4

How does one convert a .snk file (for strong-name signing .NET assemblies) into a password protected .pfx file suitable for the same purpose?

Edit: to clarify, suppose I create a project in VS and in project properties, Signing, click 'New strong name key file', and elect not to protect the key file with a password:

CreateStrongKeyVS

Now imagine that a year later I change my mind and want to add a password - without trashing the assembly's identity by creating a new keypair. How do I do this?

Joe Albahari
  • 30,118
  • 7
  • 80
  • 91
  • Does this answer your question? [How to create a snk from pfx / cer?](https://stackoverflow.com/questions/8174229/how-to-create-a-snk-from-pfx-cer) – Matt May 07 '21 at 07:07
  • @Matt - not really: that describes how to go in the opposite direction (pfx -> snk) although there may be some clues there – Joe Albahari May 09 '21 at 07:11
  • I see. I have removed the close vote. – Matt May 10 '21 at 06:41

1 Answers1

5

You do not convert however you can sign an existing snk file using the Strong Name Tool (Sn.exe). (There are a few steps involved if the snk is already been protected as you need to split the strong-name part from the certificate).

The pfx is a private certificate that is created for you in Visual Studio when you select the password protection option. The password you enter is used to protect this certificate.

Is this for development or for commercial release? I would not recommend signing the assemblies with private key for development.

From the CLR Inside Out Article:

While password-protecting your key files is a much better solution than storing them in the clear, it is still not ideal. You would still have to distribute the PFX file to all of your developers, and they would all have to know the password for the PFX file. Secrets that are widely shared like this do not tend to stay secret for very long. Ideally, you should not have to distribute the private key to build and test your code during development.

Read CLR Inside Out (MSDN) Article on Using Strong Name Signatures.

HTH,

Dennis
  • 20,275
  • 4
  • 64
  • 80
  • 1
    Yes: password-protecting key files is much better than storing them in the clear. Therefore I want to convert my (non-password-protected) snk into a (password-protected) pfx without changing the public key and losing the assembly's identity. I don't have the multi-developer problem, so a password-protected pfx is ideal and less cumbersome than delay-signing. – Joe Albahari Oct 04 '11 at 07:58
  • I would argue the password-protecting is still *not* ideal. However ... I believe it is possible to do this using the Strong Name Tool (Sn.exe) - there are options to extract the public key (-p) and then recombine them. I have not needed to do such before so you will have to figure *exactly* how (what arguments etc) yourself. – Dennis Oct 04 '11 at 08:33
  • 1
    sn.exe has options to extract the public key, but not the private key. The only option that seems to extract the private key is -i which copies it into the CSP - unfortunately it marks it as non-exportable – Joe Albahari Oct 04 '11 at 09:00
  • Sorry I couldn't be more help. ... Possibly your only option will be to discard the *existing* snk file and sign with a **new** password-protected key. – Dennis Oct 04 '11 at 09:42
  • [Actually you can](http://stackoverflow.com/a/11461474/521757) extract the full SNK from a PFX, including private key. – jnm2 Nov 05 '15 at 16:49