Oh my, shock moment with my private key

So I had generated myself a private key using OpenSSL to create a CSR for an Authenticode code signing certificate from Symantec. Today the certificate was issued, but to collect it, one needs to get the key into the browser. Ooopsie daisy. Hadn’t thought of that before.

So I converted my key to PKCS12 format:

openssl pkcs12 -export -nocerts -inkey filename.key -out filename.p12

and tried to import this. But look what I got, an error dialog box showing “The PKCS #12 operation failed for unknown reasons.”:

Trying to import it using Microsoft’s certutil and certmgr.msc gave me even more bizarre errors about the certificate being empty. But they also kind of hinted me into the right direction, when reading through all of Firefox bug #1049435 left me puzzled. In fact I had given the -nocerts option as I intended to only export my private key into PKCS12 format. Of course the issue in the Firefox bug was still a possibility, but no longer the only one.

So I did what all desperateexperienced people do: trythink!

So I generated another CSR based on my private key, this time to self-sign the certificate.

openssl req -new -key filename.key -out filename.csr

… followed by the actual self-signing:

openssl x509 -req -days 365 -in filename.csr -signkey filename.key -out self-signed.crt

… and followed by the command that would combine private key and self-signed certificate into a single PKCS12 file:

openssl pkcs12 -export -inkey filename.key -in self-signed.crt -out self-signed.p12

I then imported my self-signed certificate, which included the private key, into Firefox and it happily did as asked. After the fact I collected my Symantec code signing certificate and then removed my self-signed certificate again from Firefox.

// Oliver