OpenSSL saves the day

We needed to issue a tiny patch release for one of our legacy applications. To do so we had to order a new code-signing certificate. I was a bit surprised then build failed with Invalid provider type specified error. For the some reason it was failing to sign Click Once manifest. What’s interesting signtool.exe was able to use that certificate just fine…

I was lucky enough to find amazing blog post at

I faced an issue thought… I was not able to find pvk.exe because the Dr. Stephen N Henson’s website (at was down and I found no mirrors out there…

So I used a bit different approach to tackle it:

  1. I used OpenSSL to generate PVK out of PEM using the command below openssl rsa -inform PEM -outform PVK -in demo.pem -out demo.pvk -passin pass:secret -passout pass:secret
  2. Then I used OpenSSL to generate PFX out of PVK & CER files (I had to export public key as Base-64 encoded X.509 (.CER) at first for below command to work properly) openssl pkcs12 -export -out converted.pfx -inkey demo.pvk -in demo.cer -passin pass:secret -passout pass:secret