Comments on: Buying a Microsoft code-signing certificate from Thawte? Don’t use Vista.

By: Soeren

Soeren — Thu, 08 Jul 2010 12:03:54 +0000

You can use Jailbreak (https://www.isecpartners.com/jailbreak.html) for exporting certificates marked as non-exportable from the Windows certificate store.

By: David 'dex' Schwartz

David 'dex' Schwartz — Fri, 02 Jul 2010 04:56:13 +0000

The new terminology on the Thawte certificate center web page(s) is "Revoke and Replace" This page Download and Install Microsoft® Authenticode® (Multi-Purpose) Certificate requested with IE7 on Vista/Windows 7 contains the following note Please Note: The certificate and key are installed to the browser with the key marked as "Not Exportable". This means you cannot move your certificate or key to another machine, although you can still sign as per normal from the same system you enrolled from. If a .pfx file is needed, the certificate will need to be replaced with a windows xp machine. Replacement details: SO942 To replace a Code Signing Certificate follow the instructions below: Read the conditions for a replacement at the following link: SO750 Doing the recommended steps on a Windows XP machine allowed the download of the .pvk file and generation of a new certificate.

By: Harry Johnston

Harry Johnston — Sun, 11 Apr 2010 22:49:38 +0000

I’m not absolutely certain, but I have a strong suspicion that Microsoft did not design Internet Explorer’s certificate-generating functionality to be used in this way.

You shouldn’t be generating a code-signing certificate from an on-line machine anyway. To keep the key safe, it should be generated, stored and used only on isolated machines, i.e., with no network connection.

By: Damien

Damien — Wed, 22 Jul 2009 15:07:28 +0000

I currently work for Thawte Technical Support and one of our customers refered me to the article, it is very well written, the only point I had an issue with was the revokation/reissue process for the certificate.

The certificate needs to be reissued, not revoked, when you reissue from http://www.thawte.com/reissue using Windows XP you will be assigned a new pvk (private key) and order id, then the new certificate is issued and the previous order is revoked as part of the reissue process.

If you just revoke the certificate they will no no longer be able to reissue and the customer would need to place a new order instead of just reissuing which is free.

Damien
Thawte Tech Support

By: Sam

Sam — Sat, 11 Jul 2009 01:11:50 +0000

Thanks for the posting! i spent a few days on this issue & now need to get a XP machine.

This whole issue seems complete lunacy… someone from Microsoft should have go to jail for imposing such restriction!