Download Certificate and signtool

I am trying to download the certificate to disk as a .PFX file and run signtool with it, but somehow I am unable to get a correct certificate file.

I tried a couple of options:
Option 1
[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($OctopusParameters["p.certificate.Pfx"])) | Out-File -Encoding "ASCII" "X:\TestLocation\cert.pfx"

Option 2
#$OctopusParameters["p.certificate.Pfx"] | Out-File -Encoding "ASCII" "X:\TestLocation\cert.pfx" -Force -Verbose

Even tried RawOriginal.

It creates a .PFX file named 'cert.pfx'. But when I run signtool with the cert as below:
& "${signtoolPath}" sign /f "X:\TestLocation\cert.pfx" /p $OctopusParameters["p.certificate.Password"] $file.FullName

I get the error below if I create the certificate file using Option 1:

March 15th 2021 16:15:34 Error
SignTool Error: An error occurred while attempting to load the signing certificate from: X:\TestLocation\cert.pfx

And I get the error below if I create the certificate file using Option 2:
Error information: “Error: Store::ImportCertObject() failed.” (-2146885630/0x80092002)

If I run the same signtool with the original .pfx that I upload to Octopus, it works fine.

Any advice would be helpful.

Thanks

Hi tejpal.chohan,

Thank you for reaching out to us with your certificate query.

There are a number of possible causes for this which would need to be investigated. I’ve outlined the key things to try below:

  • Try printing one of the certificate attributes to the log
    It could be worth trying to print one of the other certificate variable attributes, such as the certificate name, to the console to verify that the certificate is being loaded correctly.

  • Try running the Tentacle as a different user
    I can see discussions online that suggest the signtool utility doesn't run reliably under the local system user and may need to be run as a different user. You could try running the Tentacle as a different user to see if this is the case.

  • Verify the contents of the created PFX file manually
    Another option could be to create the PFX file using the methods described in your post and then manually compare the created file to the original one that is stored in Octopus Deploy. This could highlight whether there are any issues with the format.

This will hopefully point you in the direction of the issue. Please let me know how you get on.

Best Regards,

Charles

Thanks Charles for the information.

It seems the Out-File pipeline in PowerShell itself is not generating the expected pfx file. I managed to resolve the issue by using the above in conjunction with the 'Get-PfxData' and 'Export-PfxCertificate' PowerShell commands, as below:

#Path for the working pfx file and the password as a SecureString (Get-PfxData and Export-PfxCertificate require one)
$pfxFile = "X:\TestLocation\cert.pfx"
$securePassword = ConvertTo-SecureString -String $OctopusParameters["MyCertificate.Password"] -AsPlainText -Force

#Get the pfx certificate content from the stored certificate variable (the .Pfx attribute is base64 text)
$pfxContent = $OctopusParameters["MyCertificate.Pfx"]
$pfxContent | Out-File $pfxFile -Force

#extract pfx data (parses the file with the password and returns the certificates it contains)
$pfxData = Get-PfxData -FilePath $pfxFile -Password $securePassword
#write-host $pfxData

#create temporary pfx file to use in signtool (re-exports the parsed data as a proper binary PFX at the same path)
Export-PfxCertificate -PFXData $pfxData -FilePath $pfxFile -Password $securePassword

And then used the final $pfxFile in Signtool.

Happy to close the ticket.

Thanks
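The root cause the thread circles around is that Out-File is a text pipeline: it re-encodes the string and appends a line terminator, so it cannot write a binary PKCS#12 blob, and Option 2 only ever wrote the base64 text to disk. The following is an added example (not code from the thread or from Octopus Deploy) of the direct approach: decode the base64 variable straight to bytes with WriteAllBytes, check the result before calling signtool, and clean up afterwards. It assumes a certificate variable named "MyCertificate" (so the hypothetical `MyCertificate.Pfx` attribute holds the base64-encoded PFX and `MyCertificate.Password` the password), a `$signtoolPath` pointing at signtool.exe and a `$file` to sign, as in the original post; the `/fd SHA256` argument is added here and was not in the original command.

```powershell
# Added example, not the poster's script. Assumed names: the Octopus
# certificate variable "MyCertificate", $signtoolPath and $file.
$ErrorActionPreference = 'Stop'

$pfxBase64   = $OctopusParameters["MyCertificate.Pfx"]       # base64 text
$pfxPassword = $OctopusParameters["MyCertificate.Password"]
$pfxFile     = Join-Path $env:TEMP ("sign-{0}.pfx" -f [guid]::NewGuid())

try {
    # Decode straight to bytes and write them as-is. Out-File would re-encode
    # the string as text and append a newline, corrupting the PKCS#12 blob.
    $pfxBytes = [Convert]::FromBase64String($pfxBase64)
    [IO.File]::WriteAllBytes($pfxFile, $pfxBytes)

    # Check 1: a DER-encoded PFX starts with an ASN.1 SEQUENCE tag (0x30).
    # If base64 text was written by mistake the first byte is 'M' (0x4D).
    if ($pfxBytes.Length -lt 2 -or $pfxBytes[0] -ne 0x30) {
        throw ("File does not look like a DER-encoded PFX (first byte 0x{0:X2})" -f $pfxBytes[0])
    }

    # Check 2: let the Windows crypto stack open it with the password before
    # signtool does, and log which certificate was loaded (Charles's first
    # suggestion, done against the file rather than the variable).
    $securePassword = ConvertTo-SecureString -String $pfxPassword -AsPlainText -Force
    $pfxData = Get-PfxData -FilePath $pfxFile -Password $securePassword
    $signingCert = $pfxData.EndEntityCertificates | Select-Object -First 1
    Write-Host ("Signing with {0} (thumbprint {1})" -f $signingCert.Subject, $signingCert.Thumbprint)

    # Pass arguments as an array so paths with spaces survive, and fail the
    # step explicitly on a non-zero exit code.
    $signtoolArgs = @('sign', '/f', $pfxFile, '/p', $pfxPassword, '/fd', 'SHA256', $file.FullName)
    & $signtoolPath @signtoolArgs
    if ($LASTEXITCODE -ne 0) {
        throw "signtool exited with code $LASTEXITCODE"
    }
}
finally {
    # Do not leave the private key lying on the Tentacle's disk.
    if (Test-Path $pfxFile) { Remove-Item $pfxFile -Force }
}
```

Writing the file under a random name in `$env:TEMP` and deleting it in `finally` limits how long the exported private key exists on the deployment target; the first-byte check is a cheap way to distinguish a real PFX from the base64 text that Option 2 produced, and Get-PfxData gives a clearer failure than signtool's generic "could not load the signing certificate" when the password or encoding is wrong.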

Hi tejpal.chohan,

That’s great, thank you for sharing your solution!

Please get back to us if you have any other questions.

Best Regards,

Charles
