Tuesday 9 December 2008

Signing Adobe AIR files with Authenticode Certificates

There are some things that always seem a little trickier than they should be. Renting an apartment in London that has working heating and hot water is one of them, converting an Authenticode certificate from SPC and PVK files to a format that you can sign Adobe AIR files with is another.

Since I still haven't figured out the former, I'm going to write about the latter.

First things first, if you're going to get a certificate solely for signing AIR files, then buy one from Verisign or Thawte specifically for AIR. It's just easier.

If, however, you want to use your certificate to sign .NET applications as well, then get a Microsoft Authenticode certificate. You can use that certificate to sign AIR apps and well as .NET apps. We got our Authenticode certificate from Verisign, but there are other vendors. If this is what works for you, then the following might be helpful. If you have haven't already done so, go away and buy the certificate now - I'll see you again when you have downloaded a PVK file and an SPC file.

So, let's skip forward a few days. You've got your PVK file (the private key), and the SPC file. You're probably wondering how to turn those files in to a PFX file that you can use with ADT to sign files. Hopefully, these steps should help. Oh, I'm assuming that you're using a PC here...

Firstly, you need to ask yourself two questions:

  1. Do you feel lucky?

  2. Can you find a tool called pvk2pfx on your machine. This is a pain to get hold of, but lives in bin directory of most Microsoft SDKs.

If you're lucky AND you can find pvk2pfx, then skip forward a little. If you can't find it, then read on.

I don't have pvk2pfx, I need something else

Worry not, this is still completely possible...

  1. Get a tool called pvkimprt. You can download it from Microsoft. Run the self extracting whatsit, then run the installer, and make a note of its final resting place.

  2. Open up a commmand prompt (Start, Run, "cmd").

  3. Change to the directory where pvkimprt ended up.

  4. Run:
    pvkimprt -PFX <path\to\cert.spc> <path\to\key.pvk>

  5. Choose the following options:

    Choose to export the private key...

    Choose the PFX format, choosing to include certificate chain and use strong protection.

    Choose a password...

    Select a location to save the pfx file

    This is what success looks like...

  6. You can use the resulting pfx file to sign an Adobe AIR file with adt.

You're done! You might want to ignore the rest of this post, it will make you wish you were luckier. Any questions/mistakes/omissions, feel free to ask...

I'm lucky, I have pvk2pfx

This is much easier. Simply:

  1. Open up a commmand prompt (Start, Run, "cmd")

  2. Change to directory where you found pvk2pfx.

  3. Run:
    pvk2pfx -pvk <path\to\key.pvk> -pi <pvk password> -spc <path\to\cert.spc> -pfx <path\to\output.pfx> -po <new password for pfx file> (all on one line)

  4. You can use the resulting pfx file to sign an Adobe AIR file with adt.

I hope that was helpful!


  1. I could have really done with this a few months ago! It seems there are some great articles out there if you intend to buy a new certificate and start from scratch but many organisations already have some sort of certificate and there isn't much out there about putting the pieces togther.

  2. Thanks! saved me time and cash :)

  3. Thanks for your post. It was quite helpful. I posted another solution here (http://stackoverflow.com/questions/4506070/signing-an-adobe-air-application-with-an-spc-file/4506135#4506135) that you and your readers might want to consider in the future.


Note: only a member of this blog may post a comment.