PVK2PFX Error 0x80070490 - Cannot find certificates that match the key

Question

We got our new certificate (*.cer) file from Thawte, and i went through our standard procedures to allow it for use with code signing.

If i use our old (working) certificate:

1. Convert certificate (.cer) into Software Publishing Certificate (.spc)

   >Cert2Spc.exe Avatar.cer Avatar.spc
   Succeeded
   

2. Combine our private key file (*.pvk) with the SPC into a PFX:

   >pvk2pfx.exe -pvk Avatar.pvk -spc Avatar.spc -pfx Avatar.pfx -f
   

   prompts for private key file password, enter it, click OK

   

And we're good to go; ready to use signtool.

---

We now have our new certificate, and i follow the same procedure:

1. Convert certificate (.cer) into Software Publishing Certificate (.spc)

   >Cert2Spc.exe Avatar.cer Avatar.spc
   Succeeded
   

2. Combine our private key file (*.pvk) with the SPC into a PFX:

   >pvk2pfx.exe -pvk Avatar.pvk -spc Avatar.spc -pfx Avatar.pfx -f
   

   prompts for private key file password, enter it, click OK

   

   ERROR: Cannot find certificates that match the key.
   (Error Code = 0x80070490).
   

What's going wrong?

---

Notes:

• we've used the same private key file (*.pvk) for a decade
• this year Thawte gave us a 2-year certificate; rather than the usual 1-year
• this year Thawte changed their signing certificate from Thawte Code Signing CA to Thawte Code Signing CA - G2
• Google says that nobody has ever gotten the error Cannot find certificates to match the key.

• The Windows SDK only contains two references to the error code 0x80070490:

  • Visual Foxpro for Windows header file (vfwmsgs.h):

    //
    // MessageId: E_PROP_ID_UNSUPPORTED
    //
    // MessageText:
    //
    // The specified property ID is not supported for the specified property set.%0
    //
    #define E_PROP_ID_UNSUPPORTED            ((HRESULT)0x80070490L)
    

    Which is almost certainly a red herring; Foxpro?

  • commented out code in the RSS screensaver sample (RssItem.cs)

    // "Element not found. (Exception from HRESULT: 0x80070490)"
    

    Also almost certainly a red-herring; XML?

• decimal version of 0x80070490 is -2147023728

Answer 1

Turns out that this year we were given a new private key.

Well, you're not given a private key, the certificate+key is fetched through the browser and stored in a certificate store. From there we can export a .PFX (A pfx contains a certificate and a private key).

With this PFX exported from the browser's certificate store, we can use it directly to sign code with signtool.

Note: We were actually gluttons for punishment, and went through steps:

+--[.pfx]---+     +--[.cer]---+     +--[.spc]---+           +--[.pfx]---+
|Certificate|====>|Certificate|====>|Software   |=========> |Certificate|
|    +      |     +-----------+     |Publishing |           |     +     |
|Private Key|==+       +            |Certificate|   +=====> |Private Key|
+-----------+  |                    +-----------+   |       +-----------+
               |                                    | 
               |                                    |
               |  +--[.pem]---+     +--[.pvk]---+   |
               +=>|Private Key| ==> |Private Key|===+
                  +-----------+     +-----------+

But all that route gave us was a private key file (*.pvk) that wasn't protected with a password; so signtool could run without user interaction.

But the answer to this question was: The private key doesn't match the certificate.