Object Already Exists error in Visual Studio 2005/2008

May 25, 2018 in Windows and Code Signing

Changing from AT_KEYEXCHANGE (1) to AT_SIGNATURE (2)

Using CertUtil from Windows Server 2003 SP1 or later, you can force KeySpec to match your needs when importing a PFX (aka PKCS#12) file.
The steps to follow are:

1. Using the 'Certificates' MMC, export the existing keyset (KeySpec=1) to a PFX file.
   Note: Please back up this file to a safe location and test that it can be imported on another machine before moving on to the next step.

2. Delete the existing certificate from the crypto store (still using the MMC).

3. Open a command prompt (CMD.exe).

4. Import the PFX file using this command:
   -> certutil -importPFX -user 'pfxfilename' AT_SIGNATURE

5. Enter the passphrase for the PFX when prompted.

You now should have a keyset/Cert with KeySpec=2. If needed you can now export this into another PFX file using the MMC again.

Alternatively, if the above does not work, you can use OpenSSL and explicitly mark the PFX for key signing.

Only if you have the SPC and PVK files:
-> openssl pkcs12 -export -out MY_PFX_FILE.pfx -keysig -inkey Key.pvk -in mycert.spc

- or -

Extract the contents to a separate file first (this protects you from overwriting the current PFX), then mark the new PFX for key signing:
-> openssl pkcs12 -in MY_PFX_FILE.pfx -out BACKUP_PFX_FILENAME.key
-> openssl pkcs12 -export -out MY_NEW_PFX_FILE.pfx -keysig -in BACKUP_PFX_FILENAME.key
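
To check what -keysig changes before importing a file on Windows, this added example (not part of the original post) builds two PFX files from a constructed throwaway key and reads back the key-usage attribute OpenSSL stores with the private key. The file names, subject name and passphrase are assumptions made for the example.

```shell
#!/bin/sh
# Added example: uses a constructed throwaway key and certificate, not the page's files.
set -eu

# Build a PFX from the PEM key/cert pair; $1 = -keysig or -keyex, $2 = output file.
make_pfx() {
    openssl pkcs12 -export "$1" -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
        -out "$2" -passout pass:constructed
}

# Print the key-usage attribute byte stored with the private key in a PFX:
# 80 corresponds to AT_SIGNATURE (KeySpec=2), 10 to AT_KEYEXCHANGE (KeySpec=1).
pfx_key_usage() {
    openssl pkcs12 -in "$1" -nocerts -nodes -passin pass:constructed 2>/dev/null |
        sed -n 's/^ *X509v3 Key Usage: *\([0-9A-F][0-9A-F]\).*/\1/p' | head -n 1
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT   # the work dir holds an unencrypted private key

# Constructed self-signed certificate, valid for one day.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-test" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null

make_pfx -keysig "$WORK/sig.pfx"
make_pfx -keyex  "$WORK/kex.pfx"

echo "keysig PFX key usage: $(pfx_key_usage "$WORK/sig.pfx")"
echo "keyex  PFX key usage: $(pfx_key_usage "$WORK/kex.pfx")"
```

The intermediate file written by the two-step sequence above (BACKUP_PFX_FILENAME.key) holds the private key; delete it once the new PFX has been verified.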

Related Links:
* Windows Server 2003 Service Pack 2 Administration Tools Pack for x86 editions (XP/Server 2003)