Can’t Sign Code after Changing Windows Domain

Mark Berry December 3, 2012

I recently created a new Windows domain for my network with the same name as the old domain. I migrated the profile on my XP development machine using the very handy ForensIT User Profile Wizard.

Today I needed to sign some code using my VeriSign code signing certificate. But signtool.exe kept giving me this error:

"SignTool Error: No certificates were found that met all the given criteria."

When I opened Certificate Manager on the development machine, I could see the code signing certificate in my Personal store. So why isn’t it working?

On a hunch, I re-imported the certificate with its private key from a .pfx backup file. The appearance in Certificate Manager didn’t change, but I was once again able to sign code.

Apparently there are some domain permissions associated with the certificate store, and profile migration did not migrate those permissions. I’m glad that the fix was as simple as re-importing the .pfx file.

If you haven’t yet exported your code signing certificate and private key to a backup file, here’s a good reason to do so now.

Update December 5, 2012

ForensIT provided this explanation of the issue:

We are aware of the certificate store issue. The problem here is that Windows encrypts certificate information with an algorithm that uses the user’s own credentials: their username and password. When the profile is migrated and the user logs on with different credentials, the encrypted data cannot be decrypted (because the username and password have changed.)

We are researching a possible solution. However, at the moment, you need to export any certificates and then import them again after the migration.



1 Comment

  1. Registry Permissions after Domain Change | MCB Systems   |  March 01, 2013 at 6:18 pm

    […] profiles. Overall that worked great, but there have been a couple of issues. I blogged about one here. Today I think I cracked another […]

Leave a Reply





*