I spent nearly 6 hours compiling multiple sources together and trying more than 2 dozen times to get this information correct. This information should work across most CA services but will for sure work for GoDaddy.
Create Private Cert
Following the instructions from https://www.godaddy.com/help/windows-generate-csr-for-code-or-driver-signing-certificate-7282 is probably the easiest approach. It would be fairly hard to write all of that out. Once you have your private cert and you’ve actually gotten the zip file from your CA vendor, continue with the rest of this.
Create a PVK file.
First export your cert from the store into a PFX file.
openssl pkcs12 -in YourPFXFile.pfx -nocerts -nodes -out YourPEMFile.pem
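Edit the resulting PEM file and remove any additional data. Your file should contain only the private key itself, starting with -----BEGIN PRIVATE KEY----- and ending with -----END PRIVATE KEY-----. Because -nodes writes the key unencrypted, delete this PEM file once the PVK file has been created.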
Next convert the file into a PVK file.
openssl rsa -in YourPEMFile.pem -outform PVK -pvk-strong -out YourPVKFile.pvk
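The manual clean-up of the PEM file described above can be scripted. This is an added example, not part of the original post; the function name and the sample input are assumptions constructed for illustration.

```python
import re

# Matches one PEM private-key block: PKCS#8 ("PRIVATE KEY"), traditional
# ("RSA PRIVATE KEY") or encrypted PKCS#8 ("ENCRYPTED PRIVATE KEY").
_KEY_BLOCK = re.compile(
    r"-----BEGIN ((?:RSA |ENCRYPTED )?PRIVATE KEY)-----\r?\n"
    r"[A-Za-z0-9+/=\r\n]+?"
    r"-----END \1-----"
)


def extract_private_key(pem_text: str) -> str:
    """Return only the private-key block from `openssl pkcs12 -nocerts` output.

    Drops the "Bag Attributes" / "Key Attributes" lines that openssl writes
    before the key. Raises ValueError unless exactly one key block is present.
    """
    if "-----BEGIN CERTIFICATE-----" in pem_text:
        raise ValueError("input contains a certificate; re-export with -nocerts")
    blocks = [m.group(0) for m in _KEY_BLOCK.finditer(pem_text)]
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one private key block, found {len(blocks)}")
    # Normalise line endings so the result is the same on Windows and Unix.
    return blocks[0].replace("\r\n", "\n") + "\n"


# Constructed sample input (the base64 body is filler, not a real key).
SAMPLE = (
    "Bag Attributes\n"
    "    localKeyID: 01 00 00 00 \n"
    "    friendlyName: constructed-example\n"
    "Key Attributes\n"
    "    X509v3 Key Usage: 80 \n"
    "-----BEGIN PRIVATE KEY-----\n"
    "MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAexampleexample\n"
    "ZmlsbGVyIGJhc2U2NCBvbmx5LCBub3QgYSByZWFsIGtleQ==\n"
    "-----END PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    print(extract_private_key(SAMPLE), end="")
```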
Merge CA SPC file with your own PVK file
Use pvk2pfx.exe to merge the SPC and the PVK file together into a single new PFX file.
pvk2pfx.exe -pvk YourPVKFile.pvk -pi <yourpassword> -spc VendorSPCFile.spc -pfx NewPFXFile.pfx -po <yourpassword> -f
And with that done you now have a PFX file fit for importing. You should perform the import from MMC, and once you’ve done so you should see both your cert and your vendor’s cert imported.
Assembly Signing Cert
The assembly signing cert needs to contain only your cert and cannot contain any CA vendor certs. The following commands export only your cert and then make it a PFX file again.
openssl pkcs12 -in NewPFXFile.pfx -out backupcertfile.key
openssl pkcs12 -export -out PFXToSignWith.pfx -keysig -in backupcertfile.key
Final Notes
One final important note: you need to import “NewPFXFile.pfx” BEFORE anything else. Then you can use the PFXToSignWith.pfx file as the assembly signing certificate. You should be able to use the cert in your certificate store for ClickOnce signing.