Introduction to Code Signing
Where to start
I created this page as I was trying to obtain my own software publisher’s certificate because it seemed to me that there was a lack of clear, substantive information available. I probably spent 30 minutes navigating through Microsoft’s website trying to figure out where I could get a code signing certificate and what kind I needed. I also had trouble making sense of the differences in terminology from web site to web site, and I wondered what the difference was between digital signatures, digital certificates, code signing certificates, X.509 certificates, SSL certificates, public key certificates, and software publisher’s certificates. As I began to research to try to better understand how digital signatures worked, I realized that it wasn’t just me who was confused. Even within the industry itself I saw more than one web site with information about signing certificates that seemed to be written by someone who didn’t have a clear idea of what he was writing about.
Here I’ve tried to cover the basics of code signing in a way that is both clear and progressive, meaning that I won’t reference terms and concepts without first explaining what they are.
Quick Reference Guide
Price for a Microsoft Authenticode Digital Certificate for one year
For a corporation: You’ll need to know what kind of download you are providing (or the file extension) and your signer identification information. You may also need a D-U-N-S number to provide the certification authority with verification that your organization is still in existence. And you’ll need to pledge that the software you are distributing is safe.
For an individual: You’ll need your name and address and supporting materials to confirm your identity and stated purpose. And as with the commercial certificate, you’ll need to pledge that the software you are distributing is safe.
For both corporations and individuals, obtaining the certificate will probably begin with a payment, followed by the submission of a Certificate Signing Request (CSR). As part of the request you will be asked to complete a series of entries (probably the name of your business and your location, including city, state, and country). During this process a key pair is generated: the private key stays with you, and the public key goes into the request, which the certification authority signs to create the certificate that will later be used to authenticate your download. You may also find software to generate and protect these keys on your own, and for some kinds of certificates this may be required.
Different signing authorities and file types require different software and procedures to create the CSR. Find instructions specific to your certificate and signing authority and follow them carefully. (Note: in most cases CAs have automated and streamlined this process, and the steps involved will be fairly straightforward.)
Cisco’s help resources state that a CSR generated with their Wireless Control System looks like this:
-----BEGIN NEW CERTIFICATE REQUEST-----
MIICnjCCAYYCAQAwWTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRAwDgYDVQQHEwdTYWMQwwCgYDVQQKEwNYW
-----END NEW CERTIFICATE REQUEST-----
Depending on the CA, this may need to be copied and pasted into a text editor such as Notepad and submitted through the CA’s enrollment tool, or the submission may be automated. The signing authority will then send you your certificate by email.
That depends, but at the very least anyone who downloads your program will probably see a warning stating that the publisher could not be verified and that the file may contain malicious code. In some cases the download will even be blocked automatically; in others, users will choose to abort it.
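The CSR procedure described above (key pair, subject entries, PEM request, certificate issued by the CA) and the "publisher could not be verified" outcome can be walked through end to end with Go's standard crypto/x509 package. The block below is an added example; it is not code from this page, from Cisco, or from any CA. The subject values ("Example Software Inc.", Sacramento, CA, US) are constructed, the self-signed root in NewTestCA stands in for the commercial CA, and the issuing and verification steps are simplified versions of what a CA and a client do.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Constructed sample values for the enrollment fields: organization, city, state, country.
var exampleSubject = pkix.Name{
	CommonName:   "Example Software Inc.",
	Organization: []string{"Example Software Inc."},
	Locality:     []string{"Sacramento"},
	Province:     []string{"CA"},
	Country:      []string{"US"},
}

// GenerateCSR makes the requester's key pair and a PEM CSR carrying only the
// public key and the subject; the private key never leaves the requester.
func GenerateCSR(subject pkix.Name) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: subject}, key)
	if err != nil {
		return nil, nil, err
	}
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// ParseAndCheckCSR is the CA-side intake: decode and parse the request, then check
// its self-signature, which proves the requester holds the matching private key.
// Callers must check err before using the returned request.
func ParseAndCheckCSR(pemBytes []byte) (*x509.CertificateRequest, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err == nil {
		err = csr.CheckSignature() // proof of possession of the private key
	}
	return csr, err
}

// createCert signs a certificate template with the parent's key and parses the result.
func createCert(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewTestCA builds a self-signed root that stands in for the commercial CA.
func NewTestCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test Root CA"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := createCert(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// IssueCodeSigningCert copies the subject and public key from a checked CSR into a
// one-year certificate restricted to code signing, signed by the CA key.
func IssueCodeSigningCert(csr *x509.CertificateRequest, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), // real CAs use a random serial per certificate
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	return createCert(tmpl, ca, csr.PublicKey, caKey)
}

// VerifyCodeSigning is the client-side check before trusting a signed download: the
// certificate must chain to a trusted root and be valid for code signing. A non-nil
// error is the "publisher could not be verified" case.
func VerifyCodeSigning(cert, root *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err
}
```

Call GenerateCSR(exampleSubject) and print the returned bytes to see the PEM block you would paste into an enrollment form; Go labels it CERTIFICATE REQUEST, whereas the Cisco output quoted above uses the older NEW CERTIFICATE REQUEST label, and CAs accept both. Verifying the issued certificate against the root that signed it succeeds, while verifying it against an unrelated root fails, which is the situation behind the warning users see for an unsigned or untrusted download. For publicly trusted code signing certificates today, the CA/Browser Forum baseline requirements oblige the subscriber's private key to be generated and kept in a hardware cryptographic module, so the software key generation shown here is for illustration only.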
Resources and Sponsors
- Microsoft approved root certificate authorities
- Extended Validation (EV) Guidelines
- FPKI Methodology
- IBM SSL Enhancements
- Using Cisco software to create a CSR