Get the complete information about how to renew your Code Signing Certificate?
Do you think the app on your mobile phone is safe? From financial transactions to tracking our health and consuming content, mobile apps enable us to carry out several activities. However, regarding security, businesses and app publishers must take specific measures.
According to Nokia, banking malware threats on Android devices have increased to a whopping 80%, making the security of apps essential for businesses. Code signing certificates help app publishers and developers ensure the safety of their applications.
It allows users to verify the publisher’s identity and check whether the app’s source code is intact. However, if your code signing certificate is expired, you will not be able to code sign apps. Further, if the app is not timestamped, the trusted seal of sign, which assures users of security, will disappear, and your apps may become vulnerable.
The best way to avoid such a scenario is to renew the code signing certificate. So, here we are with a comprehensive guide on the renewal process of code signing certificates. Let’s first understand why you need it!
What Happens When a Code Signing Certificate Expires?
Encryption-based certificates, whether SSL/TLS certificates, x.509-based, or code signing certificates, have expiry dates. Every certificate authority(CA) provides code signing certificates for different periods ranging from a year to five years. Once it expires, you can’t use credentials to code-sign your apps.
Therefore, you need to renew code signing certificates to ensure security for your executables. Another critical aspect is timestamping! If you have already code-signed an application and timestamped it, the certificate’s expiry will not affect the app. However, if your app is not timestamped,
- Your app will no longer be trustworthy for users to download and install
- If it is a desktop app or a web app, the user’s device will show warning messages
- You may experience a loss in revenue due to a loss of customer trust
- The renewal process may take a couple of days, causing disruptions in operation.
The best practice, however, is to renew the code signing certificate right before it expires. So, here is a step-by-step process for renewing the code signing certificate for your applications.
How To Renew Code Signing Certificate?
A code signing certificate is issued after you submit a Certificate Signing Request (CSR) to CA. So, when you renew a code signing certificate, the first step involves the generation of CSR.
Step #1: Generate CSR
The renewal process will begin with the generation of a new CSR for the Code Signing certificate. First, generate a security key pair and a CSR for the provider from which you purchased the certificate earlier.
You can use any platform to submit the CSR compatible with the CA. Here, we have taken MMC (Microsoft Management Console) for CSR generation.
#1: Open up MMC from Start Menu
#:2 Click File and browse Add/Remove Snap-ins
#3: A window will appear where you need to select Certificate and click on ‘Add’ it. Click OK button.
#4: Now, expand the certificate tab and you will see the Personal folder, which you need to right-click on it.
Select All Tasks>>Advance Operations>>Create Custom Request.
#5: You will have a Certificate Enrolment screen, click the Next button.
#6: Click option “Proceed without enrollment policy” and click Next.
#7: Ensure that Template is CNG key and format is PKCS#10 and click Next button.
#7: Now, click on the ‘Properties’ button under Custom Request.
#8: Give Friendly Name under the General tab, and Go to the ‘Subject’ tab, where you need to choose a Common name and provide value. Now, Click Add button.
#10: Now, click the Private Key tab, choose to Expand Cryptographic Service Provider, expand ‘key option’, and choose RSA key. Now, select Make Private key exportable.
#11: Under Select Hash Algorithm and select 256-bit Encryption.
#12: Click Apply and Ok buttons. Now, Click the Next button.
#13: You will be prompted to save the CSR file. Make sure the Base-64 format is tick marked.
#14: Now browse the CSR file and open it with a notepad, copy the CSR content and send it to your SSL provider.
Step #2: Validation process
It is a process where CAs will verify your identity and ensure that you are a legal entity to provide users with the assurance of security. Organization Validation Code Signing certificate needs organization authentication, proof of physical presence, and Government issued photo-ID like a Passport, Driving License, National ID, etc. After submitting the necessary documents, an organization needs to complete On-call verification.
Step #3: Download and installation
Once the certificate authority completed the verification process, the CA issues a certificate in .p12 extension and sends it in an email. Now, you have CA Bundle, and code signing certificate. Here, we have created CSR from MMC and it requires the export of a PFX file. So, let us look at this process.
#1. Open MMC on Windows.
#2. Right-click on the Certificate option. Select Export.
#3. Now, you will be prompted to export the private key. Click ‘Yes’.
#4. Under “Personal Information Exchange”, choose “Include all certificates in the certification path if possible.”
#5. Now, enter a password and browse the folder on the local machine to store the combined file.
#6. Click on the Finish button to finish the export of the PFX file. The file is on a local machine and ready to use for the Code Signing certificate.
Step #4: Sign Windows Code:
#1. After creating a PFX file, you need to code the sign machine with Microsoft’s SignTool using a PFX file.
#2. Use Microsoft Windows SDK, download and install the SignTool.
#3. Use the below command prompt and sign the PFX file.
SignTool sign /f path to your PFX file /p your PFX file password /tr
http://tsa.mysite.com /td SHA256 path to the code being signed
Now, the file code is signed and the code is ready for distribution.
The Other Installation process is as follows except you do not use MMC.
Step #1: Generate CSR
The CSR and private key should be generated from your end using the OpenSSL or verified third-party tool.
The CSR is used to configure the order and the private key should be saved on your end, as it will be required to create a PFX file. The PFX file is created by combining the private key and certificate.
Step #2: Validation process
It is a process where CAs will verify your identity and ensure that you are a legal entity to provide users with the assurance of security. Organization Validation Code Signing certificate needs organization authentication, proof of physical presence, a Government issued photo-ID like a Passport, Driver’s License, National ID, etc., and a selfie holding the same photo-ID. After submitting the necessary document, an organization needs to complete On-call verification.
Step #3: Download and installation
Once the certificate authority completed the verification process, the CA issues a certificate, Intermediate, and root certificate. You will have to create a PFX file combining, certificate, Intermediate, root certificate, and private key.
Best Code Signing Certificates Providers
There are many CAs that provide code signing certificates. In addition, you can opt for different types of code signing certificates you can choose for your applications, like EV code signing certificates, wildcard signing certificates, multi-domain certificates, etc.
Comodo Code Signing certificate signs software code and add a digital signature that keeps the code intact. The certificate ensures that the code is not altered since a developer sign it. Comodo Code Signing certificate comes with organization validation and Extended Validation type. Comodo Code Sign certificate maintains code integrity and publishers can sign 32-bit and 64-bit executable files. An end user ensures that the code is legitimate and comes from a real publisher. The certificate moreover, removes the ‘Unknown Publisher’ warning.
Digicert is another leading code signing certificate provider that offers excellent features. It supports major platforms like MS, AdobeAIR, Java, and others. Digicert ensures code integrity and prevents your app from malicious attacks through two-factor authentication. In addition, it provides up to 99% of uptime with a dedicated team for customer support.
Sectigo Code Signing Certificate
Like Comodo and Digicert, Sectigo is also an excellent choice if you want to renew your code signing certificate. It also supports recognition by Windows SmartScreen, major file formats, and platforms. In addition, Sectigo provides 24/7 technical and customer support, and issuance of the certificate takes 1-3 days.
Conclusion for Renew Code Signing Certificate
If you miss the expiration date for the code signing certificate without timestamping, the result will be a loss of the user’s trust. The lower the trust, the lesser will be app downloads and installations, leading to a loss of revenues. In other words, the best way to ensure the security and trustworthiness of the app is to renew the code signing certificate before it expires. So, don’t wait for the time to run out and renew it now.