I am considering purchasing a code signing certificate from VeriSign or Thawte to sign an XBAP with. My question is this: What happens when that certificate expires? $299 and $599 are pretty hefty prices for 1-year/2-year certificates, and if I have to deliver a newly signed build to my customers whenever my certificate expires, then I'll just deal with the hassle of creating my own certificate for now.

What I don't like about creating my own certificate is the difficulty in distributing it to all of the client machines that will be using my XBAP. My application will only ever be used on a LAN, so I suppose I could always use Windows Installer to install my home brewed certificate (although I'm unsure on how to do this - anyone have any ideas?).

This wouldn't really be a problem if I was delivering a partial trust application - but my application needs Web permissions, since it will be talking to WCF services, so it is in that grey area between partial trust and full trust, and without a certificate, I get that fun ole Trust Not Granted message when I try to load my XBAP.

Any ideas?

+4  A: 

What you should do if you plan to use it in a closed (LAN) environment is to set up your own CA. Windows Server versions include an easy-to-use Certification Authority, but even easier is to set up a minimal CA by means of the demoCA provided by openssl, which consists of several scripts. You can run openssl demoCA in Cygwin on Windows or natively. This demoCA consists of several perl/bash scripts that call openssl commands to generate requests, sign certificates/crls, etc.

When you have your own CA what you need to install is your CA root certificate so there will be no more hassles to update user certificates since the CA certificate will stay the same. Typically a CA certificate should last for 5-10 years, but you can configure as much as you want (remember that it is your own CA).

The CA certificate will be installed on every client machine. If your application trusts Windows System security it should be installed on IExplorer Certificate Authorities keystore. If you use a Java Application then you should distribute the CA certificate inside the Java keystore you use.

Fernando Miguélez
Thanks Fernando - I'm a bit confused, though - how does the CA certificate get installed on every client machine? Does it have to be done manually?
unforgiven3
Yes. The most direct approach is to do it manually. Just save your certificate with ".cer" or ".der" extension. Double click it and Windows will present you a wizard to import it.
Fernando Miguélez
I'll give that a try - thanks!
unforgiven3
All good info, but "What happens when a code signing certificate expires?"
Bratch
Easy, your signature (code or whatever) is no longer valid, since the certificate does not pass even local validation (the expiration date is one of the first characteristics of the certificate to check).
Fernando Miguélez
Yeah, what I'm finding out is that you need to use a digital timestamping service if you want to avoid having to re-sign your code every X number of years. http://stackoverflow.com/questions/912955/how-can-i-prevent-needing-to-re-sign-my-code-every-1-or-2-years
Bratch
A: 

If you make sure to add a time stamp when signing binaries, you won't have to re-sign them when the certificate expires. Just add "/t http://timestamp.verisign.com/scripts/timstamp.dll" to the command line of signtool and the digital signature will always be marked as valid unless the certificate is revoked and the CA is trusted.

The reason code signing certificates are so expensive is that someone has to verify that you are who you say you are. In my case they verified the address and phone number, and phoned me up. Comodo's certificates appear to be slightly cheaper though.

BruceCran
A: 

If you timestamp your code while the certificate is valid the effect is that your expired certificates are good.

From Thawte Code Signing Certificate FAQs:

How long can I use a Code Signing Certificate for?

  • Code Signing Certificates are valid for 1 or 2 years depending on which life cycle you choose when you purchase the certificate. Click here for pricing information. Please note: For Microsoft® Authenticode® (Multi-Purpose), you should also timestamp your signed code to avoid your code expiring when your certificate expires.

Is timestamped code valid after a Code Signing Certificate expires?

  • Microsoft® Authenticode® (Multi-Purpose) allows you to timestamp your signed code. Timestamping ensures that code will not expire when the certificate expires because the browser validates the timestamp. The timestamping service is provided courtesy of VeriSign. If you use the timestamping service when signing code, a hash of your code is sent to VeriSign’s server to record a timestamp for your code. A user’s software can distinguish between code signed with an expired certificate that should not be trusted and code that was signed with a Certificate that was valid at the time the code was signed but which has subsequently expired.
Martin Vobr
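
The private-CA setup from the first answer and the expiry behaviour that timestamping addresses, as an added example (not code from any of the posters): it builds a 10-year root and a 1-year code-signing certificate with openssl, then checks the chain at two points in time. The subject names, file names and validity periods are assumptions, and `-attime` only stands in for the signing time a timestamp would attest; it is not Authenticode validation.

```shell
#!/usr/bin/env bash
# Added example: all subject names and file names below are constructed.
set -eu

# Build a private root CA (10 years) and a code-signing certificate (1 year) in $1.
make_pki() (
  cd "$1"
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[codesign]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = codeSigning
EOF
  # Root CA certificate: the only file that has to be trusted on client machines.
  openssl req -x509 -config pki.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -sha256 -days 3650 -subj "/CN=Example LAN Root CA" \
    -keyout ca.key -out ca.cer 2>/dev/null
  # Signer key and request, then a 365-day certificate issued by the root.
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=Example XBAP Publisher" -keyout signer.key -out signer.csr 2>/dev/null
  openssl x509 -req -in signer.csr -CA ca.cer -CAkey ca.key -CAcreateserial \
    -sha256 -days 365 -extfile pki.cnf -extensions codesign -out signer.cer 2>/dev/null
)

# valid_at DIR CERT EPOCH: succeeds if CERT chains to the root at time EPOCH.
valid_at() {
  openssl verify -CAfile "$1/ca.cer" -attime "$3" "$1/$2" >/dev/null 2>&1
}

dir=$(mktemp -d)
make_pki "$dir"
now=$(date +%s)
later=$(( now + 400 * 86400 ))   # 400 days on: past the signer's 365 days
valid_at "$dir" signer.cer "$now"   && echo "today:       signer verifies"
valid_at "$dir" signer.cer "$later" || echo "in 400 days: signer expired"
valid_at "$dir" ca.cer "$later"     && echo "in 400 days: root still valid"
rm -rf "$dir"
```

Replacing `signer.cer` each year does not touch `ca.cer`, so clients that already trust the root need no change.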