Menu
Q: What happens if the Code Signing certificate expires? A: Code Signing certificates are issued for a period of one to three years. The expiration of a Code Signing certificate means that you cannot create new signatures. All past signatures will work for a given timestamp.
When using an expired certificate, you risk your encryption and mutual authentication. As a result, both your website and users are susceptible to attacks and viruses. For example, a hacker can take advantage of a website with an expired SSL certificate and create a fake website identical to it.
However, the renewal of a code signing certificate before it expires is an easy solution. In other words, simply re-purchase your code-signing certificate from the same certificate authority you purchased earlier, or else you can even switch to another Certificate Authority.
Code Signing certificates are valid for 1 to 3 years depending on which life cycle you choose when you purchase the certificate. See: pricing information. You should also timestamp your signed code to avoid your code expiring when your certificate expires.
If you timestamp your code while the certificate is valid the effect is that your expired certificates are good.
From Thawte Code Signing Certificate FAQs:
How long can I use a Code Signing Certificate for?
Is timestamped code valid after a Code Signing Certificate expires?
Watch out for certificates with WTD_LIFETIME_SIGNING_FLAG set: It means (despite what you mind assume from the name) that a program signed with the certificate is invalid after the certificate expires, even though the program hasn’t changed, and the certificate was valid when it was signed.
This also affects updates, in that even if the customer checks the box to trust all programs from your company, if your update program isn't signed with the same cert (or that cert expires) then the trust fails.
From: http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx
Timestamp Processing with Lifetime Signing Semantics
Applications or certification authorities that do not want timestamped signatures to verify successfully for an indefinite period of time have two options:
• Set the lifetime signer OID in the publisher’s signing certificate.
If the publisher’s signing certificate contains the lifetime signer OID in addition to the PKIX code signing OID, the signature becomes invalid when the publisher’s signing certificate expires, even if the signature is timestamped. The lifetime signer OID is defined as follows:
szOID_KP_LIFETIME_SIGNING 1.3.6.1.4.1.311.10.3.13
• Set the WTD_LIFETIME_SIGNING_FLAG in the WINTRUST_DATA structure when calling WinVerifyTrust.
If a WinVerifyTrust caller sets WTD_LIFETIME_SIGNING_FLAG in the WINTRUST_DATA structure and the publisher’s signing certificate has expired, WinVerifyTrust reports the signature as invalid even if the signature is timestamped.
If a publisher revokes a code signing certificate that contains the lifetime signer OID or a WinVerifyTrust caller sets WTD_LIFETIME_SIGNING_FLAG in the WINTRUST_DATA structure, WinVerifyTrust reports the signature as valid if both of the following conditions are met:
• The signature was timestamped before the revocation date.
• The signing certificate is still within its validity period. After the validity period expires, the signature becomes invalid.
For Example: https://forum.startcom.org/viewtopic.php?f=15&t=2215&p=6827&hilit=lifetime+signing#p6827
That is a serious problem with StartSSL certificates. It doesn't surprise me that there are limitations in a certificate that cost so little, but burying this limitation in the fine print or in an old forum post instead of making it clear in the product description is poor business. They may fix it in the future, and others may or may not have the same limitation so an email to check before you spend might be wise.
Guess who didn't know to ask? LOL... oh well, live and learn.
If you make sure to add a time stamp when signing binaries, you won't have to re-sign them when the certificate expires. Just add "/t http://timestamp.verisign.com/scripts/timstamp.dll" to the command line of signtool and the digital signature will always be marked as valid unless the certificate is revoked and the CA is trusted.
The reason code signing certificates are so expensive is that someone has to verify that you are who you say you are. In my case they verified the address and phone number, and phoned me up. Comodo's certificates appear to be slightly cheaper though.
What you should do if you plan to use it in a closed (LAN) environment is to setup your own CA. Windows Server versions include easy to use Certification Authority but even easier is to setup a minimal CA by means of the demoCA provided by openssl, which consists of several scripts. You can run openssl demoCA in Cygwin on Windows or natively. This demoCA consists of several perl/bash scripts that call openssl commands to generate requests, sign certificates/crls, etc.
When you have your own CA what you need to install is your CA root certificate so there will be no more hassles to update user certificates since the CA certificate will stay the same. Typically a CA certificate should last for 5-10 years, but you can configure as much as you want (remember that it is your own CA).
The CA certificate will be installed on every client machine. If your application trusts Windows System security it should be installed on IExplorer Certificate Authorities keystore. If you use a Java Application then you should distribute the CA certificate inside the Java keystore you use.
Just had this problem. I found in this article the explanation and together with @BCran's answer I solved it. Summary:
This is how you would do it in VS.NET 2017 for example:
If the URL doesn't work, you can use any service, here are a bunch of URLs that work: https://stackoverflow.com/a/9714864/72350
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With