FAQs: Frequently Asked Questions – Code Signing Certificate

Here are some common questions about Code Signing Certificates.

What are the different types of available Code Signing Certificate?

Two different types of Code Signing Certificates are offered:

 

  1. Standard Code Signing Certificate also called as Organization Validated (OV) Code Signing Certificate
  2. Extended Validated (EV) Code Signing Certificate
Is there any need to sign DLL files that are included within my application?

Generally, Windows does not check signatures on DLLs if it’s loaded by an executable. Though some exceptions arise such as DRM-related DLLs & all modules on WindowsRT/ARM, if that’s not the case then it’s okay to skip signing the DLLs. Moreover, the ultimate reason to sign a .DLL file is to check integrity every time your application launches.

Do the requirements for signing code differ from one platform to another?

Yes. The requirements for signing code differs from one platform to another. The requirements for signing a JAR file will not be the same as a Windows portable executable file. Moreover, requirements for signing applications on iOS & OS X also different from each other, additionally, how and where you will distribute the application also matters when it comes to signing requirements.

What is a Code Signing Certificate and how does it differ from SSL/TLS (X.509 latest v3) Certificate?

Some of the differences are that SSL/TLS Certificates are preferred whenever you want to activate HTTPS URLs for websites whereas Code Signing Certificates are used to apply a digital signature to software & code for avoiding tricky warnings whenever someone tries to install it. Another major difference is that SSL/TLS certificates are used to encrypt communications between clients & servers and Code Signing Certificates are used for encrypting the signature & timestamp as one part of the signature block. Put simply, SSL certificates are used to encrypt communications of websites & Code Signing are used to protect software.

Is it possible to sign files remotely?

No, both Standard Code Signing Certificates, as well as EV Code Signing Certificate, cannot be accessed through RDP (Remote Desktop.) It’s mandatory that the USB token is plugged into the local computer (for EV).

However, it’s possible to use local USB token for signing file on a remote machine but, it’s not possible to use a remote USB Token for signing any file.

For signing code in Windows, what are the requirements?

Requirements for signing code in Windows differs depending upon the Windows version and the type of code to be signed.

For example, the requirement for signing code in Microsoft will be different, if it runs in user-mode as it uses the certificate that is chained back to a trusted CA (Certificate Authority) like Comodo whereas it will be different when run in kernel-mode as the certificate chain ends at Microsoft Root CA.

Moreover, in Windows 10 there are some additional requirement like Kernel-mode drivers needed to be signed by the Windows Hardware Developer Center Dashboard Portal, which needs an EV Code Signing Certificate to access.

Are there any additional factors or requirements when it comes to Windows Code Signing?

An additional requirement is the signature algorithm used for signing the certificate and the signature algorithm used for signing code as its usage differs depending upon the usage of Windows platform version.

Do utilities differ depending upon the platforms for signing files or codes?

Yes, utilities differ depending upon the platforms used for signing files or codes.

Windows:

In Windows, Microsoft signtool is one of the utilities used for situations such as signing different drivers & executable files. It comes in the bundle as part of Windows SDK, where it works with both standard code signing certificates as well as EV code signing certificates.

Java:

When it comes to signing codes in Java, Jarsigner is used, which comes bundled with the Java JDK as it provides support for .pfx files, provided you are aware of the alias. Moreover, Jarsigner also supports EV Code Signing, though it’s a little advanced and editing of the configuration file is required for specifying the slot of the USB token.

Apple:

Here both Standard, as well as EV Code Signing certificates both, can sign files such as .dmg & .app, but again local default Gatekeeper policy on OS X and the Apple App Store policy ask to use the certificates only issued by Apple tied to an Apple Developer ID.

Moreover, code signing certificates from other CAs can be used to sign things such as profiles and policies on OS X. Lastly, the default utility on OS X for signing code is known as codesign.

Are CodeSigningStore.com Certificates SHA256?

Yes! All the provided Code Signing Certificates are SHA256.

All the Code Signing Certificates issued after September 2014 are SHA256 unless you request for a SHA1.

Can I sign driver files (*.sys) with these certificates or can I use a Kernel Mode Driver Signing Certificate to sign driver files?

Note: For Kernel Mode Driver Signing in Windows 10 EV Code Signing Certificate is required.

For Kernel-Mode Code Signing (Windows Vista till Windows 8.1), OV Comodo Code Signing Certificates can be used.

  • Download your Code Signing certificate’s Root CA which match with the Comodo cross-signed CA
  • Open an elevated command line of Windows (cmd) & run signtool.exe:

signtool.exe sign /v /p /ac “CROSS_SIGNED_COMODO_CA_HERE” /f YOUR_PFX_HERE /tr http://timestamp.comodoca.com/rfc3161 “FULL_PATH_TO_FILE_TO_SIGN”
For E.g.:
signtool.exe sign /v /p /ac “AddTrustedExternCARoot_kmod.crt” /f my.pfx /tr http://timestamp.comodoca.com/rfc3161 “C:\\egfile.dll”

Note:
Mostly for customers CROSS_SIGNED_COMODO_CA_HERE will be:
https://support.comodo.com/index.php?/comodo/Knowledgebase/Article/View/941/0/root-addtrustexternalcaroot
or
https://support.comodo.com/index.php?/comodo/Knowledgebase/Article/View/962/0/kmcs-addtrust-external-ca-root
or (for newer (EV Certificates & RSA/SHA256 Certificates)
https://support.comodo.com/index.php?/comodo/Knowledgebase/Article/View/963/93/kmcs-comodo-rsa-certification-authority

Read Microsoft’s Kernel-Mode Code Signing Walkthrough for instructions & information regarding Kernel Mode signing certificates.

Who can get a Code Signing Certificate?

Anyone, who comes under legal entities like any registered companies or a publisher recognized as a business.

A code signing certificate is a product of identity verification so it can only be issued to “legal entities,” like registered companies or to individuals (the name is used as the “Publisher”).

Another instance where you can get a code signing certificate is like if your business is only you registered with “Doing Business As” another name registered with your Local or State Government and recognized by 3rd parties such as telephone companies, banks, utility companies.

The code signing certificate cannot be issued to your website as the publisher unless the website is a registered business name like Amazon.com.

To know more about the list of documents required, read “Validation Requirement” the CAs might ask.

How Much Does a Code Signing Certificate Cost?

Validity period for Code Signing Certificate remains up to 3 years.

To know current pricing read You can contact us through an email to find a better price if you see a lower published price compared to our price range.

Is free trial available for a Code Signing Certificate?

Unfortunately, it’s not available for a free trial, as every transaction goes through a validation process where the customer’s identity is verified.

Though, we offer 100% money back guarantee within 30-days of purchase. If you are not satisfied with the purchased certificate or due to any other reason you don’t want, you will get back your money.

How much time does it take to get a Code Signing Certificate?

Once you submit all the required documents & validation process completes, your certificate will be issued which usually takes up to 1 to 3 days.

What is a timestamp?

Timestamp means to preserve the signature on your software. It helps in allowing the operating system to accept the software even after the expiration of the Code Signing Certificate. The benefit of using Timestamp is that it allows the validity of the signature to be checked against the time it was signed rather than the current time of the execution of software.

What are the supported browsers?

The importance of browser is only at a time of ordering & collecting a code signing certificate. While requesting for Code Signing Certificate, the browser is essential for creating the CSR & to generate & store the private key temporarily into your browser. The recommended web browser is Apple Safari or Internet Explorer which helps in avoiding the unwanted warnings & options which are possible in other browsers.

Note: Mobile browsers are not supported for ordering.

What to do after clicking the collection link and installing my Code Signing Certificate?

You must export the certificate into a file before you can start using. Go through these articles and learn how to export the certificate based on your used web browser.

Can we use Code Signing Certificates for kernel mode driver signing?

Yes, you can use Code Signing Certificates for signing kernel mode drivers.

Will code signing certificates support OSX/iOS, Mozilla, Java, Android, Flash, Adobe AIR, Silverlight & MS-Office?

Yes, one certificate is more than enough to sign all the supported platforms whether its Mozilla, OSX/iOS, Android, Java, Adobe AIR, Flash, Silverlight, MS-Office does not matter.

What is a .p12 file or PKCS12 file?

.p12 is one of the alternate extension of “PFX file,” which consist of the private key & certificate in combination. It’s one of the formats used by all the major signing utilities. If you have exported any .p12 file from Safari or Firefox with .p12 extension merely rename to .PFX if you want as it’s the same format.

In case your signing tool refers to a PKCS12 file, that’s also the same.

What is CodeSigningStore.com refund policy?

If the certificate you purchase does not work as planned or bought by mistake, no need to worry. Any certificate obtained from our website comes with a money back guarantee. At CodeSigningStore.com, you can cancel your order and ask for a refund. You will get back your paid amount without charging any fees if it’s within 30-days of the period from the issuance date. Read full Refund Policy.

Why are Code Signing Store.com's prices so low?

At CodeSigningStore.com, we offer the same code signing certificates with all the latest features as you get directly from the authorized Certificate Authorities but at much lower price range, the reason is that we’re purchasing in extremely bulk quantity at a discounted price which makes it affordable for us to pass a massive discount to our customers.

How To Generate A Code Signing Certificate Request (CSR)?

After purchasing a certificate, open the generation page in Apple Safari or Internet Explorer and follow the prompts to complete the CSR. It’s that simple!

How To Complete Validation For Your Code Signing Certificate?

Please select the relevant guide for your selected product:

How To Collect / Download Your Code Signing Certificate?

Please select the relevant guide for your selected product:

What happens when my Code Signing Certificate expires?

Code signing certificates come with a validity period of 1 to 3 years. The time your certificate expires, it loses the capability to create a new signature, though past signature remains valid if you’ve timestamped your software at the time of signing.

Will a Code Signing Certificate get rid of the "This file may harm your computer" warning my users are seeing?

Usually, it will. The “This file may harm your computer” warning message is a Microsoft software named SmartScreen generated. This software SmartScreen checks the reputation of the file and warns users that it’s not downloaded often. The digital signature serves its purpose of helping SmartScreen recognizing that your files are signed. However, it does not mean that it will prevent users from SmartScreen warning, though sometimes it happens that it does not show any warning message till you’re signing your files and you’re identified as a publisher, but it’s not guaranteed that it will be same every time.

One way to avoid this situation is by releasing some freeware downloadable software signed by the same digital signature & users even tend to prefer free software compared to trial versions. Due to high downloads, your reputation will also increase, eventually helping you recognized more easily by Microsoft SmartScreen.

What does the error message "[You] do not own the corresponding private key" mean?

This error message is displayed when you visit a collection link in a different browser or a computer rather than the one you used for ordering. The private key part of the purchase order temporarily stored in the browser & it paired during certificate collection time to export it to a PFX file.

Another possibility is that you may be using a Google Chrome web browser if that’s the reason, send us an email with your transaction id, we will sort it out for you.

What is the order process for a Code Signing Certificate?
  1. If you’re new to our website, first create an account at CodeSigningStore.
  2. If you have an account, login into your CodeSigningStore Account. (Click here to Login)
  3. Select Product Page – Code Signing Certificates & choose from the brand you want to purchase.
  4. Select your desired Code Signing Certificate
  5. Depending on your requirement, select the Validity Period for which you wish to purchase Code Signing Certificate from 1, 2 or 3 years.
  6. Click on Add to cart.

Still need help? Send us a note!