Code Signing Best Practices
Code signing certificates enable you to attach your verified digital identity to your software, code, and executables. But before you can use your code signing certificate, there’s an important step you can’t skip: merging your certificate and key files.
Don’t worry, this isn’t a long or strenuous process; it’s quite simple, and there are automation tools that make it easier still. This article walks through combining your organization validation (OV) code signing certificate and private key using a free online converter tool.
There are several ways to merge your certificate and key into a new PFX (PKCS#12) file. The one we’re focusing on here is the SSLShopper.com converter tool, which keeps the conversion simple, and we’ll walk you through the process step by step below.
If you’re interested in converting your certificate using OpenSSL, check back when we publish our guide on merging certificates and private keys using OpenSSL.
Certificate and key files come in several formats — .cer, .crt, .key, and .pem. Many certificates are delivered as PEM files, so the default option is usually the right one. Whatever format your certificate file is in, select that format in the second drop-down, as shown in the screenshot below:
Next, select the format you want to convert your certificate to. Here, you’ll select PKCS#12.
Doing this will bring up a new set of certificate conversion options, as shown in the following screenshot:
It’s important to note that your selections of the type of current certificate and the type of certificate you want to convert it to will carry through into the new menu options. So, you’ll just make selections in the other fields on the form to continue the process.
In the top drop-down menu, press Choose File to browse for the certificate on your system.
Now’s the time to upload the cryptographic private key you want to merge with your digital certificate. You can do this by pressing Browse and navigating to that specific file on your device or server. If your private key is stored on your server, things will be a bit trickier and may require additional steps to track it down.
Adding a chain certificate (or certificates) isn’t technically required, so you can skip these selections if you want. However, if you have the corresponding chain certificate files available, then you’ll definitely want to add them here. Some certificate authorities include their associated chain certificate files when they issue your certificate.
Regardless of whether you add the chain certificates, you’ll definitely want to be sure to complete the next step…
Passwords are the gatekeepers of your code signing certificate’s security. This is why you need to choose a strong password (or, ideally, a passphrase — something akin to GlassesRaptorChristmasTr33 — that’s difficult to guess) to secure your PFX file. This way, anyone who tries to use your code signing certificate (and the digital identity it asserts) will have to enter the correct password to do so.
Simply enter your password in the bottom field of the form:
Okay, once you’ve made your selections, press the Convert Certificate button. Yep, that’s it! If you’ve done everything correctly, you should be able to download your new combined certificate and private key PFX file.
If this process triggers an error, it’s likely because the chain certificate files or the private key don’t match the certificate you want to convert. Check out our Support page and reach out to our customer Support team if you need assistance.
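The same merge can be performed locally with OpenSSL, which keeps the private key on your own machine instead of uploading it to a website. The script below is an added example and is not code from the original article or from SSLShopper; the throwaway CA, certificate, file names and subjects are constructed for the demo, and the password is the article’s example passphrase. It also shows the pre-check behind the error described above: confirming that the private key actually belongs to the certificate before bundling, and verifying the resulting PFX opens only with the right password.

```shell
#!/usr/bin/env bash
# Added example (not from the original article or SSLShopper): merging a
# code signing certificate, its private key and the chain certificate into a
# password-protected PKCS#12 (PFX) file locally with OpenSSL.
# All file names and subjects below are constructed for the demo.
set -euo pipefail

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample material: a throwaway CA plus a leaf certificate it
# issues, standing in for the CA-issued OV certificate and its chain file.
make_sample_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=Example Publisher" \
    -keyout "$WORK/codesign.key" -out "$WORK/codesign.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/codesign.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/codesign.crt" >/dev/null 2>&1
  # An unrelated key, used to show what a certificate/key mismatch looks like.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/other.key" >/dev/null 2>&1
}

# key_matches_cert CERT KEY -> exit 0 if the key's public half equals the
# certificate's public key. A mismatch here is the usual reason a converter
# rejects the upload.
key_matches_cert() {
  local cert_pub key_pub
  cert_pub="$(openssl x509 -in "$1" -noout -pubkey)"
  key_pub="$(openssl pkey -in "$2" -pubout)"
  [ "$cert_pub" = "$key_pub" ]
}

# merge_to_pfx CERT KEY CHAIN OUT PASSWORD
# Bundles certificate, private key and chain into one PFX. The password is
# handed over through an environment variable rather than on the command
# line, so it does not end up in shell history or process listings.
merge_to_pfx() {
  local cert="$1" key="$2" chain="$3" out="$4"
  key_matches_cert "$cert" "$key" || {
    echo "private key does not match $cert" >&2
    return 1
  }
  PFX_PASS="$5" openssl pkcs12 -export \
    -in "$cert" -inkey "$key" -certfile "$chain" \
    -out "$out" -passout env:PFX_PASS
}

# pfx_opens PFX PASSWORD -> exit 0 only if the password unlocks the file.
pfx_opens() {
  PFX_PASS="$2" openssl pkcs12 -in "$1" -passin env:PFX_PASS \
    -nokeys -noout >/dev/null 2>&1
}

# pfx_cert_count PFX PASSWORD -> number of certificates bundled (leaf + chain).
pfx_cert_count() {
  PFX_PASS="$2" openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# pfx_leaf_subject PFX PASSWORD -> subject of the signing certificate in the PFX.
pfx_leaf_subject() {
  PFX_PASS="$2" openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject
}

# Demo run on the constructed material (the password is the article's
# example passphrase; use your own in practice).
PASS='GlassesRaptorChristmasTr33'
make_sample_material
merge_to_pfx "$WORK/codesign.crt" "$WORK/codesign.key" "$WORK/ca.crt" \
  "$WORK/codesign.pfx" "$PASS"
echo "created codesign.pfx with $(pfx_cert_count "$WORK/codesign.pfx" "$PASS") certificate(s)"
echo "leaf: $(pfx_leaf_subject "$WORK/codesign.pfx" "$PASS")"
```

Replace the constructed files with the certificate and key your CA issued, and the chain file the CA supplied, and the PFX produced is the same kind of bundle the online tool returns. Because the key never leaves the machine, the only copy to protect afterwards is the PFX itself, which is what the password is for.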
Code signing certificates are crucial tools for developers and publishers who want to secure their code and protect their reputations. And while completing the steps above (i.e., merging your certificate with its private key) is essential to this process, it doesn’t mean your work is done.
Once you’ve got your PKCS12 file ready to go, you still need to install it on a secure device (such as a TPM) or a hardware security module (HSM) appliance to keep it safe. Always store your cryptographic keys using secure devices to keep them out of cybercriminals’ hands. Be sure to securely manage your certificates and keys following industry best practices.