How to Renew Code Signing Certificate
Code Signing Certificate – Step-By-Step Renewal Guide
Are you a software developer who has purchased a code signing certificate for signing a software? Has the code signing certificate that you purchased expired? If yes, that’s nothing to worry about. No matter from whom you purchased or what certificate you purchased, whether it’s Standard or EV Code Signing Certificate, they come with a specific validity period. The good news is that it’s easy to renew a code signing certificate.
Once Your Code Signing Certificate Expires
Similar to SSL/TLS certificates and other x.509 certificates, code signing certificates don’t have an infinite validity period. They come with a specific time period: one, two, or three years. Once the certificate surpasses its time period, it expires and can no longer be used for signing any new software, apps, or other executable files.
If you timestamped your software when you originally signed it, the signature will be valid indefinitely. If you didn’t timestamp your software, you’ll find that:
- The software is no longer be trusted, and Microsoft SmartScreen will show a warning message.
- Instead of your name, your software will display an unknown publisher.
- You may see a loss in revenue if customers stop installing due to warning messages
- It may take a few days for the issuance of another certificate, so you won’t be capable of signing and publishing your software for around a week.
However, the renewal of a code signing certificate before it expires is an easy solution. In other words, simply re-purchase your code-signing certificate from the same certificate authority you purchased earlier, or else you can even switch to another Certificate Authority.
Step-by-step Guide to Renew Code Signing Certificate
1. Generate a New CSR
If you’re renewing your Code Signing Certificate from the same provider from whom you purchased earlier, then there’s no need to generate a new CSR, but:
- Usually, it’s suggested to generate a new CSR to create a new key pair for maximum security. (New CSR can be submitted for any platform).
- If your platform is Sun Java, then it’s mandatory to submit a new CSR.
- If you’re installing an EV code signing certificate on HSM or renewing it, new CSR will be required.
2. Validate Your Certificate
The validation process lets the issuing certificate authority verify the legitimacy of your organization. It allows them to confirm that you’re a legal entity and give assurance to your clients that it’s safe to use your software.
However, if you’re renewing your code signing certificate, then you may not have to go through the entire process all over again. Still, if your certificate is expired or you’ve chosen any other certificate authority, then you’ll need to follow the entire validation process.
Download, Install & Start Signing With Your Renewed Code Signing Certificate
Now, the important part: just because your code signing certificate is successfully renewed, your job is not done yet. Your CA still has to issue the new certificate. And, once it gets issued, you’ll need to install that new certificate on your computer and then you can use it when signing your software. You won’t be able to use your old certificate anymore, as the signature would be invalid.
You’ll usually get your certificate via an email from your code signing certificate provider. (Unless you ordered an EV certificate, then it will be shipping to your address.) Follow the instructions provided in the email. It’ll allow you to download your code signing certificate. And once your certificate is downloaded and installed on your computer, you can start signing your apps, software, and other executable files.
If you want to check whether your code signing certificate has been installed correctly on your computer, go through the steps mentioned in this article: How to Verify Code Signing Certificates in Popular Web Browsers.