Code Signing Best Practices
Download this Code Signing Best Practices guide to improve your software and supply chain security.
Has your code signing certificate expired because you forgot to renew it? You’re not alone. In fact, 81% of organizations interviewed by Keyfactor experienced one or more expired certificates within the last 24 months. And with the use of PKI growing dramatically, like in the case of the M&T Bank which went from 2,000 certificates to more than 350,000, businesses are really struggling to keep their cryptographic resources under control.
Software is increasingly becoming the driving engine behind many businesses. As software supply chain attacks skyrocket, the pressure to secure those supply chains is growing by the day.
But what does an expired code signing certificate really mean for an organization? What are the consequences your business may face? And why do code signing certificates expire anyway? Explore the answers to these questions and more. Follow us down the rabbit hole of the expired code signing certificates!
This is the question a PKI admin asks when something like this suddenly happens. When it does, they instantly know that it’s going to be a bad day. Does it sound familiar?
I remember that Friday pretty well. Of course, these things usually happen on a Friday afternoon when everybody is ready to go home and can’t wait to enjoy the weekend. We were at the end of an important project — a brand new app we’d built was supposed to go live the following week and everything, as far as we know, was ready. The developers just had to sign the app. That’s when disaster struck: the code signing certificate expired the week before and no one noticed.
How could it happen? To cut things short, our PKI admin simply missed the certificate expiring warning emails sent by the issuing certificate authority (CA). When you receive hundreds of emails daily and rely on those to help you manually manage more than 4,000 certificates, missing an email is easy. And if you don’t have a proper certificate management processes, policies, and tools in place, it’s just an accident waiting to happen.
So, why can’t we just have lifelong code signing certificates that never expire? You buy them once and then forget about them. That would make things so much simpler! Yes, it certainly would from a certificate management perspective. But it also makes attacks easier for cybercriminals. Why?
What do you think? Aren’t these three very good reasons why code signing certificates should expire? I think so, even if the consequences of an expired signing certificate sometimes can be rough. Let’s go deeper down the rabbit hole and find out what this could mean for your organization.
The answer is nothing good. When you open your fridge and find out that the only container of yogurt left expired, it may be disappointing but it isn’t a big deal. If you eat it anyway, it may just upset your tummy. If you throw it away, you’ll just have to spend a couple of dollars to buy a new one.
When a code signing certificate expires, things aren’t so simple; the consequences your organization may suffer could be much more serious. The news is full of examples, like the most recent one, when a group of hackers called Lapsus$, managed to get hold of two Nvidia’s expired certificates and used them to sign malware. Hold on, they shouldn’t be able to sign new codes with an expired certificate, correct? Not quite. In fact, Windows still allows using them to sign some drivers. This creates a good opportunity for attackers to exploit this loophole.
Talking about money, the picture looks even darker. Venafi and Air Worldwide Corporation have estimated the global losses due to poorly protected machine identities (including PKI certificates) range between $51.5 and $71.9 billion. No wonder PKI admins are so stressed out when even one certificate expires!
But is it always so critical when a certificate expires? And how bad can it be if you don’t renew it on time? This is what we’re going to find out next.
In addition to the examples we’ve just mentioned, there are many other ways an expired code signing certificate may impact your organization. Among them:
Does this list answer the question about the risks your organization could face with an expired signing certificate? I hope it does. But, before we move on to discover what you’ll have to do to get out of this mess, I also want to talk briefly about timestamping. Why? Because I know that some of you may ask:
Timestamping is a workaround that benefits you when your code signing certificate expires. ‘Workaround’ pronounced ˈwərk-ə-ˌrau̇nd. A plan or method to circumvent a problem (as in computer software) without eliminating it. Merriam-Webster dictionary. This is because time stamping allows you to attach the exact moment when you digitally signed your code. This enables your software to be trusted by browsers and operating systems well after the certificate has expired.
This is exactly what timestamping is in case of an expired code signing certificate. Don’t get me wrong, timestamping is indeed a vital part of a secure code signing process and it shouldn’t be omitted. However, when a certificate expires, it allows the software you signed while the certificate was still valid to be trusted well beyond the life of the certificate. This means that users won’t see the ugly warning messages they’d otherwise see when your certificate expires.
Time stamping doesn’t change anything regarding signing new software with an expired certificate; it only allows you to prove that your certificate was still valid at the time of signing.
Got it? Timestamping can be a precious ally for a PKI administrator. It can keep you out of trouble until you don’t have to sign new software, or until you have renewed the certificate. Be careful, though, timestamping is a useful tool, but it isn’t the panacea for all expired code signing certificate ills.
As a matter of fact, there isn’t a magic bullet for an expired code signing certificate. Either you renew it before its expiration date or you deal with the repercussions once it’s expired. So, how can you deal with it before it becomes an issue? Let me show you the best ways to do it step by step.
When your code signing certificate has already expired the only way to fix the issue is to buy a new one. This means that you’ll have to go through the whole process you followed the first time you bought it. And, depending on the certificate, it might take some time. What are the steps to follow?
Expired Code Signing Certificate – How to Re-Purchase It | Expiring Code Signing Certificate – How to Renew It |
---|---|
1. Purchase a New Code Signing Certificate. | 1. Renew the Code Signing Certificate. |
2. Go Through the CA’s Full Validation Process. | 2. Go Through a Quick Verification. |
3. Get Your Certificate and Install It. | 3. Get Your Certificate and Install It. |
Prove Your Software Is Trustworthy
Signing your code shows users that your software and updates can be trusted.
Download our free code signing best practices eBook to learn how to help keep your supply chain secure and your company, customers & end-users safe.
Select the code signing certificate you need (i.e., extended validation [EV] code signing certificate or organization validation [OV] code signing certificate) and fill in the order form with the information required.
In some cases, after your order has been placed, you may have to generate and send a certificate signing request (CSR) to the CA. There are various methods you can follow to generate it:
On top of that, all OV code signing certificates purchased starting in mid-November (2022) will have to comply with the CA/Browser Forum’s (CA/B Forum) new requirements. We’ll speak more on that in a few moments.
Once your order is completed, the CA issuing the certificate will have to verify that your organization is legitimate and authenticate you. If you’ve chosen an EV certificate, the vetting process will take a bit longer as it involves a more rigorous background check. Curious about the process? Check out the following resources for additional information:
Validation completed? Great! The CA will send you an email with the installation instructions. Follow them and you’re done. Did you purchase an EV code signing certificate? In that case, you’ll also receive a USB hardware token that you’ll have to insert into your device to sign your software. Starting Nov. 15 (Nov. 14 if you’re located in North America), the OV code signing certificates and their private keys will have to be stored on a hardware security token.
There you have it. This is the re-purchasing process to follow if you find yourself with a code signing certificate that’s expired. Now you’re ready to start signing your codes again.
But what if your certificate is still valid for a few more days? Hurry up and start renewing it now! Why?
To start the renewal process:
Log in to the provider’s website where you bought your code signing certificate the first time. On the page listing the certificates you own, there should be a “Renew now” button (or something similar). Click on it and fill in the order form with the information required.
Do you own an OV code signing certificate and want to upgrade it to an EV? You can do that. Just select the certificate you want. Don’t forget, though:
Is it worth it? Generally, yes. When you re-purchase or renew an OV code signing certificate or an individual validation (IV) one, you’ll always have to spend time establishing or rebuilding its Microsoft SmartScreen reputation. Therefore, when you renew your code signing certificate, you may want to spend some time carefully evaluating your options.
Last but not least, if you’re required to send a CSR, you can use the one you generated to place your first order or create a new one.
The CA will perform a quick cross-check verification to confirm that your organization is still legitimate and that the information is still valid. In case anything has changed, you may be requested to provide new documentation.
The CA will issue the new certificate. To continue signing your software, make sure you install it as instructed in the email received from the CA.
That was easy and painless, right? By the way, did you know that even if you start the renewal process 90 days before the expiration date, the remaining time on the old certificate will be added to the new certificate? That’s great, right? So, next time, don’t wait till the last minute to renew your certificate. Because the early bird gets the worm!
Code signing certificates don’t last forever. They have a maximum life span of three years; then they expire. And when they do, the consequences can have a heavy toll on your business (and for your customers as well if your certificates’ private keys fall into the wrong hands).
In the best-case scenario:
But it can get worse if attackers manage to replace your executable with malicious software and get it out to the public. This means that customers will no longer trust you and your brand and reputation are likely to take a significant hit.
From now on, make sure you renew your code signing certificates well before their expiry date by following certificate management best practices. It’ll save you a lot of hard work, sleepless nights, and money in the long run. Show your customers you’re serious about security by demonstrating that your codes and organizational identity are valid and protected at all times. What will you get in return? Peace of mind, your customers’ trust, and, perhaps, their returning business.