Code Signing Best Practices
Download this Code Signing Best Practices guide to improve your software and supply chain security.
Digitalization has transformed our world and lives dramatically. In the last few years, we’ve seen a significant shift to online communications and transactions:
However, the internet wasn’t designed with security in mind. Cybercriminals know this and are exploiting this vulnerability to damage end users and businesses alike. This is why digital certificates play a key role in today’s digital world, building trust, facilitating interactions, protecting millions of connected devices and its users.
Bu what is a digital certificate? In this article, we will take you on a virtual journey in the world of PKI digital certificates. You will learn how they work, why and when you should use a digital certificate, and what kind of PKI digital certificates are available out there.
To prove your identity in the real world, you can show your passport, your government-issued ID card or driver’s license because they’re accepted forms of identification. In the digital world, websites don’t have passports or driving licenses, nor do software programs have ID cards. However, there is something very similar that can be used by everyone: the PKI digital certificate.
A digital certificate, also called public key infrastructure (PKI) certificate, is an electronic form of authentication and identification that comes in the form of a small file. It uses mathematical formulas to handle a variety of functions:
All of this is done through the use of asymmetric encryption, which involves the use of cryptographic key pairs (or what are commonly known as public and private keys). A public key (which is available to everyone) encrypts information, whereas a private key (which you keep secure) decrypts it.
Many digital certificates are issued by publicly trusted certificate authorities (CAs). Each certificate typically includes information about the key holder (i.e., name, public key and its expiration date), a digital signature, and the name of the CA that issued the certificate.
Digital certificates can also be created and managed locally by a private entity, or what’s known as a private CA. A typical example is when a company creates its own private digital certificates restricted to use internally within its organization and internal network(s).
Public certificates are used by the majority of people however, depending from the environment in which they’re utilized, there may be some occasions where private certificates may come in handy.
Public CA Certificates | Private CA Certificates | |
---|---|---|
Issued By | A publicly trusted certificate authority (such as DigiCert or Sectigo). | Your own local certificate authority (private CA). |
Issued To | Anyone who pays the fee. | System and users within your organization only. |
Uses and Applications | To secure data that transmits between clients and websites/web apps on public-facing servers. | To secure data on internal networks and devices connected to those networks. |
Pros | – The majority of applications, servers, and clients are already configured to recognize publicly trusted CAs. – Companies and users trust public CAs more than private ones. | – Increased security as you issue certificates only to trusted members of your organization. – Lower managing costs if issued for a high number of users for client authentication. |
Cons | High managing costs if issued for a high number of private users for client authentication. | – Time and resources invested. – These certificates don’t work on public-facing networks. |
Your best choice is to use a digital certificate from a public CA for applications that involve your public-facing servers and resources. It’s trusted automatically by the major browsers and operating systems and makes
If you are working within your own organization and users, using the more secure private digital certificate can be a cost-effective option. This will ensure that access to your private services will be restricted only to the members of your organization.
There are five main types of digital certificates that you can use for external or internal applications. Let’s see in more details the differences among them and their key features.
The SSL/TLS certificate, also known as a website security certificate, is installed on the server to ensure that the communications between the server (i.e., mail server, app, LDAP or web) and the client are secure and encrypted. For example, all websites with a URL starting with https (instead of http) are using SSL certificates.
There are many types of SSL certificates in terms of what they cover:
SSL/TLS certificates have three different validation levels, offering three distinctive levels of security and authentication:
These digital certificates not only certify that the website is encrypted, they also provide your users with more verified information about your organization. This increases trust, allowing the user to have a better idea of the level of safety of the website they’re visiting.
Let’s have a look to each of them and compare their features:
Domain Validation (DV) | Organizational Validation (OV) | Extended Validation (EV) | |
---|---|---|---|
Level of Authentication and Identity Validation | Low. Anyone can get it, even a malicious bot. | Moderate validation. Business certificate with nine validation checks. | Highest validation. Business certificate with a high number of validation checks. |
What It Validates | That you own or control the domain of the website for which you requested a certificate. | This basic business validation verifies you own or control the domain but also verifies additional information about your organization. | This extended business validation goes beyond what an OV certificate verifies to ensure that the certificate requestor is legitimate and so is their organization. |
Certificate Issuance Process | This is an automated process. The CA sends an email to the domain owner listed in the WHOIS database to confirm that the buyer is the legitimate owner of the URL. | The domain owner must provide to the CA up-to-date documentation proving that the company exists and that it’s a legitimate legal entity. The company will manually verify this information using a mix of provided and external resources. This is a process that can take 1-3 days. | The certificate can be issued only by a select number of CAs undergoing a yearly audit before being approved. The CA must follow strict procedures to validate the requesting company’s ownership, organizational information, physical location, legal existence, registration number. This is an extensive manual vetting process that can take several days. |
How Is It Visualized in The Browser? | You’ll see a padlock security icon in the browser near the URL bar. When clicking on the padlock near the URL, no additional organizational details are shown as this certificate validates only the domain. | You’ll see a padlock security icon in the browser near the URL bar. You can find additional validated company information within the SSL/TLS certificate subject details. | You’ll see a padlock security icon in the browser near the URL bar. When clicking on the padlock, you’ll see verified organizational information displayed there. You’ll see additional verified organization information in the certificate Subject details. |
What Websites Should Use It | Blogs, testing domains, personal websites. Basically, anything that doesn’t collect any type of personal information. | Small e-commerce websites, websites managing personal or sensitive information. This level of validation should be the minimum for websites that collect sensitive information. | Government sites, global brands, organizations, institutions. |
Different from the previously mentioned SSL certificates, software developers and publishers use code signing certificates to validate their software, executables, or other files by asserting their identity and providing file integrity assurance. Basically, a code signing certificate authenticates the publisher’s identity and confirms that the file or software it’s genuine and that hasn’t been tampered with. It’s especially useful for companies using third-party websites to distribute their software.
Like the TLS certificate, code signing certificates rely on using public and private keys. If you’re considering using a code signing certificate, there are two options to choose from:
If you want to know more about code signing certificates, check this article How Does a Code Signing Certificate Works?.
A document signing certificate enables you to digitally sign many types of files, including Microsoft Office and PDFs. This will allow you to ensure that your document won’t be changed when sent to another recipient. How?
Once you have received your certificate from a trusted CA, you just have to follow a few simple steps (depending on the software you use) to sign the document.
Once your digital signature is appended to the document, you can send it to your intended recipient. When the recipient receives the file, their software will automatically compare the signature with the one in your certificate. If they match, it means the document hasn’t been modified and the recipient can view it without any worries. If they don’t match, the recipient will receive a warning that the file could be dangerous or harmful.
Tip: The signing and warning processes may be slightly different from one software to the next. However, using a document signing certificate will always enable you and your recipients to immediately spot any unauthorized changes to your signed documents. Cool, isn’t it?
A client authentication certificate, also called digital ID, is used to restrict access to databases by ensuring only authorized users can log in to them. It uses PKI for authentication to verify the identity of a person or a device so they can establish a secure, encrypted connection to your web apps or other secure resources. It’s pretty popular nowadays, as remote access and cloud computing are quickly becoming the norm.
The IoT device certificate and PKI together play a key role in the ever-expanding worlds of IoT and IT security. They enable you to protect every connected device securing its authentication, data integrity and encryption from cybercriminals.
In addition, with the IoT device certificate, there is no need to use a password: once the device is registered as authorized by the IT admin, it connects to the network using the SSL/TLS protocol. The device can then identify itself and other devices through the public key, and exchange data.
Thanks to end-to-end encryption and rock-solid authentication, the IoT device certificate becomes part of your organization’s a multi-layer protection, ensuring hacker-proof secure communication between the IoT devices and the network, dramatically reducing data leaks and the risk of breaches.
Now that we know what PKI digital certificates are and how they work, we can move on to the next question.
In general, digital certificates are used to confirm the identity of people and electronic assets on the internet. They allow for secure, encrypted online communications and are often used to protect online transactions. The following are a few examples of the most common digital certificate use cases:
Secure, authenticated access: In a world where hackers are always trying to find new ways to steal credentials, a more secure authentication method like using a client authentication certificate in lieu of passwords can be a valuable solution. It’s safe and supported by all major browsers. It allows you to gain access to secure resources without ever having to enter a password. These certificates also can be stored or carried in physical hardware tokens and smart cards.
And we could continue but, there is still one unanswered question: why should it matter for me? And this is exactly what we’re going to find out next.
Digital certificates are a practical and valuable resource to protect your business and your users from cybercriminals, above all when taking into account the latest threats statistics.
The 2021 Midyear Cybersecurity Report shows that, only in the first six months this year, TrendMicro has identified and blocked more than 40 billion dangerous emails, malicious files, and URL threats. Can a PKI digital certificate help in these cases? In most of them, yes. But the benefits of digital certificates don’t stop here.
If you are an internet user, and I guess you are as you’re reading this article, you’re also a potential target for cybercriminals. The digital certificates can help you, but they can do much more than that!
Useful right? I guess you’re starting loving digital certificates now! But, what if you’re a business owner? What are the benefits for you?
Let’s have a look to how digital certificates can contribute to the success of your business in a competitive, dangerous, digital world.
In 2021, organizations experienced the highest average cost of data breach in 17 years, growing from $3.86 million to $4.24 million. Compromised credentials were responsible for 20% of the breaches as described by IBM’s Cost of a Data Breach Report 2021.
Digital certificates can help you secure your data online. Encrypting communications avoids that your sensitive information is phished or stolen. With the usage of SSL/TLS certificates, you can ensure that the data of the customers visiting your website are secure. And last but not least, managing and storing documents digitally eliminates the risk of physical documents being lost or destroyed.
Digital certificates are easy to manage and can guarantee a high level of security to small and large businesses alike. To make things even easier, there are now many solutions available to help you automatically manage the issuance, renewal and storage of your company’s digital certificates.
When sending files over the internet, a digital certificate allows you to validate the file’s author identity and, at the same time, ensure its integrity.
Norton’s 2021 Life Lock Cyber Safety Insights Report Global Results data found out that 62% of surveyed adults find it difficult to determine if the information they see online comes from a credible source.
And a survey made in 2019 by PandaSecurity on 1,000 people in the U.S. confirmed the importance of a secure URL (HTTPS) as a credibility factor when shopping online (chosen by a third of the surveyed people).
As we’ve seen earlier in this article, SSL/TLS digital certificates can help eliminate these doubts with your users and make your website more credible in their eyes. And other types of digital certificates can help you provide identity and integrity assurances regarding other areas of digital communications. More credibility will result in higher trust and increased revenue.
As mentioned before, a lack of identity verification can have disastrous consequences not only moneywise but also on your brand’s reputation. It just has to happen once. With digital certificates, you can:
All this will help you build customer trust.
Last but not least, digital certificates help you remain compliant with several key regulations, including:
These are just a few of the reasons why more and more organizations choose to use digital certificates. Let’s explore another growing area where using digital certificates can add to your security…
The number of IoT connected devices is constantly growing. A report from IOT Analytics forecasts that there will be more than 27 billion IoT device connections by 2025.
IoT implementations require:
All these requirements can be covered and addressed through the usage of digital certificates and the PKI infrastructure enabling secure authentication, encryption and code signing.
Hopefully, this article has answered your questions on digital certificates and has helped you better understand what a digital certificate is and why it’s so important for companies and users alike.
We’ve learned that companies that provide strong identity for their software can:
No matter who you are and what you do, digital certificates are the way to secure your activities in the digital world: unknown/untrusted sources are never safe!
We’ve now reached the end of our journey, but now you can start your own in the world of PKI digital certificates! A whole new secure internet world is waiting for you. What are you waiting for? Get your digital certificate now!