Choosing a code signing certificate is among those tasks that are most critical if you’re in the business of software. If you develop and distribute any kind of software, it becomes your duty to validate its code using a code signing certificate because that is the foundation of all software security. All other security measures in its absence may fail to keep your software secure as pirates may create malicious copies of your software that steal user data, damage the devices of your customers, or do both. Therefore, your customers must have a way to ensure that the software they’re installing came from your organization only and its code has not been altered after you developed it. That’s what code signing certificates try to ensure.
Now the question is… how to find the right code signing certificate for your business. And that’s precisely what we’re going to answer here. We’ll take a look at 5 things you should consider while choosing a code signing certificate, and then we’ll also look at how you can get and use a certificate. Let’s begin!
5 Things to consider while choosing a code signing certificate
There are many things that should be considered before choosing a code signing certificate, but 5 of them are most important. Here we’ll take a look at those 5 only, which are more than enough to give you a certificate that’s best for your business:
#1. Participation in the Trusted Root Certificate Program
First of all, you need to ensure that the CA who’ll be issuing your code signing certificate is supported by Windows. Microsoft has authorized various CAs under its Trusted Root Certificate Program to ensure that the best security standards are followed by all CAs that issue code signing certificates, and also to enforce a seamless certificate validation experience in Windows. If the CA who issued your code signing certificate is not a part of this program, there’ll be troubles in the user experience. That’s why you should always get your certificate from a CA that is included in the Trusted Root Certificate Program.
Trust is one of the first things that should be kept in mind while purchasing anything related to cybersecurity. Whichever certificate you choose, you should ensure that it’s trusted across the world so your customers can have peace of mind while installing your software. There are many trusted brand names in the world of cybersecurity (i.e. Comodo, Thawte, VeriSign, etc.), and almost all of them sell code signing certificates. So even from the list of Trusted Root Certificate Program participants, you should choose a CA whose brand is strong and who is trusted by people worldwide.
All code signing certificates come with a validity period of 1 year – 3 years. Once that validity period has expired, the certificate becomes invalid, which means that neither you can use it to sign your code nor the code already signed with it remains protected because the certificate can’t be validated.
However, there’s a way to prevent it from happening. The timestamping feature of SSL certificates keeps your certificate valid even after it has expired because it adds a timestamp to your code at the time when you sign it. That way a third party (the OS in this case) can verify whether the certificate was valid or not at the time of signing the code. So you should ensure that your certificate vendor offers time stamping with your code signing certificate without any extra charges.
#4. Unlimited signing through one certificate
A few CAs impose limits on how many codes or executable files can be signed with certificates signed by them. This can become a major nuisance when you plan to update your software, or if yours is primarily a software business and you sell many different types of programs. So before purchasing your certificate ensure that it can be used to sign an unlimited number of codes and executables, so you don’t end up looking for a new certificate every now and then to sign your executable files.
#5. Value for money
Finally, keep your budget in mind. Certificates are provided by the CAs in different price ranges, and then resellers add their own commission to them so the final price offered by resellers becomes higher than the price range of CAs. After you’ve chosen a few certificate vendors based on the above-given criteria, it makes total sense to compare their offerings so you don’t end up spending too much on it and destroying your budget (especially if you’re in the initial days of your business).
How to get a code signing certificate?
Now when you know about the things that should be kept in mind while choosing a code signing certificate, you may be wondering how to get one. So here’s the process:
- Apply for your certificate: Buy the certificate from a CA of your choice. By now you might have zeroed-in on a CA from whom you want to purchase your certificate, now it’s time to go to their website and purchase your certificate. Each CA asks for some basic information about your business and yourself before issuing the certificate. Provide it, make the payment and you’ll be issued your certificate. We’re not going into the exact process, because it varies from vendor to vendor.
- Retrieve your certificate: Once you’ve applied for the certificate the CA will check and verify the details submitted by you. If found correct, the certificate will be issued. Then you can retrieve your certificate from the vendor. Retrieving it is easy, as you can do it by logging into your account with the certificate vendor. However, keep in mind that you need to use the same computer and browser to retrieve your certificate.
- Install your certificate: Now when you’ve got your certificate, you need to install it on your Keystore or keychain (depending on whether you’re using Windows or Mac). Generally, your certificate vendor sends you an email with instructions about how to do that. Follow the instructions laid out in it and you’ll have your code signing certificate installed on your computer.
So that was a brief introduction about everything that you should know about code signing certificates. We covered the various factors that you should consider before purchasing one, we covered how can you get one, and then finally we also gave you links to detailed instructions about how can you use your certificate to sign your code in different Integrated Development Environments (IDEs). Hopefully, we were able to answer all your questions. If you still have any questions, feel free to shoot them in the comments and we’ll try our best to answer them at the earliest.