renew code signing cert for Windows
Due to StartCom's validity being questioned (at least in browsers), look for alternatives. (current cert is valid until end of May 2018)
Note: We only needed an Extended Validation cert from StartCom, because their regular code-signing cert didn't support the corresponding flag in the cert.
As we don't do hardware drivers or kernel modules, we're fine with an Authenticode/Multi Purpose certificate.
The typical vendors come to mind:
Thawte, Symantec/Verisign, DigiCert
Price is around 200-250 USD/year, depending on validation period (up to three years)
has a small (and slightly outdated) comparison, also includes GoDaddy
Other vendors are GlobalSign and Comodo.
#2 Updated by Christian Lohmaier over 1 year ago
Symantec messed up just recently, issuing a bunch of test certificates, second strike for them, so leaning towards DigiCert at the moment.
#3 Updated by Florian Effenberger over 1 year ago
Is digicert the way to go now, shall I proceed with them, or do you do further research?
#5 Updated by Christian Lohmaier over 1 year ago
go with digicert I'd say. I'll create corresponding certificate signing request after reading their fine print
#6 Updated by Christian Lohmaier over 1 year ago
- File cert_request_2017.req.asc added
- Assignee changed from Christian Lohmaier to Florian Effenberger
(and of course with "Enhanced Key Usage: Code Signing" and no Lifetime Signing (i.e. valid after cert expires). Also added Time Stamping and Microsoft Time Stamping like with the StartCom one in the past, sha256RSA, 4096bit keysize)
(reassigning to floeff for the DigiCert paperwork)
#8 Updated by Florian Effenberger about 1 year ago
- Status changed from New to In Progress
Sorry, didn't get a hand on it before my vacation, will look into things afterwards
#9 Updated by Florian Effenberger about 1 year ago
- Assignee changed from Florian Effenberger to Christian Lohmaier
Kicked the process off, but had no option to upload the CSR so far
Right now validation is taking place
I'm listed as contact for the administrative purposes, you are listed as technical contact who will also receive the certificate
#11 Updated by Florian Effenberger about 1 year ago
- Due date set to 2018-08-01
- Status changed from Closed to In Progress
- Target version changed from Q2/2017 to Recurring
Certificate expires August 2018
#12 Updated by Christian Lohmaier about 1 year ago
- Subject changed from get new code signing cert for Windows to renew code signing cert for Windows
- Status changed from In Progress to New
- Start date set to 2018-05-01
three month advance notice is enough I'd say
#13 Updated by Florian Effenberger 5 months ago
- Due date changed from 2018-08-01 to 2018-05-01
- Start date deleted (
Agreed - but to make it better visible, let's set due date to May 1, so we can have it in the ticket list accordingly
Start date is only shown in ticket details and not relevant for sorting ;-)
#14 Updated by Florian Effenberger 2 months ago
Cloph, can you have a look at the formalities over the next days? I.e. what is required from my side wrt. proof and how to handle things with the private key. If we can recreate the private key, that IMHO can't hurt, but final call is yours of course
#16 Updated by Christian Lohmaier 14 days ago
for future reference: no new CSR is needed, hitting renew cert button and having payment details ready is all that's needed. After processing we get a link to install the cert into browser / export it from there to add to Windows.
No problems observed with the renewed cert/also already distributed to Xisco, so sleeping til next year.