
One of the features introduced with Silverlight 4 was the out-of-browser feature, enabling you to create an application that can be installed, run offline, automatically updated, etc.  As a part of that feature, some of the major code signing certificate vendors (for Authenticode certs) provided our team with test certificates so that we could go through the same process as a developer would to acquire the cert and apply it to an app…and, of course, validate it works.

During that time some of those vendors had promotional codes for the first year for Silverlight developers, providing reduced-rate (but not reduced-quality) code-signing certificates for their apps.  Even so, many questioned why some providers remained expensive and didn’t value “the little guy,” by which I mean the many smaller firms and independent developers for whom dropping a few hundred dollars on a cert is a real hurdle.

Last week a representative contacted me about their offerings as a premier partner of one of those providers.  Certs4less.com is now offering Thawte code-signing certificates for individual developers.  They are doing this at a price of $99 per year (less for multi-year). 

NOTE: As a part of this, like before with SL4, Certs4Less graciously offered a promotional cert for me to validate the end-to-end process so that I could speak accurately about it.  I do not use any of the certs these companies provide toward any production application; they are for testing purposes only.  Besides, I’ve not found the time to write production code for apps lately ;-).  I am not getting paid for this post, nor am I getting another promo code for personal use.  I am simply providing what I think is valuable information and get no compensation from Thawte or Certs4Less.

I went through the process of obtaining this cert from Certs4Less.com and it produced exactly what you’d expect: a valid Authenticode code-signing certificate I can use for my Silverlight and Windows 8 application packages!  I shared a few points of feedback with the contact there and will enumerate them here for you as well (along with some tips).

Your ‘Common Name’

Think carefully about this one when you buy a cert; I mention it for two reasons.  First, it is what your customers will see: the Common Name in the certificate’s Subject is the publisher name Windows displays in the signature details and in install prompts, so you don’t want them to see an app signed by a name that isn’t recognizable or doesn’t make sense.  Second, this is the name the CA will verify.  If you claim you work for Fizbin Enterprises but that company doesn’t actually exist, you’ll have issues during verification.

One year, 2 or more

One thing you should know about code-signing certificates is that renewal issues a new certificate, normally with a new key pair, rather than extending the old one.  In some cases this can cause issues for your app: ClickOnce, for example, includes the signing certificate’s public key in the deployment identity, so existing installs may not accept updates signed with a different certificate.  For this reason I personally recommend getting the longest term you can afford.  Most likely this will be a wise investment and you’ll have peace of mind.  Note that expiry affects signing new releases, not binaries you already signed: if you timestamp each signature (signtool’s /t or /tr switch), the signature stays valid after the certificate itself expires.

Apply on the computer you will receive it

One thing we as developers don’t do well is read directions.  One of the instructions you’ll see is to be sure that you do the cert request process from the same machine you plan on picking up the cert from!  Seriously, this is critical if you use the browser-based process, because the browser generates the private key in that machine’s (and that user account’s) certificate store when it builds the request, and the issued certificate is only useful once pick-up binds it to that key.  Request on one machine and collect on another, and the certificate arrives with no matching private key: you’ll be screwed and out some cash.  Plan ahead, and don’t do this while on vacation on the laptop that you repave weekly.

Verification Process

This is an area where I think I had the most negative feedback.  These verification steps are a bit old.  I understand they have their reasons, but in this digital age the fact that I had to find a notary was…well, just inconvenient.  This Certs4Less/Thawte process required me to do this.  The ‘form’ they emailed me really wasn’t a form…just an email with text broken out with ‘==========================’ before each section.  So when I brought in my printed out GMail ‘form’ to the Notary he looked at me like I was an idiot.  The verification form was nothing formal looking at all and I had to have 3 different people look at it before they finally just said ‘okay’ and signed it.

The thing that was most troublesome in this process was that it was a distraction.  I had to actually print stuff out, find a passport, go to a bank, wait in line…you know, real people stuff.  But still, it felt annoying in this modern age.

Some of my processes with other vendors have been a lot more streamlined, and I think this one can and should improve.

Acquiring the certificate

Most of the time this is a quick process.  Remember when I mentioned that developers don’t read instructions?  Yeah, I’m no different.  The final email indicating my cert was ready had instructions I didn’t read, about making sure I had the intermediate certificates installed first.  Without them I got ambiguous errors when trying to retrieve my certificate; the retrieval step needs the issuing intermediate in your store to chain your new certificate up to the root.  Be sure to read any retrieval and verification instructions in detail to give yourself a good experience.
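As an added example (not code from the post, and not the Certs4Less or Thawte enrollment flow itself), here is the same request/pick-up cycle done with certreq instead of the browser. It makes the “same machine” rule and the intermediate-certificate step visible: the private key is generated into the current user’s certificate store when the request is created, and `certreq -accept` can only bind the issued certificate to that key on that machine and user account, and only once the issuing intermediate is present. The Subject, file names and the intermediate’s file name are assumptions.

```powershell
# Added example: request a code-signing certificate with certreq so the private key
# stays in the store it was generated in. Subject, paths and file names are assumed.
$inf = @"
[NewRequest]
; The Subject is what the CA verifies and what users will see as the publisher.
Subject = "CN=Fizbin Enterprises, O=Fizbin Enterprises, L=Redmond, S=WA, C=US"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = SHA256
; AT_SIGNATURE: a signing-only key
KeySpec = 2
; Decide this now; it cannot be changed after the key exists
Exportable = TRUE
; FALSE = current user's store on this machine, which is where certreq -accept will look
MachineKeySet = FALSE
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; 1.3.6.1.5.5.7.3.3 = Code Signing
OID = 1.3.6.1.5.5.7.3.3
"@
Set-Content -Path .\codesign.inf -Value $inf -Encoding Ascii

# 1. Generate the key pair and the CSR. The private key lands in this user's
#    Cert:\CurrentUser\REQUEST (pending requests) store on this machine.
certreq -new .\codesign.inf .\codesign.csr
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed" }

# Paste codesign.csr into the vendor's order form and complete their verification.

# 2. Before accepting, install the issuing intermediate the vendor points you to
#    (file name assumed). Without it, accept cannot chain the new cert to the root.
Import-Certificate -FilePath .\thawte_intermediate.cer `
    -CertStoreLocation Cert:\CurrentUser\CA | Out-Null

# 3. Bind the issued certificate (file name assumed) to the waiting private key.
#    This only works on the machine and user account that ran step 1.
certreq -accept .\issued.cer
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed: check the intermediate and the machine/user" }

# 4. Confirm the result: a cert with a private key and the Code Signing EKU.
Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey } |
    Format-List Subject, NotAfter, Thumbprint, HasPrivateKey
```

If step 4 lists the certificate without `HasPrivateKey : True`, the accept was run somewhere other than where the request was generated, which is exactly the failure the “same machine” instruction is warning about.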

Back up/export your certificate

I don’t know about you, but I’d probably use my cert in automated build processes and keep it on a share (perhaps a Dropbox/Live/git location) so that I don’t have to use only my one machine to sign an app.  One thing I highly recommend, once the certificate is installed, is to open certmgr.msc, find it under Personal, and export it.  When doing this, choose “Yes, export the private key” and “Include all certificates in the certification path” so that the resulting PFX file is portable.  Whatever location you pick, remember that the PFX is your signing key: give it a strong export password, restrict who can read the share or repository, never store the password alongside it, and prefer a build-server secret store where you have one.  Then you can use it in your build process for Silverlight as described in my previous blog post about that feature.
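An added example (again not code from the post) that ties together the Common Name, expiry and back-up points above: it exports the certificate with its private key and chain to a password-protected PFX, signs a build output from that PFX with a timestamp so the signature outlives the certificate, and then verifies the result and reads back the publisher name users will see. The file names, the timestamp server URL and the assumption that `signtool.exe` from the Windows SDK is on PATH are all assumptions; substitute your vendor’s timestamp service.

```powershell
# Added example. Assumes one code-signing cert with a private key in the current user's
# store, a build output app.exe, and signtool.exe (Windows SDK) on PATH. URL is a placeholder.

# 1. Pick the certificate. -CodeSigningCert filters on the Code Signing EKU.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No unexpired code-signing certificate with a private key found." }

# 2. Export cert + private key + chain to a password-protected PFX. BuildChain is the
#    equivalent of "Include all certificates in the certification path" in certmgr.msc
#    and is what makes the file portable. Treat the file as a credential.
$pfxPassword = Read-Host -AsSecureString "PFX export password"
Export-PfxCertificate -Cert $cert -FilePath .\codesign.pfx `
    -Password $pfxPassword -ChainOption BuildChain | Out-Null

# 3. On the build machine: sign from the PFX and timestamp. /fd and /td select SHA-256
#    for the file digest and the timestamp digest; /tr names an RFC 3161 timestamp server.
#    The signature stays valid after the certificate expires because of the timestamp.
#    (A real build server would pull the password from its secret store, not a prompt.)
$plain = (New-Object System.Net.NetworkCredential('', $pfxPassword)).Password
signtool sign /f .\codesign.pfx /p $plain /fd SHA256 `
    /tr http://timestamp.example.invalid /td SHA256 .\app.exe
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed" }

# 4. Verify the chain against the default Authenticode policy (/pa) and read back the
#    signer's Common Name, which is what install prompts show as the publisher.
signtool verify /pa /v .\app.exe
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed" }
$sig = Get-AuthenticodeSignature .\app.exe
"{0}  publisher CN: {1}  cert expires: {2}" -f $sig.Status,
    $sig.SignerCertificate.GetNameInfo('SimpleName', $false),
    $sig.SignerCertificate.NotAfter
```

Two things worth checking on the output: `Status` should be `Valid`, and the `publisher CN` is the exact string users will see, so if it is not the name you expected, that is a problem with the certificate order rather than with the build.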

Summary

I want to thank Certs4Less for reaching out to the independent developer and providing a valuable product at an ‘independent developer’ price level.  I appreciate them also reaching out to allow me to test the process to verify it is fairly painless and the result is what I expected.

Code-signing certificates are very valuable in many ways and I believe every developer should have one for their personal projects as well as their large ones.

Hope this helps!


This work is licensed under a Creative Commons Attribution By license.


12/13/2011 1:13 PM | # re: Code signing for the independent developer
Try Googling "openssl become your own CA", there's a jackpot of tutorials. I created a trusted code signing cert for free. Of course, you have to install the root CA for this to work.

If you don't like the version of OpenSSL for windows or Cygwin, Oracle VBox and a VM with something like Fedora or Open SuSE should do the trick.
12/13/2011 8:33 PM | # re: Code signing for the independent developer
Thanks Tim. I too have been frustrated at the expense of code signing certs. Particularly when SSL certs are much cheaper.

Aris : I am pretty sure you have missed the point. There are lots of ways to create a code signing cert, but that's of little use for a production app. The end-users would all have to manually trust the cert / ca.
12/14/2011 3:45 PM | # re: Code signing for the independent developer
I work on a number of open source projects, there are other developers on some of them and I am the sole developer on another.

Is this good for signing those or is there some free software code signing certs around for open source projects?
12/14/2011 6:14 PM | # re: Code signing for the independent developer
@joshua - Outside of the OpenSSL mentioned above I've not seen free code-signing certs for any project.
12/15/2011 12:02 AM | # re: Code signing for the independent developer
I agree, Code-signing certificates are very valuable in many ways and I believe every developer should have one for their personal projects as well as their large ones. I've been planning to create my own projects with code-signing certificates. I just want to try it. But first, I must study and download first "openssl become your own CA". I really want to learn it. Thanks for the great advice.
12/15/2011 9:28 AM | # re: Code signing for the independent developer
About the verification process, I don't know if there is a better process - the developer (or its company) has to prove its real identity, so unless you go personally with your ID card / passport to the CA office, a recognized notary is the only way..
1/17/2013 8:50 PM | # re: Code signing for the independent developer
Anyone interested in code signing certificates could also look at startssl.com. They offer a two-year cert that I use for signing my code under Windows. The user interface on their website takes some getting used to, but it works and you can't beat the price!

 

DISCLAIMER:

The opinions/content expressed on this blog are provided "AS IS" with no warranties and are my own personal opinions/content (unless otherwise noted) and do not represent my employer's view in any way.