One of the features introduced with Silverlight 4 was the out-of-browser feature, enabling you to create an application that can be installed, run offline, automatically updated, etc. As a part of that feature, some of the major code signing certificate vendors (for Authenticode certs) provided our team with test certificates so that we could go through the same process as a developer would to acquire the cert and apply it to an app…and, of course, validate it works.
During that time some of those vendors had promotional codes for the first year for Silverlight developers, providing reduced-rate (but not reduced quality) code-signing certificates for their apps. Still, during this time there were a lot of people who questioned why some providers were still expensive and didn’t value “the little guy.” By that I mean that there are a lot of smaller firms or independent personal developers. The thought of dropping a few hundred dollars on a cert is sometimes tough.
Last week a representative contacted me about their offerings as a premier partner of one of those providers. Certs4less.com is now offering Thawte code-signing certificates for individual developers. They are doing this at a price of $99 per year (less for multi-year).
NOTE: As a part of this, like before with SL4, Certs4Less graciously offered a promotional cert for me to validate the end-to-end process so that I could speak accurately about it. I do not use any of these certs provided by these companies for testing purposes toward any production application and they are for testing purposes only. Besides, I’ve not found the time to write production code for apps lately ;-). I am not getting paid for this post, nor am I getting another promo code for personal use myself. I am simply providing what I think is valuable information and get no compensation from Thawte or Certs4Less.
I went through the process of obtaining this cert from Certs4Less.com and it produced exactly what you’d expect, a valid Authenticode code-signing certificate I can use for my Silverlight and Windows 8 application packages! I shared a few points of feedback with the contact there and will enumerate them here for you as well (as well as some tips).
Your ‘Common Name’
Think about this one carefully when you buy a cert. I mention this for two reasons. First, it is what your customers will see. Do you want them to see an app signed by a name that isn’t recognizable or doesn’t make sense…of course not. Additionally, this is the name that will be verified. So if you claim you work for Fizbin Enterprises, but that doesn’t actually exist…you’ll have issues during verification.
One year, 2 or more
One thing you should know about code-signing certificates is that once they expire, the keys change during renewal. In some cases this can cause issues for your app (ClickOnce). For this reason I personally recommend getting the longest you can afford. Most likely this will be a wise investment and you’ll have peace of mind.
Apply on the computer you will receive it
One thing we as developers don’t do well is read directions. One of the instructions you’ll see is to be sure that you do the cert request process from the same machine you plan on picking up the cert from! Seriously, this is critical if you use the browser process because of the private key. If you don’t…you’ll be screwed and out some cash. Plan ahead and don’t do this while on vacation on your laptop that you repave weekly.
This is an area where I think I had the most negative feedback. These verification steps are a bit old. I understand they have their reasons, but in this digital age the fact that I had to find a notary was…well, just inconvenient. This Certs4Less/Thawte process required me to do this. The ‘form’ they emailed me really wasn’t a form…just an email with text broken out with ‘==========================’ before each section. So when I brought in my printed-out Gmail ‘form’ to the Notary he looked at me like I was an idiot. The verification form was nothing formal-looking at all and I had to have 3 different people look at it before they finally just said ‘okay’ and signed it.
The thing that was most troublesome in this process was that it was a distraction. I had to actually print stuff out, find a passport, go to a bank, wait in line…you know, real people stuff. But still, it felt annoying in this modern age.
Some of my other processes with other vendors have been a lot more streamlined and I think this can/should improve.
Acquiring the certificate
Most of the time this is a quick process. Remember when I mentioned that developers don’t read instructions? Yeah, I’m no different. The final email I got indicating my cert had instructions that I didn’t read that talked about making sure I had intermediate certificates installed first. Without this I got ambiguous errors when trying to retrieve my certificate. Be sure to read any verification instructions in detail to provide a good experience.
Back up/export your certificate
I don’t know about you but I’d probably use my cert in automated build processes, keep it on a share (perhaps a Dropbox/Live/git location) so that I don’t have to only use my one machine to sign an app. One thing I highly recommend is that, after the key is installed, you use the certmgr.msc tool and export the certificate. When doing this, be sure to export all the key data as well as the cert chain so that your resulting PFX file is portable. Then you can use it in your build process for Silverlight as described here in my previous blog post about that feature.
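The same export can be scripted and then checked, so you know the PFX really contains the private key and the chain before you rely on it as a backup. This is an added example, not part of the original post; it assumes the certificate was installed into the current user's Personal store, and the output file name is hypothetical.

```powershell
# Added example (not from the original post). Assumptions: the cert lives in
# Cert:\CurrentUser\My; 'codesign-backup.pfx' is a hypothetical output file name.
$pfxPath = Join-Path $env:USERPROFILE 'codesign-backup.pfx'

# Pick the unexpired code-signing cert with a private key that expires last.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'No unexpired code-signing certificate with a private key found.' }

# The password is what protects the private key once the file leaves this machine.
$password = Read-Host -AsSecureString -Prompt 'Password for the PFX'

# BuildChain writes the intermediate and root certs into the PFX as well.
# This call fails if the private key was not marked exportable at request time.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password `
    -ChainOption BuildChain | Out-Null

# Check 1: the chain certificates made it into the file.
$pfx = Get-PfxData -FilePath $pfxPath -Password $password
$leaf = $pfx.EndEntityCertificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $leaf) { throw 'Exported PFX does not contain the expected certificate.' }
if ($pfx.OtherCertificates.Count -eq 0) {
    Write-Warning 'PFX has no chain certificates; it may not verify on another machine.'
}

# Check 2: the private key can actually be loaded back from the file.
$loaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $password)
$hasKey = $loaded.HasPrivateKey
$loaded.Reset()   # release the temporarily loaded key material
if (-not $hasKey) { throw 'Exported PFX does not contain the private key.' }

# Summary, including the expiry date to plan renewal around.
[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    ChainCerts = $pfx.OtherCertificates.Count
    File       = $pfxPath
}
```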
I want to thank Certs4Less for reaching out to the independent developer and providing a valuable product at an ‘independent developer’ price level. I appreciate them also reaching out to allow me to test the process to verify it is fairly painless and the result is what I expected.
Code-signing certificates are very valuable in many ways and I believe every developer should have one for their personal projects as well as their large ones.
Hope this helps!