What happens when a code signing certificate expires?

I am considering purchasing a code signing certificate from VeriSign or Thawte to sign an XBAP with. My question is this: What happens when that certificate expires? $299 and $599 are pretty hefty prices for 1-year/2-year cerificates, and if I have to deliver a newly signed build to my customers whenever my certificate expires, then I'll just deal with the hassle of creating my own certificate for now.

What I don't like about creating my own certificate is the difficulty in distributing it to all of the client machines that will be using my XBAP. My application will only ever be used on a LAN, so I suppose I could always use Windows Installer to install my home brewed certificate (although I'm unsure on how to do this - anyone have any ideas?).

This wouldn't really be a problem if I was delivering a partial trust application - but my application needs Web permissions, since it will be talking to WCF services, so it is in that grey area between partial trust and full trust, and without a certificate, I get that fun ole Trust Not Granted message when I try to load my XBAP.

Any ideas?

If you timestamp your code while the certificate is valid the effect is that your expired certificates are good.

From Thawte Code Signing Certificate FAQs:

How long can I use a Code Signing Certificate for?

• Code Signing Certificates are valid for 1 or 2 years depending on which life cycle you choose when you purchase the certificate. Please note: For Microsoft® Authenticode® (Multi-Purpose), you should also timestamp your signed code to avoid your code expiring when your certificate expires.

Is timestamped code valid after a Code Signing Certificate expires?

• Microsoft® Authenticode® (Multi-Purpose) allows you to timestamp your signed code. Timestamping ensures that code will not expire when the certificate expires because the browser validates the timestamp. The timestamping service is provided courtesy of VeriSign. If you use the timestamping service when signing code, a hash of your code is sent to VeriSign’s server to record a timestamp for your code. A user’s software can distinguish between code signed with an expired certificate that should not be trusted and code that was signed with a Certificate that was valid at the time the code was signed but which has subsequently expired.

Watch out for certificates with WTD_LIFETIME_SIGNING_FLAG set: It means (despite what you mind assume from the name) that a program signed with the certificate is invalid after the certificate expires, even though the program hasn’t changed, and the certificate was valid when it was signed.

This also affects updates, in that even if the customer checks the box to trust all programs from your company, if your update program isn't signed with the same cert (or that cert expires) then the trust fails.

From: http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx

---

Timestamp Processing with Lifetime Signing Semantics

Applications or certification authorities that do not want timestamped signatures to verify successfully for an indefinite period of time have two options:

• Set the lifetime signer OID in the publisher’s signing certificate.

If the publisher’s signing certificate contains the lifetime signer OID in addition to the PKIX code signing OID, the signature becomes invalid when the publisher’s signing certificate expires, even if the signature is timestamped. The lifetime signer OID is defined as follows:

szOID_KP_LIFETIME_SIGNING 1.3.6.1.4.1.311.10.3.13

• Set the WTD_LIFETIME_SIGNING_FLAG in the WINTRUST_DATA structure when calling WinVerifyTrust.

If a WinVerifyTrust caller sets WTD_LIFETIME_SIGNING_FLAG in the WINTRUST_DATA structure and the publisher’s signing certificate has expired, WinVerifyTrust reports the signature as invalid even if the signature is timestamped.

If a publisher revokes a code signing certificate that contains the lifetime signer OID or a WinVerifyTrust caller sets WTD_LIFETIME_SIGNING_FLAG in the WINTRUST_DATA structure, WinVerifyTrust reports the signature as valid if both of the following conditions are met:

• The signature was timestamped before the revocation date.

• The signing certificate is still within its validity period. After the validity period expires, the signature becomes invalid.

---

For Example: https://forum.startcom.org/viewtopic.php?f=15&t=2215&p=6827&hilit=lifetime+signing#p6827

That is a serious problem with StartSSL certificates. It doesn't surprise me that there are limitations in a certificate that cost so little, but burying this limitation in the fine print or in an old forum post instead of making it clear in the product description is poor business. They may fix it in the future, and others may or may not have the same limitation so an email to check before you spend might be wise.

Guess who didn't know to ask? LOL... oh well, live and learn.

If you make sure to add a time stamp when signing binaries, you won't have to re-sign them when the certificate expires. Just add "/t http://timestamp.verisign.com/scripts/timstamp.dll" to the command line of signtool and the digital signature will always be marked as valid unless the certificate is revoked and the CA is trusted.

The reason code signing certificates are so expensive is that someone has to verify that you are who you say you are. In my case they verified the address and phone number, and phoned me up. Comodo's certificates appear to be slightly cheaper though.

What you should do if you plan to use it in a closed (LAN) environment is to setup your own CA. Windows Server versions include easy to use Certification Authority but even easier is to setup a minimal CA by means of the demoCA provided by openssl, which consists of several scripts. You can run openssl demoCA in Cygwin on Windows or natively. This demoCA consists of several perl/bash scripts that call openssl commands to generate requests, sign certificates/crls, etc.

When you have your own CA what you need to install is your CA root certificate so there will be no more hassles to update user certificates since the CA certificate will stay the same. Typically a CA certificate should last for 5-10 years, but you can configure as much as you want (remember that it is your own CA).

The CA certificate will be installed on every client machine. If your application trusts Windows System security it should be installed on IExplorer Certificate Authorities keystore. If you use a Java Application then you should distribute the CA certificate inside the Java keystore you use.

Just had this problem. I found in this article the explanation and together with @BCran's answer I solved it. Summary:

• The certificate, by default, needs to be valid during validation (when the client opens the program, not during compile time)
• For the certificate to be valid forever, you need to sign the program using a TimeStamping server. That validates that you haven't changed your computer's time and used an old certificate. If you use a TimeStamping server, you won't need to resign your code every time.

This is how you would do it in VS.NET 2017 for example:

If the URL doesn't work, you can use any service, here are a bunch of URLs that work: https://stackoverflow.com/a/9714864/72350

BEWARE WINDOWS DEFENDER.

You never want your cert to expire, or as long as possible, which seems to be 10 years.

Once your cert expires, windows will not recognize a replacement cert as such. Your applications goes to the end of the queue, as if it was signed by a completely different organization.

This means that users will get nasty messages if they download, and may not be able to run your code at all depending upon group policies. This will continue until a large number of different people have ignored the dire warnings and installed your software.

Sure, a timestamp server will enable existing programs to run after the cert expires, but upgrades will be a problem.

This is not an issue for locally used software, but a big issue if you want to distribute your software widely.

BCran wrote: "The reason code signing certificates are so expensive is that someone has to verify that you are who you say you are."

Call me stupid, but has anyone thought of the idea that developers can do their own calculating of the exact size of their executable apps at time of being built and whether or not to include a developer's identity with the calculated number, insert the hash number in encrypted form with the app, and decide whether or not to time-limit the app or make it work in perpetuity (since the executable code already on a user's machine is unlikely to deteriorate or change on its own after 1, 3, 5, 10 , 100, 1 million years)?

Furthermore, it doesn't make any difference if someone can verify your phone number and/or address. Those things can change very easily if a developer chooses, but not the app's code.

Advantage: It costs nothing to the developer to perform this task. At the same time, users can still be assured of a valid and safe app for as long as they wish to use it (or allowed to use it by the developer) and the app remains untampered with. Or must the big players, such as Apple and Microsoft and certificate issuers, cajole developers into accepting to pay continuously for this service?

NOTE: My naive and original understanding of a code-signed app is to prevent tampering of the app's code by anyone. But the more I look at this, it looks more like it is an opportunity for third-party individuals and organisations to make money off of developers, from the rich and not so rich. Okay, someone has to do the work of trying to find out you are who you are. But the vast differences in prices I see across the internet for this service and so much emphasis on 1 or 3 year periods with no option of a perpetual lifetime signed app suggests that we have people out there with very expensive offices in the city to pay their rent and their hefty salaries.

Why don't developers demand the type of security solution from Apple and Microsoft that is far friendlier on the developers' pockets and just as secure and safe for the users? Or else give the exact size in bytes of the final installer file on the developer's web site at time of download and users can check. Any extra or loss of bytes from what's stated should be enough to tell users there is a problem. Force developers to have their own web site so everyone can see who they are and where to get a legitimate and untampered copy of the software and put an end to software download sites grabbing copies of the developer software to download from their sites. Everything should be done from the developer's site and no where else.

Code signing certs are not "managed" meaning they do not update themselves... chances are you have to purchase a new one once it expires.

You can set up a Certification Authority (CA) - stick with a windows-based CA if you're a windows-only shop but otherwise I'd recommend Linux with something like DogTag Certificate System.

Note that if you create your own CA, you'll need to export the public CA cert and install that (so it's trusted as a root CA) on any server that will run code/scripts signed by a code-signing cert issued by that CA. This is far, far cheaper (free?) compared to paying for a cert every X years - not to mention the other certs you could issue for various reasons/uses!