How Do I Create a Self-Signed Code Signing Certificate Through OpenSSL?

1 Star2 Stars3 Stars4 Stars5 Stars (11 votes, average: 10.36 out of 5)
Loading...

As a developer, you know the importance of signing your software or app. After all, the two main purposes for creating and using a certificate authority (CA)-backed code signing certificate are to:

  1. validate your organization’s identity, and
  2. protect the integrity of your software.

However, to try to cut corners on costs or use use it strictly for development and testing, you may get a wild hair and decide to create a code signing certificate that you sign yourself. Here’s why that can be a really, really bad idea.

Danger! Danger, Will Robinson: Why You Shouldn’t Create a Code Signing Certificate

When you try to self-sign a code signing certificate rather than using one signed by a certificate authority, you’re creating a litany of problems. After all, you’re trying to bypass having a trusted third party — a CA — vet you and issue a certificate that you can use to sign off on your code. So, why should the browsers or something like Microsoft SmartScreen trust you if you’re not giving them a reason to?

Simply put — they shouldn’t. Vouching for yourself is awfully shady because it looks like you can’t get validation from a third-party entity such as CA. You know, the entities that are trusted by virtually all of the major browsers. Creating a self-signed code signing certificate to “validate” your work is like trying to issue yourself a voting card, a driver’s license, or using yourself as a reference when applying for a job: It just doesn’t work, and no one’s going to trust it.

Graphic: Unknown publisher java code signing certificate error message

Still, regardless of our warnings, if you decide to try to self-sign a code signing certificate anyhow in OpenSSL, here’s the process:

How to Create a Self-Signed Code Signing Certificate in OpenSSL

Note: This process should only be done for the purpose of development/testing. It should never be used on a live, external-facing page as it will generate an error in the client browser warning them that the CA isn’t known or trusted.

Now that the warnings are out of the way, here’s how to create a code signing certificate in OpenSSL.

Generate a Code Signing Certificate via the New-SelfSignedCertificate-cmdlet

The first thing you’ll need to do is generate a code signing certificate in OpenSSL using Linux, PowerShell, Windows Command, etc. For this example, we’re going to use PowerShell’s New-SelfSignedCertificate-cmdlet.

When you have administrator rights, enter the following command:
$cert = New-SelfSignedCertificate -DNSName "Example Self-Signed Code Signing for Domain.com" -CertStoreLocation Cert:\CurrentUser\My -Type CodeSigningCert -Subject “Example Code Signing”

This will add your certificate to your certificate store.

But why go to all of this trouble and risk forgetting to add a CA-signed certificate when you know you’re going to need to get one anyhow when your product becomes external-facing?

Save yourself the headache and get a CA-signed code signing certificate.

CA-Signed Code Signing Certificates Aren’t as Cost-Prohibitive as You May Think

Code Signing certificates from reputable and trusted CAs aren’t as expensive as you may think. They’re actually quite reasonable when you purchase them from a place like CheapSSLSecurity.com. This is because we buy so many code signing certificates at once and have a sterling reputation with the CAs that they give us the certificates at cost when you’d have to pay the MSRP if you approached them directly.

Check out our code signing options from several major brands like Comodo CA, Sectigo, Thawte and Symantec.

Purchase a Code Signing Certificate from CheapSSLSecurity & Save Up to 59%!

We offer the best discount on code signing certificates starting as low as $69.17 per year.

Shop All Code Signing Certificate

What Is A Certificate Authority (CA)?