Is your code signing certificate expired? Yeah, this is an issue for many developers and companies that handle certificate management tasks manually. Code signing certificates, like SSL/TLS and other x.509 digital certificates, don’t have an infinite lifespan. This means that they’re only valid for a set amount of time before they expire and can no longer be used.
Trying to keep up with every individual certificate for renewal, issuance, and revocation can be pain in the backside when you’re trying to manage a few dozen certificates. But when you’re an enterprise trying to manually manage these tasks at scale — for could involve thousands or hundreds of thousands of certificates — it’s easy to see how easy it would be for certificate expiries to fall through the cracks.
What Happens When Your Code Signing Certificate Expires
When a code signing certificate expires, unless you choose to timestamp your code, it means that any software or applications that have code signed by the certificate are no longer trusted by Microsoft SmartScreen, Google Safe Browsing, and antivirus programs. If you do choose to timestamp your code, even if the code signing certificate expires, your code will still be trusted indefinitely.
The bigger issue that companies run into is if their certificate expires and they want to sign new software. If this is your situation, it means that you’ll need to re-purchase, re-validate, and re-install your code signing certificate. However, again, you can simply avoid the re-validation process if you renew before your certificate expires.
What to Do When Your Code Signing Certificate Is Expired
Step One: Purchase or Renew Your Certificate
To renew your certificate before your expiration, just re-purchase it from the certificate authority (CA) you purchased it from originally. Or, if you want to work with another major CA, you can purchase a new certificate outright. However, this will require the CA validation process.
The three most popular code signing certificate authorities are:
- Comodo code signing certificate, which costs $69.17 per year.
- Thawte code signing certificate, which costs $116.67 per year.
- Symantec code signing certificate, which costs $327.00 per year.
Purchase a Code Signing Certificate from CheapSSLSecurity & Save Up to 59%!
We offer the best discount on x.509 digital certificates with SSL certificates starting as low as $69.17 per year.
After that, you’ll want your chosen CA to validate the certificate.
Step Two: Get Your Certificate Validated
The validation process allows the issuing certificate authority to verify whether you’re a legitimate organization. This allows them to authenticate you and, essentially, vouch for you to clients. Depending on the type of code signing certificate you choose, there are two levels of validation:
- Organization Validation (OV), and
- Individual Validation (IV).
Organization validation has four requirements:
- Organization validation: This can include the use of official registration documents, Dun & Bradstreet financial/credit report, or a legal opinion letter from an attorney.
- Locality presence: This means that the CA will need to verify that your organization has a physical presence in the country or state in which it’s registered.
- Telephone verification: The CA will verify that your organization has an active, valid phone number. This can be done through an online telephone directory, third-party directory, or a legal opinion letter.
- Final telephone verification: This step is pretty simple. The CA will call you or whoever ordered the certificate within your organization to confirm the details of your certificate order.
With the verification process complete, the final step is to install the new certificate.
Step Three: Install Your Code Signing Certificate
- Check your email for an installation link for the reissued or new code signing certificate.
- Open the link in your browser. This will allow the certificate to install in your certificate store or login keychain (depending on whether you’re using a Windows or Apple platform). You also have the option of exporting the code signing certificate as a .pfx file for Windows and a .p12 file for Mac.
- To create and install the code signing certificate, click Generate Certificate.
In a nutshell, you can renew your code signing certificate by following a few steps:
- Purchase a new certificate or renew your old one
- Get your certificate validated
- Install your code signing certificate
And remember, Verisign code signing certificates are now Symantec code signing certificates.
Want to verify that your code signing certificate is installed? Here are some additional steps you can follow to verify your code signing certificate installation.