PDA

View Full Version : Comodo: renewing Code-Signing Certificate



NewsArchive
05-31-2012, 12:21 AM
Hi Friedrich,

3 Years ago we bought the Comodo Code-Signing Certificate (for 3 years).
I have one month left and I want to renew, again for a period of 3 years.

What are these days the steps I have to do?
In SB I use a PFX file with signtool.exe.

--
Best regards,
Jeffrey

NewsArchive
05-31-2012, 06:28 AM
Hi Jeffrey,

There is no "renew" process for a code-signing certificate. You always have
to request a new one and go through the entire process again (including
identity verification).

Just place a new order using the same company information and Comodo should
speed up the validation process. I would suggest to quote your previous
Comodo order number in any correspondence with them.

Last time I renewed, I followed this step-by-step guide:

http://www.lindersoft.com/CodeSign.pdf

If you make use of a PFX then you can request the certificate from a
UAC-aware operating system. The certificate will be installed to your
Internet Explorer certificate store and then you can export it.

Friedrich

NewsArchive
05-31-2012, 06:28 AM
Hi Friedrich,

> If you make use of a PFX then you can request the certificate from
> a UAC-aware operating system. The certificate will be installed to
> your Internet Explorer certificate store and then you can export it.

So renewing from my Win7 (64-bit) pc with IE8 should not be a problem?
(3 Years ago I renewed from a WinXP machine.)

Best regards,
Jeffrey

NewsArchive
05-31-2012, 06:29 AM
Jeffrey,

I just went through the "renewal" process this month. You still have to
order it from an XP machine (or XP VM) for the same reasons as before
(see Jane Fleming's article).

This time the process seemed easier, but yes, I got another 3 years
myself. Doing this exercise once per year is unthinkable, I already do
with the IRS anyway <bg>

--

Russ Eggen
RADFusion International, LLC

NewsArchive
05-31-2012, 07:03 AM
Thanks Russ!

I have WinXP under VirtualBox (with C6.3) and will use IE8.
IE8 is ok?

Best regards,
Jeffrey

NewsArchive
05-31-2012, 01:45 PM
To be honest, I never noticed which version (and I'm not going to spend
10 minutes firing up the VM to find out <g>).

The key point is that you should have an option to save to file (radio
button option if memory serves). If you don't see that - STOP! Jane's
write up shows the contrast. I believe that option only shows on XP
based machines.

Also, you can only pick up the certificate on the machine that ordered it.

--

Russ Eggen
RADFusion International, LLC

NewsArchive
05-31-2012, 01:45 PM
Hi Jeffrey,

> So renewing from my Win7 (64-bit) pc with IE8 should not be a problem?
> (3 Years ago I renewed from a WinXP machine.)

If you order via Win7 then your certificate will go directly into the IE
certificate store and you have to export it to a .PFX. Because of UAC and
missing components, the "In the file" option is not available on modern
operating systems (Vista, Win7, Win8).

I would suggest to use XP (e.g. in a VM) because this gives more control.
IE8 should not be a problem, but make sure that you have set security
settings not too high.

Friedrich

NewsArchive
06-02-2012, 03:15 AM
Am 31.05.2012, 15:14 Uhr, schrieb Friedrich Linder

> IE8 should not be a problem, but make sure that you have set security
> settings not too high.

.... and we talk about code-signing ..... <ooooomph>



--
Wolfgang Orth

www.odata.de
www.kik-service.de

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

It's five o'clock somewhere.....




Written with Operas News-/ Mailclient: http://www.opera.com/mail/

NewsArchive
06-05-2012, 12:32 AM
> Hi Jeffrey,
>
> There is no "renew" process for a code-signing certificate. You always have
> to request a new one and go through the entire process again (including
> identity verification).

Jeffrey,

In addition to all the fine advice given by Friedrich and others, you can
download the CHM tutorial of App Data UAC Safe at this location - extra
"what to look for pre, during and post ordering" advice in the Code Sign -
Order Process and Signtool.exe help topics.

Product Description - App Data UAC Safe, MFG - Encourager Software
Internet Link - http://www.encouragersoftware.com/software-developers.html

David

--
From David Troxell - Product Scope 7.9 - Encourager Software
Product Description - App Data UAC Safe, MFG - Encourager Software
Internet Link - http://www.encouragersoftware.com/software-developers.html

NewsArchive
06-05-2012, 03:02 AM
Hi David,

Thanks a lot!
A great and very clear document!

Best regards,
Jeffrey

NewsArchive
06-06-2012, 12:28 AM
> Hi David,
>
> Thanks a lot!
> A great and very clear document!

Jeffrey,

You're welcome!

Note - a lot of what I have documented in these help topics comes from
critical ground work laid primarily by Jane Fleming and Friedrich Linder -
two of the most seasoned experts when talking about Code Signing!

AND with - SetupBuilder 7.7 Build 3705 - we now get:

Code Signing Certificate Expiration Date: - everytime we compile.

Just another value added (much appreciated) feature in the Lindersoft
Setupbuilder world!

David

--
From David Troxell - Product Scope 7.9 - Encourager Software
Product Description - App Data UAC Safe, MFG - Encourager Software
Internet Link - http://www.encouragersoftware.com/software-developers.html

NewsArchive
06-06-2012, 01:15 AM
Hi David,

Thanks.
Yesterday I renewed my 3 years Code Signing Certificate succesfully.

Best regards,
Jeffrey

NewsArchive
06-06-2012, 01:15 AM
> Yesterday I renewed my 3 years Code Signing Certificate succesfully.

COOL! Congratulations :-)

Friedrich

NewsArchive
06-06-2012, 01:16 AM
OK I have a question I have been meaning to ask for ages.

My certificate runs out in 2 years. What happens if I do not have an XP
machine at that time???? And NO, I do not want to start using VM's just to
get a certificate!

John

NewsArchive
06-06-2012, 06:47 AM
Hi John,

> OK I have a question I have been meaning to ask for ages.
>
> My certificate runs out in 2 years. What happens if I do not have an XP
> machine at that time???? And NO, I do not want to start using VM's just
> to get a certificate!

You can use Windows 7 or Windows 8 to order and receive the certificate.
But the "In the File" option to receive the .spc/.pvk pair is not available
in UAC-aware operating system (Microsoft does not support that option any
longer). So your certificate makes it directly into the Internet Explorer
"certificate store" and you can then export it to a .PFX (of course,
SetupBuilder supports .pfx files). And you can convert the .PFX to
..SPC/.PFK if you want.

Friedrich

NewsArchive
06-06-2012, 06:47 AM
Ah hah. I see. I use PFX now so this stuff about using XP really is not a
big deal at all. I was getting the impression it was a bit of a showstopper.

Thanks

John

NewsArchive
06-06-2012, 06:48 AM
If the bug is fixed, no problem. The *only* reason I have the XP VM is
to get that cert. XP won't even be officially supported next time my
cert comes up for renewal.

--

Russ Eggen
RADFusion International, LLC

NewsArchive
06-06-2012, 06:49 AM
> You can use Windows 7 or Windows 8 to order and receive the certificate.
> But the "In the File" option to receive the .spc/.pvk pair is not
> available
> in UAC-aware operating system (Microsoft does not support that option any
> longer). So your certificate makes it directly into the Internet
> Explorer
> "certificate store" and you can then export it to a .PFX (of course,
> SetupBuilder supports .pfx files). And you can convert the .PFX to
> ..SPC/.PFK if you want.


oh my, sounds difficult!

Is there any How-To-Step-By-Step-Instruction or Wiki existing?

I am sorry, but have not seen something alike.

It is likely that this process is already described in a NG-Posting, but
NGs are not friendly when it comes to find something older than three
months.









--
Wolfgang Orth

www.odata.de
www.kik-service.de

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

It's five o'clock somewhere.....




Written with Operas News-/ Mailclient: http://www.opera.com/mail/

NewsArchive
06-06-2012, 06:49 AM
> oh my, sounds difficult!
>
> Is there any How-To-Step-By-Step-Instruction or Wiki existing?
>
> I am sorry, but have not seen something alike.
>
> It is likely that this process is already described in a NG-Posting, but
> NGs are not friendly when it comes to find something older than three
> months.

There are several threads with regards to code-signing certificates
available:

http://www.lindersoft.com/forums/forumdisplay.php?f=11

But once you have the .PFX, you do not need the "old style" .SPC/.PVK files
any longer. The certificate makes it directly into your IE certificate
store on UAC-aware operating systems:

Start -> Control Panel -> Network and Internet -> Internet Options ->
Content -> Certificates

You can then export it (Personal Information Exchange PKCS #12) to a .PFX
file and use that in SetupBuilder to code-sign your setups and application
files. If you have used Firefox export, it will send the file out as a .p12
file; that's not a problem because there is no difference between a .PFX and
..P12. Both are PKCS #12 files -- both file extensions (.pfx and ..p12)
refer to files that contain PKCS #12 content.

So in fact, it's not that difficult:

1. Retrieve the certificate (e.g. from Comodo)
2. Export it to .PFX (IE Wizard)
3. Use it in SetupBuilder

;-)

Friedrich

NewsArchive
06-07-2012, 05:28 AM
>> Yesterday I renewed my 3 years Code Signing Certificate succesfully.
>
> COOL! Congratulations :-)
>
> Friedrich

Jeffrey,

Congratulations as well!

When Friedrich or I or any congratulate someone (and they haven't fussed
and cursed the Code Sign Order Process) -

We're actually giving you "The Honor Badge of Code Sign Order Process"! :-)

Some have passed through that journey - even "seasoned" certificate
holders, and "lucy and charlie brown with the football" - should I say any
more?! :-)

David

--
From David Troxell - Product Scope 7.9 - Encourager Software
Product Description - App Data UAC Safe, MFG - Encourager Software
Internet Link - http://www.encouragersoftware.com/software-developers.html

NewsArchive
06-07-2012, 05:28 AM
Thanks for the Badge! ;-)

Best regards,
Jeffrey