Tag Archives: code signing certificate

Free Code Signing Certificate — Is It Possible?


Some things in life are free… but code signing certificates aren’t among them

Everyone wants to get stuff for free: Free food, free entertainment (remember Napster?), and even free code signing. However, much like legitimate MP3s, code signing certificates aren’t free (at least, not trustworthy ones). And if anyone says that they can get you a free code signing certificate, run the other way.

Simply put, a “free code signing certificate” is an untrusted — and untrustworthy — code signing certificate. It’s something that every reputable software developer or publisher should avoid. Here’s why.

Why Can’t I Get a Code Signing Certificate for Free?

But why isn’t there free code signing? After all, there are free SSL certificates, right? True. There are free DV SSL certificates that some organizations issue — but that doesn’t mean they’re necessarily a great thing.

“Free” SSL certificates aren’t truly free because they make you pay in other ways (shorter lifespans, certificate management headaches, lack of support, lack of site identity, etc.). They also require only the most basic level of validation: domain validation (DV). DV binds a public/private key pair to your website so that data can be transferred over HTTPS, but it asserts no real identity or trust.

Asserting trust and identity requires organization validation (OV) or extended validation (EV). With code signing, there is no DV equivalent. And considering that more than half of phishing websites use free DV SSL certificates, free SSL isn’t exactly the example you want to point to when arguing that something should be free.

Getting into the Nitty-Gritty of Why Free Code Signing Doesn’t Exist

When it comes to the issue of free code signing and why it’s not possible, it really boils down to compliance, reputation, and economic considerations. Getting your software signed and trusted by a certificate authority (CA) is a very powerful thing. If a trusted CA signs off on your software, then the major browsers will trust your software. This means that security systems like Microsoft’s SmartScreen filter won’t kick up a warning that informs users about the potential dangers of untrusted software.

As a certain superhero’s late uncle liked to say: With great power comes great responsibility.


For a CA to have this kind of power, it needs to meet certain social and technical trust criteria and expectations. This is where CAs’ root certificates and certificate trust chains come into play. But the SSL certificate chain is a whole other technical conversation for another time — thankfully, one we’ve already covered in a previous article.

To get back to the point: if just anyone could get a code signing certificate without any sort of vetting, imagine the chaos it would create, not to mention the reputational damage to the CAs. That is why a certain level of vetting is required before a certificate is issued: it prevents certificate abuse and key mismanagement, and it creates barriers that keep bad actors from getting code signing certificates.

But, like many things in life, basic and extended business vetting isn’t free. CAs, the organizations that are responsible for issuing code signing certificates, can’t just hand out free code signing certificates. After all, they want to make sure not only that your company is legit but also that they have a “CYA” paper trail to protect them (you know, just in case you decide to engage in shady business later).

As you can imagine, there are costs involved with vetting your company before they issue any code signing certificates. These costs include:

  • Employing and training staff to conduct validations;
  • Documenting everything — and we mean everything;
  • Performing regular audits; and
  • Maintaining logs of every certificate issued.

There’s a lot of work and responsibilities involved with these tasks. And these processes require a fair amount of time and money.

So, to summarize: No, there aren’t any legitimate free code signing certificates from trusted CAs. And considering that the whole point of code signing is to create trust, using a certificate that doesn’t create any would defeat the purpose.


SSL vs Code Signing Certificates — What Is the Difference?


When talking about SSL vs code signing certificates, many people don’t realize that SSL certificates and code signing certificates are not the same thing. They’re a lot more similar than you may realize — or maybe you do realize that, and that’s why you’re confused — but they have completely divergent functionality. Let’s talk about both types of certificates and how each is used most effectively.

SSL vs Code Signing — What Are the Similarities?

Let’s start with what SSL and code signing have in common, because that will inform the rest of the discussion. Both SSL certificates and code signing certificates are X.509 digital certificates. On a technical level, the only difference is the way their key usage is configured. We’ll touch on that more in a second.

Code signing and SSL are both facilitated by public key infrastructure, or what’s commonly referred to as PKI. This is a trust model in which trusted entities, called certificate authorities (CAs), issue trusted certificates that can verify identity and perform specific cryptographic functions. Regardless of the certificate’s function, when a client receives it, it verifies its authenticity by following the digital signature on the certificate back to the certificate that made it, and so on, until the chain reaches a trusted CA root. This is what’s known as a certificate chain.

When considering SSL vs code signing certificates and how they differ, the difference lies in what function they serve.

Code Signing Certificates

Code signing certificates are configured to be able to create digital signatures — you know, to sign things. This is a cryptographic function in which the software to be signed is hashed first, and that hash is then signed with the private signing key. When a client attempts to access the software, it uses the public key associated with the signing certificate to verify the signature against its own hash of the software, which confirms who signed it and that it hasn’t been altered since.

Code signing is a critical component of software development nowadays and the private key (or signing key) is extremely valuable because anything it signs will be trusted by browsers, operating systems, Windows SmartScreen, etc.


SSL Certificates

SSL certificates, on the other hand, can’t sign stuff. You can’t use the private key from your SSL certificate to sign a piece of software or an email — its key usage isn’t configured for that. Rather, SSL certificates are configured to facilitate SSL/TLS. And SSL, at its heart, is a method for passing a secure session key over an insecure channel.

An SSL certificate does this via the SSL/TLS handshake. After the client verifies the certificate and the connection is negotiated, the SSL certificate’s keys are used to share the information that will create the session key. Session keys are the smaller, symmetric keys that are actually used during the connection.
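As an added illustration of the step just described (this is not the page’s code and not a TLS implementation), the constructed Go program below has the server send an ephemeral key share signed with the private key behind its certificate, has the client check that signature with the certificate’s public key before using the share, and then has both sides derive the same symmetric session key and use it for AES-GCM. Everything in it is an assumption made for the example: P-256 ECDH for the exchange, ECDSA for the signature, a SHA-256 hash standing in for TLS’s HKDF key schedule, a zero nonce for the single record, and a freshly generated key pair standing in for the one behind a real certificate. Chain validation of the certificate itself, which comes before this step, is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed sketch of the key-exchange step of a TLS-style handshake: an
// added illustration, not the page's code and not a TLS implementation. A
// freshly generated ECDSA key stands in for the key pair behind the server's
// SSL certificate, and a SHA-256 hash stands in for TLS's HKDF key schedule.

// serverKeyShare makes a fresh ephemeral ECDH key and signs its public part
// with the certificate key, tying the share to the identity in the certificate.
func serverKeyShare(certKey *ecdsa.PrivateKey) (eph *ecdh.PrivateKey, share, sig []byte, err error) {
	if eph, err = ecdh.P256().GenerateKey(rand.Reader); err != nil {
		return nil, nil, nil, err
	}
	digest := sha256.Sum256(eph.PublicKey().Bytes())
	sig, err = ecdsa.SignASN1(rand.Reader, certKey, digest[:])
	return eph, eph.PublicKey().Bytes(), sig, err
}

// verifyKeyShare is the client's check: the share is only used if it carries
// a valid signature from the public key found in the server's certificate.
func verifyKeyShare(certPub *ecdsa.PublicKey, share, sig []byte) (*ecdh.PublicKey, error) {
	digest := sha256.Sum256(share)
	if !ecdsa.VerifyASN1(certPub, digest[:], sig) {
		return nil, errors.New("server key share was not signed by the certificate key")
	}
	return ecdh.P256().NewPublicKey(share)
}

// sessionKey completes ECDH (the same computation on either side) and hashes
// the shared secret into the 32-byte symmetric key used for the connection.
func sessionKey(own *ecdh.PrivateKey, peer *ecdh.PublicKey) ([]byte, error) {
	shared, err := own.ECDH(peer)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(append([]byte("constructed-session-key-label"), shared...))
	return k[:], nil
}

// aead wraps a 32-byte session key in AES-256-GCM (cannot fail for that size).
func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// Handshake runs both sides in-process. It returns msg after being sealed
// under the client's session key and opened under the server's (which only
// works if both derived the same key) and whether a forged share is refused.
func Handshake(msg []byte) (echoed []byte, forgedRejected bool, err error) {
	certKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // key pair behind the certificate
	if err != nil {
		return nil, false, err
	}
	serverEph, share, sig, err := serverKeyShare(certKey)
	if err != nil {
		return nil, false, err
	}
	serverPub, err := verifyKeyShare(&certKey.PublicKey, share, sig) // client side
	if err != nil {
		return nil, false, err
	}
	clientEph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, false, err
	}
	clientKey, err := sessionKey(clientEph, serverPub)
	if err != nil {
		return nil, false, err
	}
	serverKey, err := sessionKey(serverEph, clientEph.PublicKey()) // server side, from the client's share
	if err != nil {
		return nil, false, err
	}
	// A share signed with any key other than the certificate's must be refused.
	otherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	_, forgedShare, forgedSig, _ := serverKeyShare(otherKey)
	_, forgedErr := verifyKeyShare(&certKey.PublicKey, forgedShare, forgedSig)
	nonce := make([]byte, 12) // record 0: TLS derives per-record nonces from the key schedule
	echoed, err = aead(serverKey).Open(nil, nonce, aead(clientKey).Seal(nil, nonce, msg, nil), nil)
	return echoed, forgedErr != nil, err
}

func main() {
	echoed, rejected, err := Handshake([]byte("GET / HTTP/1.1"))
	fmt.Printf("round trip: %q (err=%v), forged share rejected: %v\n", echoed, err, rejected)
}
```

Run it with `go run`. Handshake only returns the echoed message if both sides derived the same key, because AES-GCM refuses to open data sealed under a different key, and it reports that a key share signed by some other key is rejected by the client. That rejection is the whole reason the certificate, rather than any public key that happens to arrive, has to vouch for the exchange.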


Only an SSL certificate can facilitate a secure, encrypted HTTPS connection. A code signing certificate can’t do that. And vice versa for SSL certificates — good luck signing software with an SSL certificate. It’s not going to happen.

So, yes, although SSL and code signing certificates are quite similar, the key usage configuration makes all the difference, because it is what makes them function so differently.
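The points made in this article, that both certificate types are the same X.509 structure differing only in key usage, that a client chains a certificate back to a trusted root, that code signing hashes the software and signs the hash with the private key, and that neither certificate can stand in for the other, can all be seen in one constructed Go program. It is an added example, not the page’s code and nothing like a real CA’s issuance process: the root, the publisher and www.example.test are made-up names, ECDSA P-256 and SHA-256 are assumed algorithms, and the two usages are represented by the X.509 extended key usage (EKU) extension that Go’s crypto/x509 package checks during chain verification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed toy PKI for illustration only (not the page's code and nothing
// like a real CA's issuance process): one root and two leaves whose templates
// differ only in extended key usage (EKU) and, for the TLS leaf, a DNS name.
// The two usages a relying party asks for: an installer or OS loader wants CodeSigning, a TLS client wants ServerAuth.
const ForCodeSigning, ForServerAuth = x509.ExtKeyUsageCodeSigning, x509.ExtKeyUsageServerAuth

// issue fills in serial and validity, generates a P-256 key pair and has parent sign the certificate; parent == nil means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano())
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildPKI returns the root, the code signing leaf with its private key, and the TLS server leaf, both leaves chained to the root.
func BuildPKI() (root, codeSign, tlsServer *x509.Certificate, codeSignKey *ecdsa.PrivateKey, err error) {
	root, rootKey, err := issue(&x509.Certificate{
		Subject:               pkix.Name{CommonName: "Constructed Example Root CA"},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	if err != nil {
		return nil, nil, nil, nil, err
	}
	codeSign, codeSignKey, err = issue(&x509.Certificate{
		Subject:     pkix.Name{CommonName: "Constructed Example Publisher"},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}, root, rootKey)
	if err != nil {
		return nil, nil, nil, nil, err
	}
	tlsServer, _, err = issue(&x509.Certificate{
		Subject:     pkix.Name{CommonName: "www.example.test"},
		DNSNames:    []string{"www.example.test"},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, rootKey)
	return root, codeSign, tlsServer, codeSignKey, err
}

// ChainsTo is the relying party's check: follow the signatures back to a
// trusted root and require that the chain permits the requested usage.
func ChainsTo(leaf, root *x509.Certificate, usage x509.ExtKeyUsage) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err == nil
}

// SignCode is "hash first, then sign": the SHA-256 digest of the software is
// signed with the publisher's private key.
func SignCode(key *ecdsa.PrivateKey, software []byte) ([]byte, error) {
	digest := sha256.Sum256(software)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifyCode is the client side: CheckSignature re-hashes the received bytes
// with SHA-256 and verifies the signature with the certificate's public key.
func VerifyCode(cert *x509.Certificate, software, sig []byte) bool {
	return cert.CheckSignature(x509.ECDSAWithSHA256, software, sig) == nil
}

func main() {
	root, cs, srv, csKey, err := BuildPKI()
	if err != nil {
		panic(err)
	}
	software := []byte("constructed installer bytes")
	sig, _ := SignCode(csKey, software)
	fmt.Println(ChainsTo(cs, root, ForCodeSigning), ChainsTo(cs, root, ForServerAuth), ChainsTo(srv, root, ForServerAuth), ChainsTo(srv, root, ForCodeSigning), VerifyCode(cs, software, sig))
}
```

Asked for CodeSigning, the code signing leaf verifies and the TLS leaf does not; asked for ServerAuth, it is the reverse, and ServerAuth is the usage Go’s crypto/tls client requires by default when it validates a server certificate. Both leaves were issued by the same root with the same key type, so the EKU extension alone decides what each may be used for. Changing a single byte of the software after it was signed makes VerifyCode return false, which is what the hash-then-sign construction buys the client.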
