How to Renew A Code Signing Certificate - A Quick Guide

A step-by-step guide on how to renew your code signing certificate

The expiration of code signing certificates is one of the many challenges that the entire community of software developers faces at several points in their lives. Without a valid code signing certificate, the developers lose their credibility and the software is rendered unsafe and untrustworthy. Code signing certificate acts like a sheen of trust that blankets end-users against any dangers of running applications that could potentially compromise the safety and security of their systems.

Let us delve into how to avoid the expiration in the first place so that you do not lose even one user from your loyal customer base.

Renew your code signing certificate at Only $59 per year

Timestamping: The Safety Net to Prevent Code Signing Certificate Expiration Issues

A word of advice? Always timestamp your code to prevent operating systems from generating security warnings where they can easily be avoided. The software developer (also known as the software publisher) can use their unique private key to add a timestamp (i.e., put a digital signature) on the code. The digital signature will stay valid for posterity even after the certificate expires. You can use the timestamping feature to support the continuous usability of your applications as well as to limit the damages if the keys are compromised. If there is a need to revoke certificates (due to key compromise, availability issues, performance issues, etc.), anything signed before the revocation date will continue to function and stay valid while new signatures will be declared invalid. For a timestamped software even where the code signing certificate has expired, the Microsoft SmartScreen filter will display the publisher’s name instead of the “Unknown Publisher” warning.

A timestamp is a testament to the authenticity of the software. It confirms that the software was signed by the verified publisher while the certificate was still valid and has not undergone any alteration ever since. In other words, the code of the software has remained unchanged since the time it was last signed. Without a timestamp, the digital signature becomes invalid with the expiration of the certificate, and the end-users will receive an error message. However, in the unfortunate event of certificate expiration, you can renew your code signing certificate in a few simple steps. Let’s take a look!

Renewing Your Code Signing Certificate Is Now Easier Than Ever

Keep in mind that you need not wait till the last minute to renew your code signing certificate. Many customers fear that they’ll lose the leftover days when in fact the remaining time can simply be added on to the new renewed certificate.

Step 1: Re-purchase your code signing certificate from your existing provider

To renew your code signing certificate, simply re-purchase it from the code signing certificate provider you bought it from in the first place. Typically, most certificate authorities or certificate resellers will have a “Renew Now” or similar option on their website. It is imperative to renew before the certificate ends up expiring.

The two primary reasons for this are-

• As discussed previously, you do not want your protection to become void as that would render any of your applications that have not been timestamped insecure. In other words, systems will flag your software for having an unknown author. This will undoubtedly have financial as well as reputational consequences. Moreover, in the time that it takes to issue a fresh certificate, you’ll be unable to sign and distribute software with a valid digital signature for up to a week.
• Whereas if you renew before the certificate expires, you are saved from going through the entire validation process again though you’ll still have to deal with a few requirements. However, if you renew after the certificate has expired, you are not really renewing but purchasing a brand new certificate. In the event that your certificate has expired, you can select any certificate authority (CA) from where you wish to make a purchase and hop over to their site. Once there, look for the code signing certificate you wish to purchase, fill in the required details, and place your order. Next, generate a certificate signing request (CSR) with all relevant information, submit it to the CA, and wait for them to complete the validation process. Once that’s done, you’ll receive a new certificate issued by your CA.

Secure your application using a code signing certificate

Step 2: Validate & install the new certificate issued by your CA

Now once you’ve hit renew, your job is still half done. The CA will issue a new certificate to replace your old one. Once they do, this new certificate needs to be installed otherwise all your applications will become unprotected after the old certificate expires. Note that renewing an existing certificate doesn’t automatically install it. Install the new certificate on your system, validate that the installation has been successful using any SSL checker tools and you’re all set.

In Conclusion

One cannot dismiss the role played by a code signing certificate to secure software built by developers and organizations who invest a considerable amount of resources into this process. Without a code signing certificate to back up your credibility, your reputation as a developer might take a hit, or your brand value as an organization may get jeopardized in the long run. In a world plagued by cybersecurity threats, it has never been more important to have your software digitally signed and secured. It wards off attackers attempting to trick your users as well as eases any doubts faced by your customers.