A little short of three years ago, I wrote a blog entry, “Code Signing – It’s Cheaper and Easier than you Thought.” In there I talked about buying my three year certificate from TUCOW’s author web site (who’s a reseller of Comodo certificates) for $195 USD and how to integrate code signing into your build. My blog entry turned out to be fairly popular according to our hits and scores high on the search engine mojo. As I promised, thought I’d write about my experiences renewing my certificate since it’s expiring.
I poked around all the certificate issuer’s web sites to find the best deals. A commenter on my original post, Chris, went through all the issuers and listed their prices so that helped. In the end, TUCOW still had the cheapest price for a three year code signing certificate of $195 USD, showing that low inflation is a good thing.
Even though my current certificate doesn’t expire for another month, it originally took me two or three weeks to get the first certificate so I wanted plenty of time for the renewal if there were problems. Normally certificates only take a couple of days, but I wanted my original certificate to be named “John Robbins/Wintellect” so had to provide the normal documentation for myself as well as the articles of incorporation for Wintellect. Fortunately, my top notch filing system still contained all the original documentation I provided to Comodo so I thought the renewal process would be a snap.
After submitting everything, I had five or six days of back and forth with Comodo support where they kept telling me that they couldn’t issue the certificate until I changed the Wintellect WHOIS information to my personal address instead of the corporate address. After explaining numerous times I was just looking at a renewal of “John Robbins/Wintellect” they finally told me that “because of policy changes” they will only issue certificates with a single name. No big deal, I just had them issue the certificate in Wintellect’s name and be done with it.
With the email stating my certificate’s been issued, I click on the link to install the certificate into my machine’s certificate cache and Chrome reports “The server returned an invalid client certificate. Error 207 (net::ERR_CERT_INVALID).” I try the download link with IE 9 Beta and get the error “ERROR 0x80092004: CertEnroll::CX509Enrollment::InstallResponse: Cannot find object or property. 0x80092004 (-2146885628).”
A quick round with Comodo support and I find out Chrome and IE 9 are definitely not supported. They sent me a link with their instructions for downloading the certificate. The first line had me shaking my head:
<
p style=”margin-left:36pt”>1) Open http://www.instantssl.com/code-signing/ in Internet Explorer (IE) 6 or 7 with ActiveX enabled. (Windows XP preferred)
While I know half the Windows installs are Windows XP, I don’t have that anywhere, not even on a virtual machine. My server machines have IE8 on them so I gave that a try and was able to download the certificate. Just thought I’d let the world know that to download your cert from Comodo you can’t use fancy new browsers.
In the end, a code signing certificate renewal is just like getting a new certificate. At least they are cheap enough that even small companies should never have the dreaded “Unidentified program” when elevating a program or install. Finally, I blogged about this before, but it’s so good I have to mention it again. If you are new to code signing, make sure to get the fantastic white paper from Microsoft, Code Signing Best Practices. There you’ll learn all the ins and outs of code signing and the infrastructure necessary.
Cloud management is difficult to do manually, especially if you work with multiple cloud…
Azure’s scalable infrastructure is often cited as one of the primary reasons why it's the…
https://www.youtube.com/watch?v=wDzCN0d8SeA Watch our "Unlocking the Power of AI in your Software Development Life Cycle (SDLC)"…
FinOps is a strategic approach to managing cloud costs. It combines financial management best practices…
Using Kubernetes with Azure combines the power of Kubernetes container orchestration and the cloud capabilities…
In the intricate landscape of modern business, compliance is both a cornerstone of operational integrity…
View Comments
PingBack from http://topsy.com/training.atmosera.com/CS/blogs/jrobbins/archive/2010/11/17/code-signing-certificates-the-three-year-update.aspx?utm_source=pingback&utm_campaign=L2
Interesting Finds: November 18, 2010
How about using StartCom's Code Singing cert? It's like $50 to get class 2 certification, and then that includes unlimited wildcard/SAN ssl certs, email and code signing.... no per-cert fees. Their root cert is in the microsoft root ca program.
onovotny,
WOW! I completely missed them. With prices like that, everyone should get a code signing certificate.
Thanks for sharing!
- John Robbins
I've hit the same issue this last week so I feel a little better that it's not just me. However, I can't get the certificate to download even with Internet Explorer 8.
I think the issue is that I completed the purchase in Google Chrome and not Internet Explorer. I looked through the support docs and it seems to indicate that I need to export the private key that was generated. I couldn't find anything in Chrome's certificate manager, though, so I'm waiting on Comodo's support getting back to me.
I'm really annoyed that there isn't much warning about the lack of Chrome support. It's gaining market share fast and there should be some huge red stop signs with alarm bells ringing when you try and purchase a certificate with an unsupported browser. All this following the headache that was the 2 months trying to get my domain registrar to update my address details.
Thanks for the update!
Comodo can be really unflexible when it comes to issuing those certs. For example, my company has no domain name registered so i gave my personal e-mail to communicate with the registration personnel. For some reason they kept insisting that i have my e-mail address domain WHOIS record changed to indicate my company. Which is like asking me to change WHOIS record for gmail.com.
I hope it works out though. Too bad i didnt find StartCom before.
Thanks for the blog though.
Ahh, why did I just now read this post. I'm in Chrome lala cert land now... waiting for their response.
More than a year on and Comodo still don't support Chrome and don't tell you at the start of the process!
So will these certificates work for kernel mode device drivers? I'm in the process of starting an organization (company?) that will write device drivers for a hardware product I am releasing shortly.
Any ideas on how to start an organization (or company, whatever) would be great too!
@Doogal
since one year that COMODO CODE SIGNING CERTIFICATE has incredible performance by application at chrome. Will you please tell us that what kind of issues do you have using COMODO CODE SIGNING CERTIFICATE at Chrome as result of this we can resolve it.
- Thanks Eric