Home » Software Security Blog » How to Renew Code Signing Certificate
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading...

Code Signing Certificate – Step-By-Step Renewal Guide

Are you a software developer who has purchased a code signing certificate for signing a software? Has the code signing certificate that you purchased expired? If yes, that’s nothing to worry about. No matter from whom you purchased or what certificate you purchased, whether it’s Standard or EV Code Signing Certificate, they come with a specific validity period. The good news is that it’s easy to renew a code signing certificate.

Renew Code Signing

Once Your Code Signing Certificate Expires

Similar to SSL/TLS certificates and other x.509 certificates, code signing certificates don’t have an infinite validity period. They come with a specific time period: one, two, or three years. Once the certificate surpasses its time period, it expires and can no longer be used for signing any new software, apps, or other executable files.

If you timestamped your software when you originally signed it, the signature will be valid indefinitely. If you didn’t timestamp your software, you’ll find that:

  • The software is no longer be trusted, and Microsoft SmartScreen will show a warning message.
  • Instead of your name, your software will display an unknown publisher.
  • You may see a loss in revenue if customers stop installing due to warning messages
  • It may take a few days for the issuance of another certificate, so you won’t be capable of signing and publishing your software for around a week.

However, the renewal of a code signing certificate before it expires is an easy solution. In other words, simply re-purchase your code-signing certificate from the same certificate authority you purchased earlier, or else you can even switch to another Certificate Authority.

Code Signing Certificate

Save 21% – Code Signing Certificates

Protect Software Code & Avoid Pesky Warnings

Buy Code Signing Certificates at Only $211

Step-by-step Guide to Renew Code Signing Certificate

Here’s the steps to renew Code Signing Certificate and the very first step is to re-purchase it, then follow the below steps:

1. Generate a New CSR

If you’re renewing your Code Signing Certificate from the same provider from whom you purchased earlier, then there’s no need to generate a new CSR, but:

  • Usually, it’s suggested to generate a new CSR to create a new key pair for maximum security. (New CSR can be submitted for any platform).
  • If your platform is Sun Java, then it’s mandatory to submit a new CSR.
  • If you’re installing an EV code signing certificate on HSM or renewing it, new CSR will be required.

2. Validate Your Certificate

The validation process lets the issuing certificate authority verify the legitimacy of your organization. It allows them to confirm that you’re a legal entity and give assurance to your clients that it’s safe to use your software.

However, if you’re renewing your code signing certificate, then you may not have to go through the entire process all over again. Still, if your certificate is expired or you’ve chosen any other certificate authority, then you’ll need to follow the entire validation process.

Download, Install & Start Signing With Your Renewed Code Signing Certificate

Now, the important part: just because your code signing certificate is successfully renewed, your job is not done yet. Your CA still has to issue the new certificate. And, once it gets issued, you’ll need to install that new certificate on your computer and then you can use it when signing your software. You won’t be able to use your old certificate anymore, as the signature would be invalid.

You’ll usually get your certificate via an email from your code signing certificate provider. (Unless you ordered an EV certificate, then it will be shipping to your address.) Follow the instructions provided in the email. It’ll allow you to download your code signing certificate. And once your certificate is downloaded and installed on your computer, you can start signing your apps, software, and other executable files.

If you want to check whether your code signing certificate has been installed correctly on your computer, go through the steps mentioned in this article: How to Verify Code Signing Certificates in Popular Web Browsers.

Closing Thoughts

No matter from whom you’ve purchased your code signing certificate, the certificate comes with the validity period set by the CA/Browser forum, i.e., one, two, or three years at max. So, you’re not the only one who has to renew their certificate. The crucial thing is that you renew and install your code signing certificate before it expires so you can avoid complications which come with the process of purchasing a new certificate once the expiry date exceeds.