Code Signing Certificates have become a necessity for individual developers and even large organizations to protect their software applications. It’s one of the key requirements that can make or break your software’s success and enhance the download & install rate.
However, obtaining such a vital certificate requires businesses to undergo extensive vetting and authentication from Certificate Authorities (CAs). Code Signing Certificate issued by renowned CAs like Sectigo or Comodo, or their trusted distributors gives users assurance that the software is free from any malicious code or vulnerability.
However, many individuals won’t have the budget or don’t want to get into the complexity of preparing for business verification. Thus, they’d prefer to create a self-signed code signing certificate for their executable files. While technically, it’s possible to generate a self-signed certificate for code signing, however, it won’t serve the purpose of security and legitimacy.
If you still want to get a self-signed code signing certificate, here’s a guide on how you can create one. But before we get into it, let’s understand what a self-signing certificate is.
What is a Self-Signed Code Signing Certificate?
Here’s a little recap to give you an idea of what a code signing certificate is: it’s a data file issued by CAs with a cryptographic digital secure signature to authenticate business identity and software’s legitimacy with public-private keys. The certificate gives users surety that the code is not tampered with or modified by any malicious entity.
A self-signed certificate is a certificate generated and signed by you or the publisher of the software and not issued by CAs. Once the software is signed with a self-signed certificate, you can use it for internal purposes only as only you trust the signature.
What this means is with a self-generated code signing certificate, only you are vouching for your software that it’s legitimate. However, the browsers and operating systems don’t recognize your public key because you are not a CA, and hence, they won’t trust you.
Another issue with a self-signed code signing certificate is that the signature cannot be timestamped. Thus, the only purpose a self-signed certificate serves is if you want to use the software for internal purposes or while running tests. Releasing software online with a self-signed certificate will give users a warning as shown below:
This warning message would force users to abandon your software and reduce the trustworthiness of your company. Thus, you should use a self-signed certificate for internal purposes only and a code signing certificate from a CA or distributor for public-facing apps.
How to Create a Self-Signed Code Signing Certificate?
OpenSSL is an open-source SSL & TLS protocol implementation from IBM that helps in generating self-signed code signing certificates. There are a few different ways to achieve the task at hand. One is using Linux or PowerShell to create a self-signed code signing certificate.
Here, we’ll make use of PowerShell’s New-SelfSignedCertificate cmdlet which enables you to create different certificates to serve different purposes. However, using this to create a self-signed certificate will require you to have administrative access.
Once that’s done, you can use the following command to generate a self-signed certificate:
$cert = Create-SelfSignedCertificate -DNSName
"www.yourdomain.com" -CertStoreLocation Cert:\CurrentUser\My -Type CodeSigningCert -Subject
"Generate New Code Signing Certificate"
Here’s how this command will look in Windows PowerShell:
Once the new certificate is generated by following this command, you have an option to add this self-signed certificate as a trusted certificate authority for your network. To do this, you can go to Microsoft Management Console (type mmc.exe in RUN).
After you have accessed the same, now copy your self-signed certificate from your personal folder and paste it into the folders named Certificates. You will find this folder under the Trusted Root Certificate Authority. With that, the process of generating a self-signed code signing certificate completes.
Why Use Code Signing Certificates from Respected CAs?
When publishing your software online, it’s obligatory to get your executable codes and software signed by a trusted and respected certificate authority. If you use the self-generated code signing certificate, it’ll alert users that the software is from an unknown source as seen in the image above.
Today, no user likes to see that the software they want to use is from an unknown source, and due to this, many will abandon the installation. Thus, if you want users to get a surety that the software is from a trusted and verified publisher, obtaining the Code Signing Certificate from a reliable CA becomes necessary.
Doing so will change the alert message to show that the software is from a verified source as seen below:
Final Words
Generating self-signed certificates is useful in only certain cases such as using it for internal testing purposes. Doing so helps you make your executables appear trusted on any particular system by deploying the certificate in Windows before the software is installed.
But if your purpose is to take your software applications to a global scale, it’s mandatory to get them signed by a CA. In such cases, creating a self-signed code signing certificate wouldn’t serve the purpose. Since CAs require publishers to go through extensive verification, signing code from them helps increase your trustworthiness for users.
In a nutshell, self-signed certificates are only useful for securing executables internally and should only be generated with that purpose in mind.
Top comments (0)