About Code Signing Certificates
Content publishers use Code Signing certificates to append digital signatures to their products. A digital signature proves the identity of the creator and validates that content has not been tampered with since it was originally distributed.
This article contains answers to frequently asked questions (FAQ) about Code Signing certificates.
Who needs a Code Signing certificate?
All Java apps that run in Web browsers require a code signing certificate, as of January 2014.
A Code Signing certificate is also strongly recommended for any publisher intending to distribute code or other content over the Internet or over corporate networks. Use of code signing certificates might help enhance a publisher's reputation.
How long can I use my Code Signing certificate?
Code Signing certificates are valid for one, two or three years, depending on the term you purchase it for.
Do you certify the content of my code?
No. Code Signing certificates are only used to verify the publisher who signed the content and that the content has not been altered or corrupted.
Why should I time stamp the code when I sign it?
Time stamping ensures that signed code will not expire when the Code Signing certificate expires. Signed code which has been time stamped is valid, even after the Code Signing certificate expires. A new certificate is only necessary if you want to sign additional code. If you did not use the time stamping option during the signing, you must re-sign your code whenever the Code Signing certificate changes due to re-keying or renewal.
What is your time stamping server URL?
Time stamping your code is an optional feature. Our time stamping server URL is: http://tsa.starfieldtech.com
.
If you want to time stamp your code, specify the full location, including the http:// part of the URL.
Which utility is used to verify whether the file has been time stamped?
- Windows - Use the SignTool.exe utility included with the Windows SDK to verify the presence of a time stamp in code which has been signed.
- Java - Use JarSigner.exe included as part of the JDK which is available here.
Is there a limit to the amount of time stamp requests allowed for a Code Signing certificate?
No. Unlike some of our competitors, we do not limit the number of time stamp requests which can be issued by a single Code Signing certificate.
Is there a limit to the number of applications allowed to be signed with a Code Signing certificate?
No. You are not limited to any specific number. You can sign as many applications or other content with a code signing certificate as you wish, provided that the applications are going to be used for and distributed by the organization that owns the certificate.
Can I request a Code Signing certificate as an individual?
No. Only businesses whose identity can be verified via various state or federal governmental agencies can be issued a Code Signing certificate.
Can I sign Windows® Vista 64-bit device drivers with a Code Signing certificate?
Yes. Because Windows must validate your device driver when booting up in kernel mode, a special type of Code Signing certificate must sign Windows Vista (and later) 64-bit device drivers. We offer these Driver Signing certificates (aka kernel-mode Code Signing certificates) on our website.
Can I sign Macintosh® OS X 10.5 and later code with a code signing certificate?
Yes. Apple recommends that all code written for Mac OS X 10.5 and later be code signed. Beginning with Mac OS X 10.5 Leopard, Apple has provided code signing tools. The main tool used is codesign.
For more information, see:
What settings should be enabled in Internet Explorer® to allow a user to receive the certificate pop-up on downloaded content?
To receive the certificate pop-up when the file is downloaded, you must enable the feature.
Enable Check for Signatures
- Open the Tools menu in Internet Explorer, and then click Internet Options.
- Go to the Advanced tab.
- In the Security section, select the Check for signatures on downloaded programs option.
How do I ensure that both I and my customers have the latest Microsoft® roots in my certificate store?
For Windows XP, everything is automatic. For older versions of the Windows operating system, it is highly recommended that the latest root update is installed. Good security policy dictates that your root certificate store should have the most current root certificate references from all trusted certification authorities, thereby providing the widest capability to recognize trusted content. To install the latest Microsoft root certificate patch, click here.