Digicert Code Signing Certificate FAQ

Digicert Code Signing Certificate


 

What is Digicert code signing and why do I need it? 

Digicert Code Signing creates a digital "shrink-wrap" that shows customers the identity of the company responsible for the code and confirms that it has not been modified since the signature was applied. In traditional software sales, a buyer can confirm the source of the application and its integrity by examining the packaging. Increasingly, customers download applications online, install plug-ins and add-ins, and interact with sophisticated Web-based applications. They risk compromising their security and the functionality of existing systems if they download malicious or faulty code. Digicert Code Signing protects your brand and your intellectual property by making your applications identifiable and harder to falsify or damage with a digital signature.

[ Back to Top ]

 

Which Digicert Code Signing Certificate do I need?

Code and content signing is based on public key cryptography. A developer or software publisher uses a private key to add a digital signature to code or content. Software platforms and applications use a public key to decrypt the signature during download and compares the hash used to sign the application against the hash of the downloaded application. Signed code from a trusted source may be automatically accepted or a security warning may require the end user to view the signature information and decide whether or not to trust the code.

[ Back to Top ]

 

Are Code Signing Certificates available for individiual developers?

Yes. Code signing certificates are available for individual developers who are not affiliated with an incorporated business. Select the appropriate code signing certificate for your development platform. In the publisher name field on the sign up form simply put your name down for the publisher.

[ Back to Top ]

 

How does a Digicert Code Signing Certificate work?

Code and content signing is based on public key cryptography. A developer or software publisher uses a private key to add a digital signature to code or content. Software platforms and applications use a public key to decrypt the signature during download and compares the hash used to sign the application against the hash of the downloaded application. Signed code from a trusted source may be automatically accepted or a security warning may require the end user to view the signature information and decide whether or not to trust the code.

[ Back to Top ]

 

How long does it take to purchase a Digicert Code Signing Certificate?

During the Digicert code signing enrollment process, Digicert will collect information about you and your company for authentication. The validation process may take a few hours or several days, depending on the information you provide and how easily it can be verified. You have the option to pay by credit card, PayPal, check or wire transfer. We must receive payment before delivering your certificate, payment by credit card or PayPal speeds delivery. Review the Digicert Code Signing Certificate enrollment process:

Microsoft Authenticode
Java
Microsoft Office / VBA
Adobe AIR

[ Back to Top ]

 

How long does a digital signature last?

Every Digicert Code Signing Certificate is purchased with a specific validity period. The digital certificate can be used to sign code as frequently as needed during that validity period. When the digital certificate expires, all digital signatures that depend on that digital certificate expire also unless the signature includes a time stamp. A timestamp option shows when code was signed, allowing customers to verify that the Code Signing Certificate was valid at the time of the digital signature.

[ Back to Top ]

 

Can I install the Digicert Code Signing Certificate on more than one PC?

You can use a Digicert Code Signing Certificate on any computer once it is retrieved. However, you must buy and retrieve your Code Signing Certificate from the same computer. If you have problems with retrieval, confirm that you are using the same computer, browser, and log-in profile used to enroll. Digicert recommends that developers purchase additional Code Signing Certificates rather than sharing certificates for better security and management. If a certificate becomes compromised and must be revoked, then all applications signed by the single certificate will be disabled.

[ Back to Top ]

 

How does someone know they can trust my signature?

Simply signing your code ensures that it has not been tampered with and that it comes from you, but does not verify who you are. A third-party CA is more trusted than a self-signed certificate because the certificate requester had to go through a vetting or authentication process. When software platforms and applications verify a digital signature, they access a "root" certificate to determine whether or not to trust the CA that issued the certificate. It is possible to self-sign your code, but then you have to make sure that anyone accessing the code has access to your Root Certificate or your self-signed application will remain unidentifiable. Because Digicert Root Certificates come pre-installed on most devices and embedded in most applications, digital signatures from Digicert are almost always trusted, reducing warnings and error messages.

[ Back to Top ]

 

How many Digicert Code Signing Certificates do I need?

Digicert recommends that developers purchase additional Code Signing Certificates rather than sharing certificates for better security and management. If a certificate becomes compromised and must be revoked then all applications signed by the single certificate will be disabled. For ease of use, Digicert recommends buying a Code Signing Certificate for each developer platform. You could use a Code Signing Certificate for one platform to sign code for others. However, different platforms require the certificates in different formats. To use a certificate across platforms requires a conversion process using additional utilities.

[ Back to Top ]

 

What if I lose my private key or it becomes compromised?

If your private key is lost or compromised or if your information changes, you should revoke your Digicert Code Signing Certificate immediately and replace it with a new certificate.

[ Back to Top ]

 

Do I need to sign all the files within the cab file or just the cab file?

For Microsoft Windows applications, developers only need to sign the .cab file using the appropriate Digicert Code Signing Certificate. For Windows Mobile applications, all executables within the .cab file must be signed. The Digicert Flexible Signing Account automatically signs all of the contained executables when the .cab file is signed.

[ Back to Top ]

 

What Digicert Code Signing Certificate should I use for Netscape Object Signing?

Digicert no longer offers a Code Signing Certificate for Netscape because Netscape discontinued the signing tools and support for Netscape 4.x browsers. To digitally sign files for Netscape Object Signing, purchase a Digicert Code Signing Certificate for Java.

[ Back to Top ]

 

$405
1 year
$705
2 year
$985
3 year
Buy 
Digicert Code Signing Certificate