How do I renew a code signing certificate in MS Certificate Services

Asked by ticgums. Medium Priority. 1,406 Views. Last Modified: 2012-05-06
A little over a year ago I enabled Microsoft Certificate Services on one of my servers for the purpose of creating code signing certificates. My intent was to allow a handful of people in my company to sign macros in Access and Excel so that users would not get security warnings when opening these applications. For the past year this has worked flawlessly. Now all of the Code Signing certificates are expired and I don't know how to renew them.

Is there a way to simply change the expiration date so that all the certificates continue to work? Or do I need to create new certificates and resign all the macros?

Paranormastic (Cryptographic Engineer, CERTIFIED EXPERT) commented:
Normally you would create a new code signing certificate.  If you got it from a commercial CA you could buy one with a longer lifespan, if creating from your own CA you can duplicate the default code signing template so you can modify the validity period, if using a self-signed cert you can usually add a switch to the command to make a new one to specify the number of days it should be valid for.

Author commented:
I'm creating it from my own CA. Even if I modify the code signing template I could only make it valid for 2 years (length of the CA validity) correct?

Regardless of how long the certificate is good for once it expires I have to request a new one and resign all of my code? Is there any way to avoid this?
Paranormastic (Cryptographic Engineer, CERTIFIED EXPERT) commented:
You could extend the validity period of the CA certificate and renew it (you can use command 'Certutil -renewCert ReuseKeys' to avoid having to reissue all of your existing certs), and then extend the lifetime of your template.

Better yet would be using a time stamping service, if your code supports that.  Basically after the cert expires the time stamp is still valid, so you're good until you have to update the code, in which case you would have to re-sign again anyways.  Here's a little more info on that:
http://www.instantssl.com/code-signing/code-signing-technical.html

There are a few free time stamping services you can use - there may be a short delay from some of these, but from what I understand it's usually under an hour or at least same day, which is acceptable to most people.
http://www.itconsult.co.uk/stamper.htm
http://www.opentsa.org/
I'm sure there are more out there if you really want to look.
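The following PowerShell script is an added example, not code from this thread or from Microsoft; it puts the two answers above into something a practitioner can run: it inventories the code-signing certificates in the user's store with their remaining lifetime, reads the caps that bound what a duplicated template can actually issue (the CA's ValidityPeriod registry setting and the remaining life of the CA certificate, which is what limits the "2 years" mentioned above), audits already-signed files for the presence of a time stamp (a signature without one stops validating once the signer certificate expires), and signs a file with a time stamp server so the signature outlives the certificate. Assumptions: Windows PowerShell 5.1 or later with the PKI provider; the CA cap function runs on the CA host itself and finds the CA certificate by subject in the local machine store; the TSA URL and file paths are placeholders. Get-AuthenticodeSignature and Set-AuthenticodeSignature cover scripts, executables and installers, not VBA projects inside Office documents, so the audit function is for those file types.

```powershell
# Added example (not part of the original thread). Assumes Windows PowerShell 5.1+
# with the Cert: provider; TSA URL, CA name lookup and paths are placeholders/assumptions.

# 1. Inventory code-signing certificates in the current user's store.
function Get-CodeSigningCertInventory {
    Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert | ForEach-Object {
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            DaysLeft   = [int]($_.NotAfter - (Get-Date)).TotalDays
            Expired    = ($_.NotAfter -lt (Get-Date))
        }
    }
}

# 2. On the CA host: the validity a template can deliver is bounded by the CA's
#    ValidityPeriod/ValidityPeriodUnits registry values and by the remaining life of
#    the CA certificate. The active CA name is read from the Configuration key.
function Get-CaIssuanceCap {
    $cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfgKey).Active
    $caKey  = Get-ItemProperty -Path (Join-Path $cfgKey $caName)
    # Assumption: the CA's own certificate is in LocalMachine\My with CN = CA name.
    $caCert = Get-ChildItem Cert:\LocalMachine\My |
              Where-Object { $_.Subject -like "CN=$caName*" } |
              Sort-Object NotAfter -Descending | Select-Object -First 1
    [pscustomobject]@{
        CaName            = $caName
        RegistryCap       = "$($caKey.ValidityPeriodUnits) $($caKey.ValidityPeriod)"
        CaCertNotAfter    = $caCert.NotAfter
        # Issued certs cannot outlive the CA certificate; renewing the CA
        # (e.g. certutil -renewCert ReuseKeys) is what raises this bound.
        DaysUntilCaExpiry = [int]($caCert.NotAfter - (Get-Date)).TotalDays
    }
}

# 3. Audit signed files: flag signatures that have no time stamp and whose signer
#    certificate is already expired, since those are the ones that must be re-signed.
function Test-SignatureTimestamp {
    param([Parameter(Mandatory)][string]$Path)   # folder of signed files (placeholder)
    foreach ($file in Get-ChildItem -Path $Path -File) {
        $sig    = Get-AuthenticodeSignature -FilePath $file.FullName
        $signer = $sig.SignerCertificate
        $stamped = ($null -ne $sig.TimeStamperCertificate)
        [pscustomobject]@{
            File          = $file.Name
            Status        = $sig.Status
            Signer        = if ($signer) { $signer.Subject } else { $null }
            SignerExpires = if ($signer) { $signer.NotAfter } else { $null }
            Timestamped   = $stamped
            NeedsResign   = ($signer -and -not $stamped -and $signer.NotAfter -lt (Get-Date))
        }
    }
}

# 4. Sign with a time stamp so the signature stays valid after the certificate expires.
function Invoke-TimestampedSign {
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$TsaUrl = 'http://tsa.example.invalid/tsa'   # placeholder; use your TSA's URL
    )
    $cert = Get-Item -Path "Cert:\CurrentUser\My\$Thumbprint"
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate $Thumbprint is expired; request a new one before signing."
    }
    Set-AuthenticodeSignature -FilePath $FilePath -Certificate $cert `
        -TimestampServer $TsaUrl -HashAlgorithm SHA256
}

# Usage (paths and thumbprint are placeholders):
# Get-CodeSigningCertInventory | Format-Table
# Get-CaIssuanceCap                      # run on the CA host
# Test-SignatureTimestamp -Path 'C:\signed' | Where-Object NeedsResign
# Invoke-TimestampedSign -FilePath 'C:\signed\tool.ps1' -Thumbprint '<THUMBPRINT>'
```

The audit step is the useful one for the situation in the question: files whose signature carries a time stamp keep validating after the signer certificate expires, so only the rows with NeedsResign set to True have to be re-signed with a fresh certificate.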
