
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1352

How do I renew a code signing certificate in MS Certificate Services

A little over a year ago I enabled Microsoft Certificate Services on one of my servers for the purpose of creating code signing certificates. My intent was to allow a handful of people in my company to sign macros in Access and Excel so that users would not get security warnings when opening these applications. For the past year this has worked flawlessly. Now all of the Code Signing certificates are expired and I don't know how to renew them.

Is there a way to simply change the expiration date so that all the certificates continue to work? Or do I need to create new certificates and resign all the macros?
1 Solution
Paranormastic (Cryptographic Engineer) commented:
Normally you would create a new code signing certificate. If you got it from a commercial CA you could buy one with a longer lifespan; if creating from your own CA you can duplicate the default code signing template so you can modify the validity period; if using a self-signed cert you can usually add a switch to the command to make a new one to specify the number of days it should be valid for.
ticgums (Author) commented:
I'm creating it from my own CA. Even if I modify the code signing template I could only make it valid for 2 years (length of the CA validity) correct?

Regardless of how long the certificate is good for once it expires I have to request a new one and resign all of my code? Is there any way to avoid this?
Paranormastic (Cryptographic Engineer) commented:
You could extend the validity period of the CA certificate and renew it (you can use command 'Certutil -renewCert ReuseKeys' to avoid having to reissue all of your existing certs), and then extend the lifetime of your template.

Better yet would be using a time stamping service, if your code supports that. Basically, after the cert expires the time stamp is still valid, so you're good until you have to update the code, in which case you would have to re-sign again anyway. Here's a little more info on that:

There are a few free time stamping services you can use. There may be a short delay from some of these, but from what I understand it's usually under an hour or at least same day, which is acceptable to most people.
I'm sure there are more out there if you really want to look.
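The following PowerShell snippet is an added example, not code from either participant in this thread. It shows the two checks an administrator would run before deciding whether re-signing is needed: how long each code-signing certificate in the personal store has left, and whether an existing Authenticode signature carries a countersignature from a time stamping service (a timestamped signature stays valid after the signer certificate expires). It then re-signs a file with the newest code-signing certificate and a timestamp. The file path `C:\Scripts\Build.ps1` and the timestamp URL are placeholders; substitute your own. Note that these cmdlets inspect Authenticode signatures on scripts and executables, not the VBA project signatures inside Office documents, which Office verifies itself, but the expiry-versus-timestamp logic is the same.

```powershell
# Added example (not from the original thread). Assumes a signed file at
# C:\Scripts\Build.ps1 and a timestamp server URL; both are placeholders.
$Now = Get-Date

# 1. List code-signing certificates in the current user's store with days remaining.
#    A negative DaysLeft means the certificate has already expired.
Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Select-Object Subject, Thumbprint, NotBefore, NotAfter,
        @{ Name = 'DaysLeft'; Expression = { ($_.NotAfter - $Now).Days } } |
    Format-Table -AutoSize

# 2. Inspect an existing signature: is it valid, who signed it, and was it timestamped?
#    Status 'Valid' with a populated TimeStamperCertificate means the signature
#    survives the signer certificate's expiry; no timestamp means it will not.
$Sig = Get-AuthenticodeSignature -FilePath 'C:\Scripts\Build.ps1'
[pscustomobject]@{
    Status        = $Sig.Status
    Signer        = $Sig.SignerCertificate.Subject
    SignerExpires = $Sig.SignerCertificate.NotAfter
    TimeStamped   = [bool]$Sig.TimeStamperCertificate
    TimeStamper   = $Sig.TimeStamperCertificate.Subject
} | Format-List

# 3. Re-sign with the longest-lived code-signing certificate available, adding a
#    timestamp so the new signature outlives that certificate as well.
$Cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.NotAfter -gt $Now } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $Cert) {
    throw 'No unexpired code-signing certificate found; request a new one from the CA first.'
}

Set-AuthenticodeSignature -FilePath 'C:\Scripts\Build.ps1' `
    -Certificate $Cert `
    -TimestampServer 'http://timestamp.example.invalid'   # placeholder URL
```

Run step 1 and step 2 on a schedule (for example, a few weeks before NotAfter) so renewals are planned rather than discovered when users start seeing warnings; step 3 is only needed for files whose signature turns out to be untimestamped.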
