Are there any issues migrating to non-Verisign code signing certificate after verisign cert expires?

My multi-year Verisign code signing cert expired, so we have to renew it.  Verisign wants $499 for one year, I can get a Comodo code signing cert for $99.   Financially, this is a no-brainer.

However, way back when I remember there was an issue with InstallShield and creating Vista distributions that the code signing cert had to be issued by Verisign, so I am concerned that there may be some compatibility issues that might make it better in the long run to pay the extra $400.

 1. For code already running at end-users that was signed with the old cert before it expired, will those executables be affected in any way if we don't renew with verisign?  Will they still be able to install code on new machines that we digitally signed months and years ago using the old cert?

2. Will my app have problems installing on unpatched vista, Win7, Win2k3/8 O/S, or does Verisign still have some monopoly in the MSFT core that prevents any other non-verisign signed app to run unless system is patched/updated?

3. Anything else I need to know, like will the signcode.exe or any other MSDN utility have issues I need to be aware of.

Thanks. P.S. I am not married to Comodo as a code signing cert authority, I just don't want to throw money away on Verisign's cert if I can effectively get the same thing for a fraction of the cost elsewhere. Suggestions on another
Vadim Rapp Commented:
I started reading the link, and in 10 seconds read the sentence that actually is 100% confirmation of what I said - don't trust anybody, testing with your specific program is the only way.

"Second, something breaks every other time we renew."

The theory says that what's tested for validity is that the certificate has not expired at the time when you signed the code (not at the time of installation).  But it's theory.

Ironically, I think, what makes most sense is signing the product in such a way that the prompt to the user "Do you trust XXX?" will be presented - from the security standpoint, this is surely more sound than relying on the list of trusted providers compiled by Microsoft and shipped with o/s - because the real question is, who does the user trust, not Microsoft. Thus, self-signed. (I do realize that you won't really do it).
Vadim Rapp Commented:
I don't have my own hands-on experience with code signing using certificates from 3rd parties*, so the following is only theory:

1. This depends on whether the certificate has been timestamped. See explanation at Timestamped certificate will always be valid. I just checked it on my computer by setting the date several years ahead and then checking the timestamped certificate of an executable downloaded from - it said "valid" even though it has expired. You can check the same with your own signed code.

2. This depends on what's called "trusted root certification authorities". If the signing authority you are using is in the list, then it will be trusted. You can run certmgr.msc and see who is in that list.  You can also ask the CA directly if they are in the list that comes with Vista etc.

*) Because if I understand correctly, a certificate does not assert that the intentions are good. Any hacker can write the worst malicious virus and code-sign it. The only practical fact that is asserted by a certificate is that you paid money to the CA, nothing else. IMHO, this whole public certificate business is one big racket that nobody completely understands, but everybody pretends that it protects from something.
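The two checks described in that answer (is the signature timestamped, and does the signer's chain end at a root in the Trusted Root Certification Authorities store) can be scripted instead of read off certmgr.msc and a changed system clock. The following PowerShell is an added example, not code from this thread or from any CA; it assumes a signed file at a placeholder path and uses only built-in cmdlets and the .NET X509Chain class. Note that Get-AuthenticodeSignature exposes the timestamper's certificate but not the timestamp time itself, so the script reports whether a countersignature is present rather than when it was made.

```powershell
# Added example (not from this thread). Inspect an Authenticode signature:
#   1. is it timestamped, and has the signing certificate already expired?
#   2. does the signer's chain end at a root the machine actually trusts?
# $Path is a placeholder; point it at your own signed installer or executable.
function Test-SignedFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Date at which to evaluate the signer's chain. Defaults to one year from
        # now so you can look "into the future" without changing the system clock.
        [datetime] $VerificationTime = (Get-Date).AddYears(1)
    )

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate
    if (-not $signer) {
        return [pscustomobject]@{ Path = $Path; Status = $sig.Status; Note = 'file is not signed' }
    }

    # Point 1: a timestamp countersignature is what lets the signature stay
    # valid after the signing certificate expires. Without one, expiry
    # invalidates it, and that is the case the future-date chain check covers.
    $timestamped   = $null -ne $sig.TimeStamperCertificate
    $timestamper   = if ($timestamped) { $sig.TimeStamperCertificate.Subject } else { $null }
    $signerExpired = $signer.NotAfter -lt (Get-Date)

    # Point 2: build the chain at the chosen date and see whether its root is
    # present in the machine's Trusted Root store (the list certmgr.msc shows).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode   = 'NoCheck'   # keep the check offline-friendly
    $chain.ChainPolicy.VerificationTime = $VerificationTime
    $null = $chain.Build($signer)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootTrusted = [bool](Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object Thumbprint -eq $root.Thumbprint)

    [pscustomobject]@{
        Path               = $Path
        Status             = $sig.Status            # Valid / NotSigned / HashMismatch / ...
        Signer             = $signer.Subject
        SignerExpires      = $signer.NotAfter
        SignerExpiredToday = $signerExpired
        Timestamped        = $timestamped
        Timestamper        = $timestamper
        ChainRoot          = $root.Subject
        RootInTrustedStore = $rootTrusted
        ChainEvaluatedAt   = $VerificationTime
        ChainProblems      = ($chain.ChainStatus | ForEach-Object Status) -join ','   # empty when clean
    }
}

# Usage (placeholder path): run against the installer you are about to ship.
Test-SignedFile -Path 'C:\path\to\your\signed\setup.exe' | Format-List
```

Reading the output: an expired signer together with Timestamped = True is the healthy case, since Windows judges a timestamped signature against the certificate's validity at signing time, not at install time. Timestamped = False with a future VerificationTime that shows a NotTimeValid chain problem is the combination that will break once the certificate lapses. RootInTrustedStore = False on a fresh, unpatched machine is the "is this CA in the OS list" question from point 2; Windows can fetch missing roots through automatic root update, but an offline install cannot.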
DavidPresident (Author) Commented:
Thank you vadimrapp1, I really need to get some confirmation, something other than a reasonable theory.

I hope you understand. Don't want to burn 10,000 CDs and find out that the activation doesn't work. Will try to get a moderator or somebody to put this in other groups to get an answer.
Vadim Rapp Commented:
If you have 10K CDs, I think you will need to run some test anyway, even if you get a very definite answer from someone. The best answer would probably be from Comodo itself - they have "live chat", so I would explain the situation and see what they say; if they claim it will work, then buy the certificate and try how it works on Vista etc.; if it does not work, then take your money back.
DavidPresident (Author) Commented:
The problem is that I have sold over 250,000 CDs over the years, and plan on burning a new master soon. I know there will be no issue with the legacy code in the future if people re-install or install on a fresh computer since they were all timestamped, even if the Verisign cert expires, since I did timestamp the InstallShield and the executables with that Verisign DLL link they spec out.

There is really no way to test installing in the future due to the embedded URL for the Verisign timestamp, nor testing installing after the digital certificate has expired. I have no doubt it can sign code. I want to test signed code as if I was a year or so in the future to see if it runs and validates OK.

I found this link that compares code signing certs; it looks like if I go Thawte, I am still using Verisign, just at half the price. I will just do that after I have a chat with them and report back.
DavidPresident (Author) Commented:
Well, I saw some conflicting information relating to needing a Verisign cert for an application to meet WinQual for Windows 7. That was the bad news. The good news in researching this on the Microsoft site was that I found a promotional link to get a 1-year Verisign Authenticode cert for $99 instead of the regular $499 price! So needless to say, that is the path I went down.

It probably violates the rules if I post discount codes, but if you go to you can find it without too much trouble :)
DavidPresident (Author) Commented:
I never got a black & white answer, but the question is closed as I was able to get a Verisign cert for $99 instead of $499 via a promotional link on the MSFT web site, so the problem is moot. I would not have found the link if it hadn't been for your advice and doing some more searching on MSFT.

Vadim Rapp Commented:
I think it still would be wise to try another certificate - now that you have enough time until this one expires again - and observe what happens.