Code signing certs for Windows thread

damn, this process almost kills the joy of developing software :frowning_face:


Although more expensive, Digicert is way less cruel.


@Michel
I remember you saying kSign works too with your Digicert certs. It may look like it is working but do check if it is also timestamped. They only seem to do this with their own kSoftware certs.

Note:
If you code-sign without a timestamp, your downloaded file will show a blue screen (not red), BUT when your cert expires, it starts to show the red screen/warning. Which is something you do not want.

I'm currently failing to use LeaderSSL

I go to the website, ask for 3 year certificate, and get sent a link to download a public key
The link says ‘Edge browser in Internet Explorer mode or Internet Explorer 11’

IE can't be installed, it seems, and Edge in IE mode doesn't send a certification request
The page I am sent to says Edge is specifically not allowed, and I could use Firefox ESR on the Mac
That doesn't work either.

I’m waiting to hear back from them.
This is painful, but if I can get through it, I may stay in business for a few more years
(I dread to think what the new process will entail, and may well take that as a cue to cease trading)

Edit: Turns out I can still install IE11, they just don’t really want me to. Trying that now.

I used Edge in Windows 11

But you need to use the same browser you used when you did order. Otherwise you cannot download the certs.

Installed Internet Explorer in Windows 11 three times - it does not show up as a runnable app.
They REALLY want people to use Edge, don't they?
Eventually I found a place in the default browser settings that allows IE mode.
No change
Finally, I used a setting that said ‘always open this page in IE mode for the next 30 days’
That seems to have gotten me past the generate key issue, although I cannot actually see a key or any file downloaded.
Waiting for the next stage now.

Having the browser generate the CSR is the wrong way to do it (in my opinion) because the private key is hidden within the browser.

There is a way to generate the CSR outside of the browser which then allows you to use any browser on any OS on any computer. See Sectigo Code Signing Certificate Problems - #3 by Mike_D (Note: i did this with Sectigo. I don’t know if LeaderSSL supports this alternative method)


I’m trying to use LeaderSSL, and the page I end up at from them is still Sectigo…

Yes, that is what you need to do. And it is important to use the same browser you started everything with when ordering the certs. Otherwise it will not work.

No, that’s only true if you use the browser to generate the CSR.

If you generate the CSR yourself manually, you avoid all of those issues.

If you want to do it the “right” way, follow these instructions

I suspect I’m already paddling that canoe. :slight_smile:

That’s how I did it several times and worked fine for me. If there is another way… good to hear.

Nearly there…
I used a setting that said ‘always open this page in IE mode for the next 30 days’
Then I got emails from Sectigo and Leader (who have been very responsive and pro-active) about the validation process.
That required:
DUNS number (I had one, not sure how/why but yay!)
Company number with a government agency (I'm a limited company so appear in Companies House UK)
Phone number on public directory somewhere (I set one up in 192.com a while ago… it's still there thankfully: I don't ‘do’ phone support and frankly don't agree that we need one in this day and age)
Photograph of driving licence.
Photo of me holding the driving licence

and then a phone call to the published phone number to prove that there was a body at the other end.

You can't extend an existing cert (so I'm losing over a year and a half of my current one), and renewals are treated like new for validation purposes.

I now have an email saying the cert is ready, and in theory all I need do is download it.

I’m terrified of what will be needed in 3 years time. Genuinely could mean shutting down if it’s too bonkers.

Good to hear it is OK now.
And yes, LeaderSSL is pretty good. I can highly recommend them too.

Last stage: I download the ‘certificate’ and it is a crt file
I double click that and it ‘installs the certificate’

Needing the certificate on another machine, I try to ‘export the certificate’, but all I can get is a p7b file, and nothing I own can use one of those.
Don't we get a PFX any more?
Any ideas?

@Jeff_Tullin check out my instructions (linked about 5 posts back) which has some workarounds.

I’ll give them a try from scratch tomorrow, thanks
For now, I do know that when I got to the export screen,

  • Right click, / All Tasks / export
  • Choose: Yes, export the private key
  • Choose: PFX format

PFX format could not be selected there…
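Worked version of the route Mike_D recommends a few posts up (generate the CSR outside the browser) carried through to the step Jeff is stuck on (getting a usable PFX out of what the CA hands back). This is an added example, not code from the thread and not Mike_D's linked instructions; it assumes the CA accepts a PEM CSR and returns the chain as a .crt or a DER .p7b, and every subject, file name and password in it is a placeholder. The "stand-in CA" exists only so the script runs offline; in real life that step is the CA's validation and the email saying the cert is ready.

```shell
#!/bin/sh
# Added example, not code from the thread or from Mike_D's linked instructions.
# Keeps the private key as a file you control (so the order can be placed from
# any browser) and assembles the PFX yourself from that key plus the certs the
# CA returns, including the .p7b case Jeff hit.
# Assumptions, none from the thread: the CA accepts a PEM CSR and returns the
# chain as .crt or DER .p7b; subject, file names and password are placeholders;
# the "stand-in CA" below exists only so the script runs offline.
set -eu

# Step 1: key + CSR generated locally. Prints the CSR subject after checking
# the CSR's own signature; codesign.csr is what you paste into the order form.
make_key_and_csr() {
  dir=$1; subj=$2
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
    -out "$dir/codesign.key" 2>/dev/null
  openssl req -new -key "$dir/codesign.key" -subj "$subj" -out "$dir/codesign.csr"
  openssl req -in "$dir/codesign.csr" -noout -verify >/dev/null 2>&1
  openssl req -in "$dir/codesign.csr" -noout -subject -nameopt RFC2253
}

# Offline stand-in for the CA: signs the CSR with a throwaway issuer and hands
# back a DER .p7b bundle (leaf + issuer), the format Jeff could not use.
standin_ca_issue() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Stand-in Code Signing CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl x509 -req -in "$dir/codesign.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/leaf.pem" 2>/dev/null
  openssl crl2pkcs7 -nocrl -certfile "$dir/leaf.pem" -certfile "$dir/ca.pem" \
    -outform DER -out "$dir/download.p7b"
}

# Step 2: a .p7b is a PKCS#7 bag of certificates with no key in it. Unpack it
# to PEM and print how many certificates it held.
p7b_to_pem() {
  openssl pkcs7 -inform DER -in "$1" -print_certs -out "$2"
  grep -c 'BEGIN CERTIFICATE' "$2"
}

# Step 3: build the PFX from your key and the PEM chain. OpenSSL uses the cert
# matching the key as the leaf and carries the others along. Prints what the
# finished file contains, read back from disk.
build_pfx() {
  key=$1; chain=$2; out=$3; pass=$4
  openssl pkcs12 -export -inkey "$key" -in "$chain" -out "$out" -passout "pass:$pass"
  keys=$(openssl pkcs12 -in "$out" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
         | grep -c 'BEGIN.*PRIVATE KEY')
  certs=$(openssl pkcs12 -in "$out" -passin "pass:$pass" -nokeys 2>/dev/null \
          | grep -c 'BEGIN CERTIFICATE')
  echo "keys=$keys certs=$certs"
}

main() {
  work=$(mktemp -d)
  make_key_and_csr "$work" "/C=GB/O=Example Ltd/CN=Example Ltd"
  standin_ca_issue "$work"        # real life: wait for the CA's "cert is ready" email
  p7b_to_pem "$work/download.p7b" "$work/chain.pem"
  build_pfx "$work/codesign.key" "$work/chain.pem" "$work/codesign.pfx" "change-me"
  echo "PFX written to $work/codesign.pfx"
}

if command -v openssl >/dev/null 2>&1; then main; else echo "openssl not found" >&2; fi
```

If an older Windows box refuses the resulting PFX, OpenSSL 3 has a `-legacy` switch for `pkcs12 -export` that falls back to the older PFX encryption; and whichever way you get the PFX, sign with `signtool sign /fd SHA256 /tr <your CA's timestamp URL> /td SHA256 /f codesign.pfx ...` so the signature carries a timestamp and keeps verifying after the cert itself expires, which is the point Christian makes near the top of the thread.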

.crt files are just text files - I suggest you try opening it in a text editor and see what you have. When I did this (in early 2022, purchasing directly from Sectigo) when I downloaded the .crt file, I was given two files - one was empty and the other .crt file was mangled - it had 4 certificates inside it, but the “-----END CERTIFICATE-----” line was duplicated. I did some manual text editing which cleaned up the file, after which I could use it. Fun times!

What do you see in your .crt file? (obviously, don’t share the actual certificate data here)
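The manual text editing Mike_D describes, done mechanically so it is repeatable. This is an added example, not code from the thread: it keeps only well-formed BEGIN/END CERTIFICATE blocks, drops duplicated END lines and the subject/issuer text between blocks, and normalises Windows CRLF line endings. The sample input is constructed to mimic the mangled download and contains no real certificate data.

```shell
#!/bin/sh
# Added example, not code from the thread: normalises a mangled PEM .crt
# download of the kind Mike_D describes (duplicated END lines, text between
# blocks, Windows CRLF endings) into a clean bundle OpenSSL and signtool accept.
# The sample below is constructed and contains no real certificate data.
set -eu

# Writes a constructed stand-in for the broken download to $1.
make_sample_bundle() {
  printf '%s\r\n' \
    'subject=CN=Example Ltd' \
    '-----BEGIN CERTIFICATE-----' \
    'MIIBsampleDataOnlyNotARealCertificate0001' \
    '-----END CERTIFICATE-----' \
    '-----END CERTIFICATE-----' \
    '' \
    '-----BEGIN CERTIFICATE-----' \
    'MIIBsampleDataOnlyNotARealCertificate0002' \
    '-----END CERTIFICATE-----' \
    '-----END CERTIFICATE-----' > "$1"
}

# Keeps only well-formed BEGIN...END CERTIFICATE blocks from $1, writes them
# to $2 with LF endings, and prints the number of certificates kept.
clean_pem_bundle() {
  awk '
    { sub(/\r$/, "") }                                    # drop CR from CRLF
    /^-----BEGIN CERTIFICATE-----$/ { if (!inblock) { inblock = 1; print }; next }
    /^-----END CERTIFICATE-----$/   { if (inblock)  { inblock = 0; print }; next }  # stray END ignored
    inblock                          { print }            # body lines only inside a block
  ' "$1" > "$2"
  grep -c 'BEGIN CERTIFICATE' "$2"
}

main() {
  work=$(mktemp -d)
  make_sample_bundle "$work/download.crt"
  echo "before: $(grep -c 'END CERTIFICATE' "$work/download.crt") END lines"
  echo "kept:   $(clean_pem_bundle "$work/download.crt" "$work/clean.crt") certificates"
}

main
```

On a real download, list what the cleaned bundle contains with `openssl crl2pkcs7 -nocrl -certfile clean.crt | openssl pkcs7 -print_certs -noout`, which prints the subject and issuer of every block and errors out on any block that is still corrupt; the leaf should be the one whose subject is your company and whose issuer is the CA's intermediate.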

Hi all, I just had a terrible experience with Sectigo. If you need an OV certificate, avoid Sectigo at all costs! After more than a month of silence, waiting and unhelpful replies from them, today they wrote that they are “unable to verify” my company even though I’d been their customer for several years! Asked a refund.

Now, I am in the uncomfortable position of having to find another organization to issue a code signing certificate. Especially a company that can handle international businesses, as I am based in Italy and am unable to provide US business licenses, DUNS numbers and so on.
Any recommendations and advice about a good company?

I went with Digicert.com. They are more expensive, but it is a serious company and I never had any issues with verifying my company.

Note that you can get a DUNS number, although you are in Italy.
Go to https://www.dnb.com/duns/get-a-duns.html and click “I am an Apple Developer”. After logging in your Apple developer account you get your DUNS number.

Also, make sure to have a phone registered to your name. In France, I registered my VOIP phone number with the national yellow pages. Some companies use that to vet your company.
