Sectigo Code Signing Certificate Problems

I formerly used TuCows for Windows Code signing certificates, but they closed up and recommended Sectigo: TuCows code signing certificates? - #11 by Mike_D

Others have had trouble with Sectigo: Alternative to Sectigo (formerly Comodo) for Certification

I’m having trouble with Sectigo too.

First, it took them forever to validate my company. But that’s done now, so I can live with it.
The problem now is I can’t download the certificate. I’ve tried on multiple browsers and OSs and all I get are two files:

  • cert_xxxxx.crt which looks like a generic certificate:

  • A second file, cert_xxxxx_ca_bundle.crt which is zero bytes in size:

  • I tried downloading from IE11 and it apparentely sends a mime-type that IE11 doesn’t understand:

  • I’ve seen mention of using FireFox 68 ESR version (which almost immediately updates itself to V91) but it too fails:

I’m pretty knowledable about this whole process - I know I need to combine the Private Key which was used for the CSR with the code-signature certificate (and I know how to do that on Windows and Mac) but I think the damned certificate itself is just not downloading. Help?

Typically the way these work is that the private key is only available the first time you download and after that they only provide the intermediates and public key. I’m afraid you’re going to need to reach out to them to reissue the cert.

In the future, I suggest using Firefox for downloading.

1 Like

It’s quite an adventure, but I was able to figure it out eventually.

  • First, there are two ways of creating a CSR (Code Signing Request) - manually, or letting the browser do it.
  • I believe that the in-browser method is basically broken and not reliable
  • @Greg_O_Lone your suggestion to use Firefox seems out dated - apparently FF 69 or later has broken this feature, see for example https://www.digicert.com/blog/partner-advisory-in-browser-csr-generation-support-dropped-in-firefox-69
  • All is not lost, however - you can make a CSR yourself quite easily with a text file and a command-line tool CertReq in windows - see Sectigo
  • if you make the CSR yourself, you can get a copy of the Private Key - at that point you can use any browser (or OS) to download the certificate files.

To retrieve the Private Key that CertReq created:

  • Start Menu ‘certmgr.msc’ to open Windows Certificate Manager
  • Go to Certificate Enrollment Requests / Certificates
  • find the key with your company name (note: this is the CSR request key, not the code signing certificate)
  • Right click, / All Tasks / export
  • Choose: Yes, export the private key
  • Choose: PFX format
  • Include all certificates
  • give a password and remember it
  • export to my-private-key.pfx or similar

Once Sectigo has created your Code Signing Certificate, you can download it. Here is where I ran into many issues. I think that their download system is broken, and as described above you get one zero byte file and one file which seems to have the wrong content.

However, with some digging I realized that the cert_xxxx.crt download file actually has 4 certficiates included, and the file appears malformed - it has an extra
-----END CERTIFICATE-----
line at the end.

Here, I started working on the Mac since that’s where I do most of my development.

  • If you double-click this malformed CRT file, Keychain Access will import it, but it only imports the first certificate in the chain.
  • however, if you simply edit the text file, and move the last certificate to the top of the file, and remove the duplicated line at the end, then the file imports fine into Keychain Access.

A few more steps and we are done:

  • double click the my-private-key.pfx file to import it into Keychain Access
  • Open Keychain access,
  • IMPORTANT: select “My Certificates” in the top Tab bar. (Note: this is important, as if you have “All Items” selected, then you’ll see the certificate and private key as separate items. In ‘Certificates’ view the two will be grouped together so you can export as one item.)
  • find the certificate you purchased. Make sure it has a disclosure triangle and has a private key inside it, and has the right expiration date.
  • right-click the certificate, choose export, and give same strong password (note: this password protects your Private Key. Never give out your private key, or this password to anyone.)
  • Export to a .p12 file (which is the same as a .pfx file) This p12 file can be used back on Windows with SignTool.

(Or can it?) I ran into one final problem:

  • In 2021 the minimum size of certificate keys was increased
  • older versions of SignTool fail to read these files
  • the solution: upgrade to a more modern Windows 10 SDK which includes a newer version of SignTool.exe - see instructdions here: SignTool - Win32 apps | Microsoft Docs

Summary of issues:

  • if you create the CSR in-browser, you have to use the same browser to download the certificate, since the private key used may be hidden from you.
  • in-browser CSR creation seems broken in many browsers, and if it fails, you may have to start the entire process again.
  • instead, create the CSR yourself so you have control of the private key.
  • Sectigo’s certificate download is broken, delivering one empty file and one a malformed file, but with some text editing, you can fix the malformed file which actually does have your code signing certificate.
  • Code Signing Keys are larger in 2021, so you need to use a more modern version of SignTool to handle them, e.g. from a recent Windows 10 SDK.

I hope this can be helpful - I literally wasted about 3 days solid on this mess. Feel free to ask questions!

Their support is so inept, I finally filed a case with Paypal and will take the time to find another certificate provider.

1 Like

On my next renewal, I’ll be trying SSL.com. I’ve worked with one of their EV code signing certificates in the past, but I have no experience with the issuance process from them. I can say unequivocally, do not order an EV certificate from them. There is no way to automate signing, such as during an installer build. Using a security key requires entering a PIN for every file - brutal if you include CEF - and their cloud signing is both absurdly expensive and still doesn’t allow automated signing. They claim it does, but their code is awful and requires pressing “y” to confirm. But the price for cloud signing is $10 per file so obviously that isn’t viable even if it worked nicely… which it doesn’t.

A non-EV certificate should not have these problems, since local signing doesn’t require a security key. That’s the only reason I’m willing to try it.

Who has the EV PIN problem, SSL or Sectigo?

I’m working with an EV from Sectigo (via Ksign) that required installing a piece of software and assigning a password. The signonce flag I got from your script makes this password window pop up for each file.

My workaround was to copy the password to the clipboard and just babysit and paste :grimacing:

Sectigo might have it too, I just don’t have experience using an EV from them. SSL.com definitely does. It’s probably possible to have the password piped to STDIN as part of the script. I was able to make that work with SSL.com’s cloud signing tool… after using a Java decompiler to figure out what kind of stupid logic they were using.

More info:

  • I’m using the regular Sectigo code signing certificate (not the EV one) so I can’t comment on EV issues
  • When I asked to get the certificate re-issued (because I thought the problem was my fault) this triggered the entire Sectigo validation process over again (e.g. they checked my business records, phone number, and made me re-upload goverment ID from scratch). This of courses makes no sense
  • Sectigo’s website and emails are a mess - there is a “validation” section and a “certificate” section and they don’t seen to integrate well.
  • On the positive side, Sectigo’s Live Chat support was reasonably good - when my process got stuck in “verifying phone #” for a few days, the online chat person was able to send the email with a validation link.

The last time I renewed my Sectigo certificate, my process included being vouched for by my attorney. Then the hassle became that they wanted to verify HIM. “Who the heck are these people?”, he asked me. :slight_smile:

Weird. In December, all they wanted was a scan of my ID and a selfie for my personal non-EV certificate.

I was doing mine in the name of my LLC. Might have made a difference.

I paid for an EV cert (2 months ago and counting), this followed the expiry of my non-EV cert in the name of my company (so already went through all the company related checks).

Shambolic is the only word

Public shaming on Twitter works :grin: