First, it took them forever to validate my company. But that’s done now, so I can live with it.
The problem now is I can’t download the certificate. I’ve tried on multiple browsers and OSs and all I get are two files:
cert_xxxxx.crt which looks like a generic certificate:
I’m pretty knowledgeable about this whole process - I know I need to combine the Private Key which was used for the CSR with the code-signature certificate (and I know how to do that on Windows and Mac) but I think the damned certificate itself is just not downloading. Help?
Typically the way these work is that the private key is only available the first time you download and after that they only provide the intermediates and public key. I’m afraid you’re going to need to reach out to them to reissue the cert.
In the future, I suggest using Firefox for downloading.
All is not lost, however - you can make a CSR yourself quite easily with a text file and a command-line tool, CertReq, in Windows - see Sectigo
If you make the CSR yourself, you can get a copy of the Private Key - at that point you can use any browser (or OS) to download the certificate files.
To retrieve the Private Key that CertReq created:
Start Menu ‘certmgr.msc’ to open Windows Certificate Manager
Go to Certificate Enrollment Requests / Certificates
Find the key with your company name (note: this is the CSR request key, not the code signing certificate)
Right-click / All Tasks / Export
Choose: Yes, export the private key
Choose: PFX format
Include all certificates
Give a password and remember it
Export to my-private-key.pfx or similar
Once Sectigo has created your Code Signing Certificate, you can download it. Here is where I ran into many issues. I think that their download system is broken, and as described above you get one zero byte file and one file which seems to have the wrong content.
However, with some digging I realized that the cert_xxxx.crt download file actually has 4 certificates included, and the file appears malformed - it has an extra -----END CERTIFICATE----- line at the end.
Here, I started working on the Mac since that’s where I do most of my development.
If you double-click this malformed CRT file, Keychain Access will import it, but it only imports the first certificate in the chain.
However, if you simply edit the text file, move the last certificate to the top of the file, and remove the duplicated line at the end, then the file imports fine into Keychain Access.
A few more steps and we are done:
Double-click the my-private-key.pfx file to import it into Keychain Access.
Open Keychain Access.
IMPORTANT: select “My Certificates” in the top Tab bar. (Note: this is important, as if you have “All Items” selected, then you’ll see the certificate and private key as separate items. In ‘My Certificates’ view the two will be grouped together so you can export them as one item.)
Find the certificate you purchased. Make sure it has a disclosure triangle, has a private key inside it, and has the right expiration date.
Right-click the certificate, choose Export, and give the same strong password (note: this password protects your Private Key. Never give out your private key, or this password, to anyone.)
Export to a .p12 file (which is the same as a .pfx file). This .p12 file can be used back on Windows with SignTool.
(Or can it?) I ran into one final problem:
In 2021 the minimum size of certificate keys was increased.
Older versions of SignTool fail to read these files.
The solution: upgrade to a more modern Windows 10 SDK which includes a newer version of SignTool.exe - see instructions here: SignTool - Win32 apps | Microsoft Docs
If you create the CSR in-browser, you have to use the same browser to download the certificate, since the private key used may be hidden from you.
In-browser CSR creation seems broken in many browsers, and if it fails, you may have to start the entire process again.
Instead, create the CSR yourself so you have control of the private key.
Sectigo’s certificate download is broken, delivering one empty file and one malformed file, but with some text editing, you can fix the malformed file, which actually does have your code signing certificate.
Code Signing Keys are larger in 2021, so you need to use a more modern version of SignTool to handle them, e.g. from a recent Windows 10 SDK.
I hope this can be helpful - I literally wasted about 3 days solid on this mess. Feel free to ask questions!
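As an added example (not from the post above or from Sectigo’s tooling), here is a small Python script that performs the text edit described above mechanically: it parses the downloaded PEM bundle into BEGIN/END blocks, reports the stray duplicated END line, and moves the last block to the top so the first certificate in the file is the one Keychain Access imports. The sample bundle is constructed with placeholder bodies, not real certificates.

```python
import sys

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed stand-in for cert_xxxx.crt: four PEM blocks with placeholder
# bodies (not real certificates) plus the duplicated END line the post describes.
SAMPLE_BUNDLE = (
    f"{BEGIN}\nAAAAROOT\n{END}\n"
    f"{BEGIN}\nAAAAINTER1\n{END}\n"
    f"{BEGIN}\nAAAAINTER2\n{END}\n"
    f"{BEGIN}\nAAAALEAF\n{END}\n"
    f"{END}\n"  # stray trailing delimiter
)


def split_pem_blocks(text):
    """Return (blocks, stray): complete BEGIN..END blocks as strings, and any
    lines that fall outside a block (e.g. a duplicated END CERTIFICATE line)."""
    blocks, stray, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == BEGIN:
            if current is not None:  # BEGIN while a block is open: previous is junk
                stray.extend(current)
            current = [line]
        elif line == END:
            if current is None:
                stray.append(line)  # END with no open block: the duplicated line
            else:
                current.append(line)
                blocks.append("\n".join(current))
                current = None
        elif current is not None:
            current.append(line)
        else:
            stray.append(line)
    if current is not None:  # unterminated block at EOF
        stray.extend(current)
    return blocks, stray


def fix_bundle(text):
    """Drop stray lines and move the last block (the code signing cert, as the
    post found) to the top. Returns the rewritten PEM text."""
    blocks, _ = split_pem_blocks(text)
    if len(blocks) > 1:
        blocks = [blocks[-1]] + blocks[:-1]
    return "\n".join(blocks) + "\n"


if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    _, stray = split_pem_blocks(src)
    print(f"stray lines removed: {len(stray)}", file=sys.stderr)
    sys.stdout.write(fix_bundle(src))
```

After writing the output to a file, `openssl x509 -in fixed.crt -noout -subject -dates` shows the subject and validity of the first certificate, which should now be your company’s.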
On my next renewal, I’ll be trying SSL.com. I’ve worked with one of their EV code signing certificates in the past, but I have no experience with the issuance process from them. I can say unequivocally, do not order an EV certificate from them. There is no way to automate signing, such as during an installer build. Using a security key requires entering a PIN for every file - brutal if you include CEF - and their cloud signing is both absurdly expensive and still doesn’t allow automated signing. They claim it does, but their code is awful and requires pressing “y” to confirm. But the price for cloud signing is $10 per file so obviously that isn’t viable even if it worked nicely… which it doesn’t.
A non-EV certificate should not have these problems, since local signing doesn’t require a security key. That’s the only reason I’m willing to try it.
I’m working with an EV from Sectigo (via Ksign) that required installing a piece of software and assigning a password. The signonce flag I got from your script makes this password window pop up for each file.
My workaround was to copy the password to the clipboard and just babysit and paste.
Sectigo might have it too, I just don’t have experience using an EV from them. SSL.com definitely does. It’s probably possible to have the password piped to STDIN as part of the script. I was able to make that work with SSL.com’s cloud signing tool… after using a Java decompiler to figure out what kind of stupid logic they were using.
I’m using the regular Sectigo code signing certificate (not the EV one), so I can’t comment on EV issues.
When I asked to get the certificate re-issued (because I thought the problem was my fault), this triggered the entire Sectigo validation process over again (e.g. they checked my business records and phone number, and made me re-upload government ID from scratch). This of course makes no sense.
Sectigo’s website and emails are a mess - there is a “validation” section and a “certificate” section, and they don’t seem to integrate well.
On the positive side, Sectigo’s Live Chat support was reasonably good - when my process got stuck in “verifying phone #” for a few days, the online chat person was able to send the email with a validation link.
The last time I renewed my Sectigo certificate, my process included being vouched for by my attorney. Then the hassle became that they wanted to verify HIM. “Who the heck are these people?”, he asked me.
I paid for an EV cert (2 months ago and counting); this followed the expiry of my non-EV cert in the name of my company (so I had already gone through all the company-related checks).