A little short of three years ago, I wrote a blog entry, “Code Signing – It’s Cheaper and Easier than you Thought.” In there I talked about buying my three-year certificate from TUCOW’s author web site (a reseller of Comodo certificates) for $195 USD and how to integrate code signing into your build. My blog entry turned out to be fairly popular according to our hits and scores high on the search engine mojo. As I promised, I thought I’d write about my experiences renewing my certificate since it’s expiring.
I poked around all the certificate issuers’ web sites to find the best deals. A commenter on my original post, Chris, went through all the issuers and listed their prices, so that helped. In the end, TUCOW still had the cheapest price for a three-year code signing certificate of $195 USD, showing that low inflation is a good thing.
Even though my current certificate doesn’t expire for another month, it originally took me two or three weeks to get the first certificate, so I wanted plenty of time for the renewal if there were problems. Normally certificates only take a couple of days, but I wanted my original certificate to be named “John Robbins/Wintellect” so had to provide the normal documentation for myself as well as the articles of incorporation for Wintellect. Fortunately, my top-notch filing system still contained all the original documentation I provided to Comodo, so I thought the renewal process would be a snap.
After submitting everything, I had five or six days of back and forth with Comodo support where they kept telling me that they couldn’t issue the certificate until I changed the Wintellect WHOIS information to my personal address instead of the corporate address. After explaining numerous times I was just looking at a renewal of “John Robbins/Wintellect” they finally told me that “because of policy changes” they will only issue certificates with a single name. No big deal, I just had them issue the certificate in Wintellect’s name and be done with it.
With the email stating my certificate’s been issued, I click on the link to install the certificate into my machine’s certificate cache and Chrome reports “The server returned an invalid client certificate. Error 207 (net::ERR_CERT_INVALID).” I try the download link with IE 9 Beta and get the error “ERROR 0x80092004: CertEnroll::CX509Enrollment::InstallResponse: Cannot find object or property. 0x80092004 (-2146885628).”
A quick round with Comodo support and I find out Chrome and IE 9 are definitely not supported. They sent me a link with their instructions for downloading the certificate. The first line had me shaking my head:
1) Open http://www.instantssl.com/code-signing/ in Internet Explorer (IE) 6 or 7 with ActiveX enabled. (Windows XP preferred)
While I know half the Windows installs are Windows XP, I don’t have that anywhere, not even on a virtual machine. My server machines have IE8 on them so I gave that a try and was able to download the certificate. Just thought I’d let the world know that to download your cert from Comodo you can’t use fancy new browsers.
In the end, a code signing certificate renewal is just like getting a new certificate. At least they are cheap enough that even small companies should never have the dreaded “Unidentified program” when elevating a program or install. Finally, I blogged about this before, but it’s so good I have to mention it again. If you are new to code signing, make sure to get the fantastic white paper from Microsoft, Code Signing Best Practices. There you’ll learn all the ins and outs of code signing and the infrastructure necessary.