Can a site certificate be used to sign software?

  • Hello All,

    There are two questions:

    1. Can software be signed by a certificate other than a code signing certificate, e.g. a site or personal certificate?

    2. If yes, then how will Microsoft Authenticode react if that software is executed?

    Regards,
    Gurmit
    Thursday, September 10, 2009 12:08 PM

All replies

  • Hi,

    In order for a certificate to be usable for code signing, its Key Usage extension must contain Digital Signature, and if the Enhanced Key Usage extension is present, it must contain Code Signing (1.3.6.1.5.5.7.3.3).

    SSL Server certificates and S/MIME personal certificates do contain the Enhanced Key Usage extension, but they specify roles other than Code Signing. So, you can't use them for signing your software.
    Moreover, if you use Microsoft Authenticode, the signing wizard will not select an SSL or S/MIME certificate: it will only let you choose between certificates that explicitly provide an Enhanced Key Usage for Code Signing or certificates that don't provide an Enhanced Key Usage but have a Digital Signature Key Usage.

    Thus, if you need to deploy signed content, you must purchase a dedicated Code Signing certificate.

    Cheers,
    --
    Mounir IDRASSI
    IDRIX
    http://www.idrix.fr
    • Proposed as answer by Mounir IDRASSI Thursday, September 10, 2009 10:56 PM
    • Marked as answer by Gurmit Teotia Wednesday, September 16, 2009 4:57 AM
    Thursday, September 10, 2009 10:20 PM
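    The rule given in the answer above (Key Usage must carry Digital Signature; if an Enhanced Key Usage is present it must include Code Signing, 1.3.6.1.5.5.7.3.3) can be checked mechanically before a certificate is ever handed to a signing tool. The Python below is an added example, not code from this thread, from IDRIX or from Microsoft: it walks the extensions of a DER-encoded certificate with a minimal stdlib-only parser and applies exactly that rule. The `skeleton_cert` builder is a constructed stand-in that reproduces the RFC 5280 Certificate/TBSCertificate tag layout with placeholder fields and no real signature, so the checker can be exercised offline; all function names are my own.

```python
# Extension OIDs (RFC 5280) and the id-kp purposes named in the answer.
KU_OID, EKU_OID = "2.5.29.15", "2.5.29.37"
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"        # usual EKU of an SSL server certificate
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"   # usual EKU of an S/MIME personal certificate
DIGITAL_SIGNATURE = 0x80                 # Key Usage bit 0 = MSB of the first BIT STRING byte


def tlv(data, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                    # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def children(body):
    """Yield (tag, value) for every element inside a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, value, pos = tlv(body, pos)
        yield tag, value


def decode_oid(body):
    """Decode the body of an OBJECT IDENTIFIER into dotted form."""
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                 # last byte of this arc
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))


def extensions(cert_der):
    """Map extension OID -> extnValue bytes from a DER Certificate."""
    _, cert, _ = tlv(cert_der, 0)        # Certificate ::= SEQUENCE
    _, tbs, _ = tlv(cert, 0)             # tbsCertificate ::= SEQUENCE
    for tag, value in children(tbs):
        if tag == 0xA3:                  # [3] EXPLICIT Extensions
            _, ext_list, _ = tlv(value, 0)
            result = {}
            for _, ext in children(ext_list):
                fields = list(children(ext))     # extnID, [critical], extnValue
                result[decode_oid(fields[0][1])] = fields[-1][1]
            return result
    return {}


def has_digital_signature(ku_value):
    """True if the Key Usage BIT STRING has digitalSignature set."""
    _, bits, _ = tlv(ku_value, 0)        # bits[0] is the unused-bit count
    return len(bits) > 1 and bool(bits[1] & DIGITAL_SIGNATURE)


def eku_oids(eku_value):
    """List the purposes in an Extended Key Usage SEQUENCE OF OID."""
    _, seq, _ = tlv(eku_value, 0)
    return [decode_oid(v) for _, v in children(seq)]


def code_signing_eligible(cert_der):
    """The rule from the answer: KU must carry digitalSignature, and an EKU,
    if present, must list id-kp-codeSigning."""
    exts = extensions(cert_der)
    if KU_OID not in exts or not has_digital_signature(exts[KU_OID]):
        return False
    return EKU_OID not in exts or CODE_SIGNING in eku_oids(exts[EKU_OID])


# --- CONSTRUCTED test input: skeleton certificates, not real or valid ones ---
def der(tag, body):
    """Encode one DER TLV (short or two-byte long-form length)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    return bytes([tag, 0x82]) + len(body).to_bytes(2, "big") + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:                       # base-128 continuation bytes
            chunk, arc = [0x80 | (arc & 0x7F)] + chunk, arc >> 7
        out += chunk
    return der(0x06, bytes(out))


def skeleton_cert(ku_bits, eku=None):
    """RFC 5280 tag layout with placeholder names/key/signature (constructed)."""
    exts = der(0x30, encode_oid(KU_OID) + der(0x04, der(0x03, bytes([0, ku_bits]))))
    if eku is not None:
        exts += der(0x30, encode_oid(EKU_OID)
                    + der(0x04, der(0x30, b"".join(encode_oid(o) for o in eku))))
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")   # version v3, serial
           + der(0x30, b"") * 5          # sigAlg, issuer, validity, subject, SPKI placeholders
           + der(0xA3, der(0x30, exts)))
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))


if __name__ == "__main__":
    for label, cert in {"code signing": skeleton_cert(0x80, [CODE_SIGNING]),
                        "SSL server": skeleton_cert(0xA0, [SERVER_AUTH]),
                        "S/MIME": skeleton_cert(0xE0, [EMAIL_PROTECTION]),
                        "KU only, no EKU": skeleton_cert(0x80)}.items():
        print(f"{label}: eligible={code_signing_eligible(cert)}")
```

    To run the check against a real certificate, pass its DER bytes (`open(path, "rb").read()`; for a PEM file, base64-decode the text between the BEGIN and END lines first). The checker only inspects the leaf certificate's own extensions: it says nothing about chain validity, revocation or timestamping, which a verifier such as Authenticode evaluates in addition to the purpose rule discussed here.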

  • Thank you for your response, Mounir.

    I've another related question. Can a CA issue a certificate for more than one purpose (server identity and code signing)? If yes, is it going to have any cost impact? If no, will it be because of some technical limitation or some certificate/CA policies?


    Regards,
    Gurmit


    Friday, September 11, 2009 4:49 AM
  • Hi,

    Technically, a CA can issue certificates for any purpose unless there is an explicit policy that restricts its issuance scope (for example, if it's a sub-CA and its parent CA specifies that it will only be used to issue SSL certificates).

    What do you mean by the cost impact? Can you explain the context for your question?

    Cheers,
    --
    Mounir IDRASSI
    IDRIX
    http://www.idrix.fr
    Saturday, September 12, 2009 1:54 PM

  • Thank you for your response.

    So a CA (e.g. Verisign) can issue a certificate that can be used for server identification and code signing, correct?

    Regarding cost, my question was whether a dual-purpose certificate (server identity and code signing) is going to cost the same as either a "server identity" certificate or a "code signing" certificate, OR is it going to cost the sum of the costs of both?

    Regards,
    Gurmit
    Monday, September 14, 2009 5:26 AM
  • Hi,

    To my knowledge, there is no commercial CA that issues a certificate with two or more purposes (like code signing and server authentication at the same time), even if it's technically possible (they may have their commercial reasons).
    All known CAs oblige you to purchase separate certificates for distinct roles. So, I'm confident to say that you cannot purchase a dual-purpose certificate from well-known CAs. Thus, the cost question is irrelevant in this context.

    Cheers,
    --
    Mounir IDRASSI
    IDRIX
    http://www.idrix.fr

    • Proposed as answer by Mounir IDRASSI Tuesday, September 15, 2009 5:04 PM
    • Marked as answer by Gurmit Teotia Wednesday, September 16, 2009 4:57 AM
    Tuesday, September 15, 2009 5:04 PM