What happens when a code signing certificate expires?

Rob picture Rob · Nov 30, 2008 · Viewed 59.8k times · Source

I am considering purchasing a code signing certificate from VeriSign or Thawte to sign an XBAP with. My question is this: What happens when that certificate expires? $299 and $599 are pretty hefty prices for 1-year/2-year cerificates, and if I have to deliver a newly signed build to my customers whenever my certificate expires, then I'll just deal with the hassle of creating my own certificate for now.

What I don't like about creating my own certificate is the difficulty in distributing it to all of the client machines that will be using my XBAP. My application will only ever be used on a LAN, so I suppose I could always use Windows Installer to install my home brewed certificate (although I'm unsure on how to do this - anyone have any ideas?).

This wouldn't really be a problem if I was delivering a partial trust application - but my application needs Web permissions, since it will be talking to WCF services, so it is in that grey area between partial trust and full trust, and without a certificate, I get that fun ole Trust Not Granted message when I try to load my XBAP.

Any ideas?

Answer

Martin Vobr picture Martin Vobr · Aug 7, 2010

If you timestamp your code while the certificate is valid the effect is that your expired certificates are good.

From Thawte Code Signing Certificate FAQs:

How long can I use a Code Signing Certificate for?

  • Code Signing Certificates are valid for 1 or 2 years depending on which life cycle you choose when you purchase the certificate. Please note: For Microsoft® Authenticode® (Multi-Purpose), you should also timestamp your signed code to avoid your code expiring when your certificate expires.

Is timestamped code valid after a Code Signing Certificate expires?

  • Microsoft® Authenticode® (Multi-Purpose) allows you to timestamp your signed code. Timestamping ensures that code will not expire when the certificate expires because the browser validates the timestamp. The timestamping service is provided courtesy of VeriSign. If you use the timestamping service when signing code, a hash of your code is sent to VeriSign’s server to record a timestamp for your code. A user’s software can distinguish between code signed with an expired certificate that should not be trusted and code that was signed with a Certificate that was valid at the time the code was signed but which has subsequently expired.