Noob's guide to getting a Code Signing Certificate.

I've just completed my first code-signed Windows App, Style for Windows, and found the process to be a bit of a nightmare for the uninitiated.

In many cases I found it was presumed that you already have a certificate, but no one told me what I actually needed to do to get to this point - so this is a write-up on how to become eligible for a certificate and get one onto your computer.

I won't be covering how to actually use the cert as this is usually specific to your needs and there are many tutorials online already that address this.

Assumptions

I'll assume that you know why you need a cert (some good reading about certificates and terminology here), you have registered your business and have built or are building an App that you're ready to unleash upon the unsuspecting masses.

Step 1: List your business in globally recognised indexes

This is the step that I wish I had focused on earlier but didn't realise how long it would actually take. It took me about a month and a bit to fit all the pieces together, so ideally you would want to start this process long before your software is finished. Naturally I assume you're only reading this at the point you actually need it - so you're going to need to grit your teeth, pick up the phone and practice the art of Zen.

Sign up for and list your business on the following services:

I think you only need two of these - however I think since you're doing this already, just do the lot and be done with it so you're set up for the future.

Step 2: Choose a certificate type and provider

Ok so while step one registrations are in and taking forever, you can now do some research into what kind of cert you want to get and from whom.

Certificate Types:

Cert Types for Code signing really only come in two flavours for digital software:

Providers:

Lots of companies provide code signing certs and to some extent, the end product is the same regardless of who you pick - so it really just comes down to how much support you want and how "trustworthy" you need to appear.

I can tell you from my own experience that buying a super cheap cert from Comodo is "fine", but the process can be really painful and the "help desk" is severely lacking/straight up confusing. Whereas the process of buying one from Digicert is really easy and the helpdesk is excellent. They also don't charge you until the end of the process unlike my Comodo trial by fire. If you're going for a bargain and buying via a third party - normal third-party wariness should apply (A refund? Communication? Service? What is that? etc).

I can't vouch for the rest, but I would recommend not hitting the very cheapest (*cough* Comodo) if this is your first time. Here are some of the major players to start you on this journey (lots of good info and a wide range of prices):

And many more... just search for them :)

Step 3: Provider Requirements

You're not out of the woods yet, your provider is going to need more urine samples and fingerprints to check you are who you say you are - so get the following data ready:

NOTE: I have only ever bought Code Signing Certificates, not EV certs. But I believe more might be required for one. Your provider should tell you what these are however.

Step 4: Download and install your shiny new Certificate

Ok, you have made it through and you should have an email from your provider saying congrats, click here to get your certificate. This will most likely just be a link to their website which will generate a cert for you.

Follow their instructions provided but in essence you will be:

  1. Generating the cert on the provider's website
  2. Installing it into a browser
    • Make sure it's on your dev machine, in the right OS
  3. Saving the cert to your desktop.
    • There are a few different file types you can use which will be defined by the use you want to put it to and which programs you're using. So look this up first. Lots of tutorials / stack overflows on all this.
  4. Signing your application code with it
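
A quick check before moving on to signing, as an added example that is not part of the original post: it lists the code signing certificates in the Windows user store, flags any that cannot sign (no private key, expired, or not chaining to a trusted root), and exports a usable one to a password-protected PFX. It assumes the provider's browser flow put the cert in the current user's Personal store; the output file name is hypothetical.

```powershell
# Added example. Assumption: the certificate landed in Cert:\CurrentUser\My
# (browsers with their own certificate store will not put it here).
$pfxPath = Join-Path $env:USERPROFILE 'Desktop\codesign-backup.pfx'   # hypothetical name

# -CodeSigningCert returns only certificates valid for the Code Signing usage.
$certs = @(Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert)
if ($certs.Count -eq 0) {
    throw 'No code signing certificate found in Cert:\CurrentUser\My'
}

$report = foreach ($c in $certs) {
    [pscustomobject]@{
        Subject       = $c.Subject
        Issuer        = $c.Issuer
        Thumbprint    = $c.Thumbprint
        NotAfter      = $c.NotAfter
        # Without the private key the cert can identify you but cannot sign.
        HasPrivateKey = $c.HasPrivateKey
        Expired       = $c.NotAfter -lt (Get-Date)
        # Basic chain validation against the machine's trusted roots.
        ChainValid    = $c.Verify()
        Cert          = $c
    }
}
$report | Format-List Subject, Issuer, Thumbprint, NotAfter, HasPrivateKey, Expired, ChainValid

# Keep only certificates that can actually be used for signing.
$usable = @($report | Where-Object { $_.HasPrivateKey -and -not $_.Expired -and $_.ChainValid })
if ($usable.Count -eq 0) {
    throw 'A certificate is installed but none is usable for signing (see the report above).'
}

# Export the one that expires last. This fails if the provider marked the
# private key as non-exportable; in that case sign from the store instead.
$best     = ($usable | Sort-Object NotAfter -Descending | Select-Object -First 1).Cert
$password = Read-Host -AsSecureString -Prompt 'Password to protect the PFX'
Export-PfxCertificate -Cert $best -FilePath $pfxPath -Password $password | Out-Null
Write-Host "Exported $($best.Thumbprint) to $pfxPath"
```

The PFX contains the private key, so store it and its password separately and keep it out of source control and shared folders.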

Wrap up

So you made and hopefully installed your cert into your application. Here are a few things that I ran into once I had signed my App:

Best of luck!
W.