Is your code secure?
With the advent of online distribution, developing and disseminating functional
code is easier than ever. However, such an environment also subjects code and software
to potential dangers presented by fraudulent and malicious code. Don’t expose your
customers to these threats. With a Thawte® Code Signing Certificate
you can protect your customers and provide them with the safe, trustworthy code
What is a Code Signing Certificate?
A Code Signing Certificate is a set of data that identifies an existing entity.
The certificate presents the entity’s public cryptographic key, allowing the public
user to verify the sender’s identity.
Code Signing Certificates frequently use digital signatures to verify the identity
of the content’s creator, as well as confirming that the content has not been tampered
with since it was originally distributed. With the rapid growth of content distribution
thanks to the Internet, code signing is absolutely critical for securing the delivery
of content to the consumer. Code Signing Certificates with digital signatures allow
publishers to sign .exe, .cab, .dll, and .ocx files; Java Applets and MIDlets; Microsoft®
Office documents with macros; and Apple desktop applications.
The Distribution Process for Code Signing Certificates:
The primary goal of a Code Signing Certificate is to confirm that the public key contained
in a certificate is, in fact, the public key belonging to the person or entity to
whom the certificate is issued.
The implementation of digital certification involves a signature algorithm (digital
signature) for signing the certificate.
- The client sends a certification request containing name and public key to a certification
authority. As an SSL reseller, sslrenewals.com represents 4 different certification
authorities: Symantec, Thawte, GeoTrust, and RapidSSL. For the purposes of this
Code Signing Certificate, sslrenewals.com represents Thawte.
- Thawte creates a special message per the software publisher’s request, which
constitutes most of the data in the certificate. Thawte signs the message with its
private key, obtaining a separate signature (sig) in the process. Then Thawte returns
the message and the signature to the software publisher. Together, these two parts
form the certificate.
- The software publisher then sends the certificate to an end user to convey trust
in the public key.
- The end user verifies the signature sig using Thawte’s public key. If
the signature is verified, he accepts the software publisher's public key.
As with any digital signature, anyone can verify, at any time, that the certificate
was signed by Thawte, without access to any secret information. The end user needs
only to get a copy of a certificate in order to access the certificate authority’s
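The four steps above, carried through to the check of a signed file, as an added example that is not part of the original page and is not Thawte's implementation. It uses textbook RSA over small constructed keys with no padding; the certificate layout, function names and sample data are assumptions made for illustration.

```python
import hashlib

def make_key(p, q, e=65537):
    """Textbook RSA key pair from two primes (toy size, no padding)."""
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, key):
    """Sign with the private exponent d."""
    return pow(digest(data, key["n"]), key["d"], key["n"])

def verify(data, sig, n, e):
    """Check a signature using only the public values (n, e)."""
    return pow(sig, e, n) == digest(data, n)

# Constructed keys built from Mersenne primes; real keys are far larger.
CA_KEY = make_key(2**127 - 1, 2**61 - 1)
PUBLISHER_KEY = make_key(2**89 - 1, 2**107 - 1)

def certification_request(name, key):
    """Step 1: the request carries the name and public key, never d."""
    return {"name": name, "n": key["n"], "e": key["e"]}

def issue_certificate(request, ca_key):
    """Step 2: the CA builds the message and signs it with its private key."""
    message = "subject={name};n={n};e={e}".format(**request).encode()
    return {"message": message, "sig": sign(message, ca_key)}

def accept_publisher_key(cert, ca_n, ca_e):
    """Step 4: verify sig with the CA public key, then trust the embedded key."""
    if not verify(cert["message"], cert["sig"], ca_n, ca_e):
        return None
    fields = dict(f.split("=", 1) for f in cert["message"].decode().split(";"))
    return int(fields["n"]), int(fields["e"])

def verify_signed_code(code, code_sig, cert, ca_n, ca_e):
    """Accept code only if the certificate and the code signature both verify."""
    key = accept_publisher_key(cert, ca_n, ca_e)
    return key is not None and verify(code, code_sig, *key)

# Step 3: the publisher ships code, its signature and the certificate together.
CERT = issue_certificate(certification_request("Example Publisher", PUBLISHER_KEY), CA_KEY)
CODE = b"constructed installer bytes"
CODE_SIG = sign(CODE, PUBLISHER_KEY)
```

Changing a single byte of `CODE` or of the certificate message makes `verify_signed_code` return `False`, and the check needs only the CA's public values.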
Who needs a Thawte® Code Signing Certificate from
It is absolutely necessary for any publisher intending to distribute code or content
over the Internet or corporate networks to use a Code Signing Certificate. Secure
customers are happy customers. Code Signing Certificates allow businesses and software
publishers to assure their customers about who produced the content and that it
has not been tampered with since its initial distribution. Newer operating systems
and Internet browsers are often set to higher security levels, which often require
signed content. Software publishers who do not use a Thawte®
Signing Certificate simply won’t be taken seriously in today’s environment.
Obtaining Certification from Thawte and other Certificate Authorities:
To obtain a certificate from Thawte and other certificate authorities represented
by sslrenewals.com, a software publisher must meet the criteria for either a commercial
or an individual publishing certificate and submit these credentials to either a
CA or a local registration authority (LRA). The criteria discussed below have been
proposed by Microsoft. Note that standards bodies, such as the World Wide Web Consortium
(W3C), are reviewing these criteria and they are subject to change. A description
of the overall process of obtaining a certificate for code signing ends this section
of the document.
In order to acquire a Commercial software publishing certificate, applicants must
meet the following prerequisites:
- Identification - Applicants must submit their name, address, and other material
that proves their identity as corporate representatives. Proof of identity requires
either personal presence or registered credentials.
- The Pledge - Applicants must pledge that they will not distribute software that
they know, or should have known, contains viruses or would otherwise harm a user's
computer or code.
The following prerequisites must be met for an individual requesting software publishing
- Identification – Applicants must submit their name, address, and other material that
will be checked against an independent consumer database to validate their credentials.
- The Pledge – Applicants must pledge that they cannot and will not distribute
software that they know, or should have known, contains viruses or would otherwise
maliciously harm the user’s computer or code.
The value of an individual SPC is in the information it provides to users so they
can decide whether or not to download the code. Knowing who authored the code, and
that the bits have not been altered from the time the code was signed to the present,
is reassuring information. Additionally, a browser could be used to access a publisher's
Web pages so the user can obtain detailed information about the signed code, the
author, and the certificate authority. After learning about this code and the author,
the user might decide to run the code, or all future code, coming from this particular
Additional Information About Thawte® Code Signing Certificates:
- Thawte does not certify the content of a software publisher’s code. Code signing
certificates are only used to verify the publisher who signed the content and that
the content has not been altered or corrupted.
- It is of critical importance that you time stamp your code when signing it. Time
stamping ensures that signed code will not expire when the code signing certificate
expires. Signed code which has been time stamped is valid, even after the code signing
certificate has expired. A new certificate is only necessary if you want to sign
additional code. If you did not use the time stamping option during the signing,
you must re-sign your code whenever the code signing certificate changes due to
re-keying or renewal.
- In order to verify whether or not a file has been time stamped, follow these directions:
- Software publishers should ensure that their customers have the latest Microsoft
roots. For Windows XP, everything is automatic. For older versions of the Windows
operating system, it is highly recommended that the latest root update is installed.
Good security policy dictates that your root certificate store should have the most
current root certificate references from all trusted certification authorities,
thereby providing the widest capability to recognize trusted content.
Get in touch with The SSL Renewals about purchasing the secure, reliable Thawte® Code Signing Certificate
The New Warranty Limits
Symantec has recently extended the warranty limits for many SSL products (including
Thawte® and GeoTrust® brands) which, in some cases offer a distinct advantage
over the competition. Symantec SSL Certificates now include up to $1,500,000 of
New warranty limits for NetSure Certificates are as follows and coverage applies
Certificates issued on or after July 30, 2011.
Thawte Code Signing Certificate warranty is USD $50,000