Code Signing Certificate Request

The procedure for getting a code signing certificate through InCommon differs from that for SSL website certificates. A code signing certificate isn't tied to a specific hostname; it identifies the organization that is accountable for the legitimacy of the code being signed. The certificate can be re-used multiple times, so it is important that it is protected at all times and doesn't get into the wrong hands.

 

  1. See Code Signing End-User Guide
  2. Submit a request to the OIT Security team with the following information:
    1. Purpose of the code signing certificate
    2. Email address that the certificate is registered to, and where the invitation email is sent. Usually this should be a group/alias email address rather than an individual's.
    3. Full name of group or person requesting the certificate.
    4. Optional contact email address if you want it to show in the certificate.
    5. Term (1, 2, or 3 years)
  3. Security team will submit the request to InCommon which will generate an enrollment invitation email to the requester.
  4. Requester visits the validation link. In the browser, the requester validates the email address and completes the online form. The browser generates the private key and CSR, then uploads the CSR.
    1. As of October 2020, Internet Explorer is the only browser known to work with this process.
    2. Yes, really.
  5. The certificate request is sent to InCommon CA servers by Certificate Manager.
  6. If the application is successful, Certificate Manager sends an email with a download link to the end-user, enabling them to download the certificate.
    1. Be sure to download from the same browser, on the same computer, as used in #4.
  7. The resulting file has a nonsensical name and no file extension. Save it to the local computer.
  8. The file is a PKCS7 (.p7b) file, in DER format.
  • To import this file into Windows, give it a proper file extension. (.cer, .p7b)  Use the Certificate Import Wizard to import it into the user's (or computer's) certificate store.
    • Internet Explorer -> Internet Options -> Content -> Certificates -> [IMPORT]
    • certmgr -> Personal -> (right-click on Certificates folder) -> All Tasks -> Import…
  • To list the certificates in the file (subject and issuer) with OpenSSL: openssl pkcs7 -in /path/to/file -inform DER -print_certs -noout
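
The checks behind steps 7 and 8, as an added example that is not part of the original procedure: it confirms the download is DER-encoded PKCS7, copies it to a .p7b name for the Windows import, and reports whether any certificate in it carries the Code Signing extended key usage. The function name inspect_p7b is hypothetical, and the script assumes the openssl command-line tool (1.1.1 or later, for -ext) is installed.

```shell
#!/bin/sh
# Added example (not from the original page): check the extensionless
# Certificate Manager download before importing it on Windows.
# Assumes the openssl CLI is on PATH; inspect_p7b is a hypothetical helper name.

# inspect_p7b FILE
#   returns 0 if FILE is a DER PKCS#7 bundle containing a certificate with the
#   Code Signing extended key usage; 1 if it is not DER PKCS#7; 2 if no
#   certificate in the bundle is usable for code signing.
inspect_p7b() {
    src=$1
    # Step 8 says the download is PKCS#7 in DER form; fail early if it is not.
    if ! openssl pkcs7 -in "$src" -inform DER -noout 2>/dev/null; then
        echo "not a DER-encoded PKCS#7 file: $src" >&2
        return 1
    fi
    # Keep the original and make a copy with an extension Windows recognises.
    cp "$src" "$src.p7b"

    # Split the bundle into one PEM file per certificate.
    tmp=$(mktemp -d) || return 1
    openssl pkcs7 -in "$src" -inform DER -print_certs |
        awk -v d="$tmp" '
            /-----BEGIN CERTIFICATE-----/ { n++; on = 1 }
            on { print > (d "/cert" n ".pem") }
            /-----END CERTIFICATE-----/ { on = 0 }'

    rc=2
    for c in "$tmp"/cert*.pem; do
        [ -f "$c" ] || continue
        # Show who the certificate names, who issued it, and when it expires.
        openssl x509 -in "$c" -noout -subject -issuer -enddate
        # Read the extended key usage extension itself, not the subject text.
        if openssl x509 -in "$c" -noout -ext extendedKeyUsage 2>/dev/null |
            grep -q 'Code Signing'; then
            echo "  -> usable for code signing"
            rc=0
        fi
    done
    rm -rf "$tmp"
    return $rc
}

# Stand-alone use: sh inspect_p7b.sh /path/to/file
if [ "$#" -gt 0 ]; then
    inspect_p7b "$1"
fi
```

The downloaded file holds certificates only; the private key stays in the browser's certificate store on the computer used in step 4.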

Note: InCommon does not currently support EV code signing certificates.