Steps to Generate a Certificate Signing Request for a Code Signing Using a Web Browser

A quick stepwise guide on creating a CSR for your code signing certificate using a web browser on Windows

Most of us have encountered an “Unknown Publisher” warning more than once in our lives while attempting to download and run software on our systems. However, you’ll note that these security warnings are not displayed for reputed developers or widely recognized organizations. A code signing certificate is particularly useful for new developers or organizations that haven’t yet built a strong brand reputation. After you purchase any digital certificate, a certificate signing request (CSR) must be filled in by the applicant and submitted to the issuing certificate authority (CA). For a code signing certificate as well, the developer or the organization must generate a CSR that’ll contain information about the applicant or the applicant’s organization.

What Is Code Signing Certificate? How Does It Work?

Code signing is the process of adding a digital signature to a program, verify its author, and ensure that the code has not been altered or corrupted since it was last signed. Software developers use code signing certificates to digitally sign applications, drivers, configuration files, and so on. This enables end-users to ascertain that the code they are executing has not been tampered with by an attacker or third-party. The application includes the signature, the name of the organization, the algorithm applied, and if used then a timestamp.

The way code signing works is that the programmer on receiving the certificate from a trusted CA will –

• Generate a one-way hash of the application, and
• Encrypt it using the private keys shared by the CA.

The private key is known only to the applicant and must be stored securely. The hash along with the certificate and the executable file is then shipped to the customers.

The users on receiving this bundle decrypt the hash using the public key. They also create a new hash of the downloaded file and then compare the two. If the two hashes match, it indicates that the file has not been modified since it was last signed by the developer.

6 Simple Steps to Create a Certificate Signing Request

Signing your applications is a fairly simple process and is highly beneficial for your organization’s reputation because it creates a greater sense of trust in your brand and associated products. Since end-users can now trust that the application was published by a verified publisher and does not contain malware, it is likely to drive up downloads considerably.

On creating a certificate signing request, an encoded message detailing specific information about the requestor is submitted to the certificate authority containing key data such as:

• The publisher name (also known as the common name) for your certificate,
• The public key of your certificate,
• An email address associated with the certificate, etc.

Once you’ve purchased a code signing certificate from the certificate authority of your choice, follow the steps below to generate a certificate signing request (CSR).

Step 1: Open your browser of choice.

Begin by opening your selected web browser. We recommend using Firefox for this process since it facilitates CSR generation in a simple, secure, and prompt manner.

Step 2: Log in to your account

Enter the credentials you created while purchasing your certificate and login to your account on your code signing certificate provider's website.

Step 3: Locate the certificate you purchased

Find your recently purchased “Incomplete” code signing certificate.

Step 4: Generate a certificate

Click on the “Generate CertNow” option.

Step 5: Fill in the CSR form

Enter all the information required to generate and complete the CSR.

Step 6: Submit your request

Click on “Submit” to send your certificate request to your CA.

Next, the browser will generate a key pair that’ll be stored in the browser’s certificate manager folder. Save your order number and wait for your CA to complete the validation process. Once that’s done, they’ll issue your code signing certificate that you’ll need to install before you can begin signing applications.

Wrapping Up

Though there are several benefits to code signing, it is not without its failings. One of the greatest troubles to manage is when third-parties gain unauthorized access to private keys if they’re left lying around on server devices, or discoverable by other insecure storage means. Another cause for concern is that users with malicious intent may obtain a code signing certificate and distribute potentially dangerous software. However, since the validation process requires the mandatory submission of identity information, it is a less likely scenario. At the end of the day, code signing benefits both developers and end-users alike, and the advantages far outweigh the weaknesses that are easily manageable by using the technology responsibly.

Related Resources

• How to Renew A Code Signing Certificate - A Quick Guide
• Using of EV Code Signing Certificate - A Quick Guide
• What is The Cheapest Code Signing Certificate?
  
• How to Sign Java Files with Java Code Signing Certificate - Quick Guide
• Quick Steps to Export Code Signing Certificate in Firefox – A Detailed Guide
• A Step-By-Step Guide on How to Export Code Signing Certificate on Mac
• Advance Guide on Exporting Code Signing Certificate (Windows)