RaelB

Code signing certificates have become so expensive...

I had a terrible experience with Certum - I bought a sim and card reader from them for testing Signotaur - however I didn't purchase a certificate - I can test with self signed certificates - however they refused to provide the pin to the card because I didn't purchase a certificate - rendering it completely useless. I do not recommend them at all. 

  • Like 1
  • Thanks 2

9 hours ago, Anders Melander said:

But how do they then get the certificate onto my token if I already have a token?

@Angus Robertson answered that question - using a certificate signing request - like we used to do for SSL certs before LetsEncrypt came along. Whether it is the same certificate (i.e. with the same thumbprint) or not I am unsure.


 

9 hours ago, Vincent Parrett said:

I had a terrible experience with Certum - I bought a sim and card reader from them for testing Signotaur - however I didn't purchase a certificate - I can test with self signed certificates - however they refused to provide the pin to the card because I didn't purchase a certificate - rendering it completely useless. I do not recommend them at all. 

Strange, the SIM I received didn't have a PIN, I had to set one with their software.

2 hours ago, Patrick PREMARTIN said:

Strange, the SIM I received didn't have a PIN, I had to set one with their software.

Mine didn't have a PIN, but when I try to set a PIN it asks for the PUK - which I do not have and they will not provide. Each email to their support results in 2 emails - an auto responder and a canned response telling me to login to my account - all pointless since there are no certs in my account and no PUK available. Wasted $200 for nothing.

2 hours ago, Patrick PREMARTIN said:

Strange, the SIM I received didn't have a PIN, I had to set one with their software.

But this means that you can use the SIM without a PIN? Of course, not maximum security, but certainly a minimal annoyance.

I'll have the "kit" this evening and tomorrow I'll see the various options for playing with it.

Edited by DelphiUdIT

33 minutes ago, DelphiUdIT said:

But this means that you can use the SIM without a PIN? Of course, not maximum security, but certainly a minimal annoyance.

I don't know about the SIM itself, but the software needs one and asks for it before doing anything with a certificate.

17 hours ago, Vincent Parrett said:

I had a terrible experience with Certum - I bought a sim and card reader from them for testing Signotaur - however I didn't purchase a certificate - I can test with self signed certificates - however they refused to provide the pin to the card because I didn't purchase a certificate - rendering it completely useless. I do not recommend them at all. 

This is a link for software to initialize the sim card: https://support.certum.eu/en/cert-offer-card-manager/

 

According to this:

[image]

I will do it now with my new set ...

EDIT: I can confirm that the SIM card can be initialized with the software (link provided above) and you can SET your free fantasy PIN and PUK.

Edited by DelphiUdIT
  • Like 4

I finally received the EV certificate.
It was an exhausting journey, where every day the certification body (Certum) asked me for a document, a clarification or something else.
Having to follow the complete path (I had never purchased any certificate from them) they rightly verified everything and even more than everything.

The installation of the certificate (keys and certificate itself) on the hardware key was done through their control panel via browser in two stages.

Everything worked the first time and the cost was in line with that of direct competitors (at least for the three-year solution).

The hardware key is seen directly through the "storage" of Windows certificates and so the certificate is visible and usable by any application.

In the RAD Studio IDE I inserted a new Tool (under the "Tools" menu) that allows me to immediately sign the executable file (or DLL) compiled from the project.

Now the second step is to verify with Microsoft the pairing for signing the drivers.

  • Thanks 3

I decided to purchase a 3yr OV certificate from SSL.com and load it onto a Yubikey token to be 100% sure they work with Signotaur (have tested with self signed certs before).

I had 2 tokens already and bought another one locally - SSL.com are overcharging a lot for them (USD$297 vs USD$106 locally). You need the FIPS versions (e.g. 5C FIPS) for code signing. Note that by default on the order page, they add their cloud service to the price - make sure to de-select that!

You do have to go through the process of generating a Certificate Signing Request and then exporting the attestation certificate and intermediate from the token to upload to their portal. This is quite well documented and pretty easy to follow. Their web portal is pretty horrible (tiny text and links - even with my glasses on).

I had some issues initially - the first time they generated an RSA cert instead of an ECDSA (Yubikey only supports 2048-bit RSA, code signing needs at least 3072-bit) - contacted support and then went through the attestation process again, eventually got an ECDSA cert - but that did not work either - signtool sign said success but verify said failed.

Important - I discovered that if you change the Yubikey PIN/PUK/management PIN after doing the attestation and before importing the cert, that will cause it to fail (doh!) - so had to go through the process again. It only takes a few minutes on your end, then an email to support for them to generate the cert again - and then you download and import the certificate onto the token.

Remember to unplug and plug the token in again after importing (this triggers the import of the public key into the Windows certificate store). Third time lucky, everything works fine.

Note that to use Yubikeys with signtool - you need to have the MiniDriver installed (you will get the smartcard PIN prompt when calling signtool) - you don't need the MiniDriver with Signotaur - you just need the PIV Tool (which has the PKCS#11 driver).

I then enquired about backup tokens, and was told to delete the attestation on their portal and redo it for the backup token. So over the course of a few days and some back and forth (timezones make everything slow down under) - I now have 3 Yubikey tokens with my certificate installed. This gives me a lot of comfort as I have a backup in case of hardware failure or theft - I have a Nano token which I can deploy in the data center where our servers live - much less likely to be stolen than the SafeNet token (which has a bright blue LED that screams "take me").

Also thanks to @DelphiUdIT we have now confirmed that Signotaur also works fine with Certum tokens.

Edited by Vincent Parrett
typo
  • Like 5
  • Thanks 1
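The CSR step that Angus and Vincent both mention above, as an added example that is not code from the thread or from any vendor named in it. With the tokens discussed here the private key is generated on the device and the vendor's tool produces the request; this script shows the same step with a software key, using the openssl CLI, so the checks can be run anywhere: it creates an ECDSA key and a CSR, inspects the public key in a CSR against the minimums Vincent ran into (ECDSA, or RSA of at least 3072 bits), and confirms the CSR's self-signature. Every path, subject field and key size is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Generates a key pair and a CSR the way a
# developer does before uploading the request to a CA portal, then checks the
# key in the CSR against the minimums discussed above (ECDSA, or RSA of at
# least 3072 bits). Requires the openssl CLI; every path and subject here is a
# constructed placeholder.

WORK=$(mktemp -d)

# Generate a P-384 ECDSA private key. In the thread, ECDSA was the way around a
# token that only offered 2048-bit RSA.
gen_ec_key() {
  openssl ecparam -name secp384r1 -genkey -noout -out "$1" 2>/dev/null
}

# Generate an RSA private key of the requested size (used below to show a
# key the check rejects).
gen_rsa_key() {
  openssl genrsa -out "$1" "$2" 2>/dev/null
}

# Create a CSR signed with the given key. The subject is a placeholder; a
# real request carries the organisation the CA is going to validate.
make_csr() {
  openssl req -new -key "$1" -out "$2" \
    -subj "/C=US/O=Example Org/CN=Example Org Code Signing" 2>/dev/null
}

# Inspect a CSR and print "ok" if its public key meets the minimum, "weak" if
# it does not (RSA under 3072 bits), is unreadable, or uses another algorithm.
check_csr_key() {
  txt=$(openssl req -in "$1" -noout -text 2>/dev/null || true)
  if echo "$txt" | grep -q 'Public Key Algorithm: rsaEncryption'; then
    # Works for both "RSA Public-Key: (2048 bit)" and "Public-Key: (2048 bit)".
    bits=$(echo "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if [ "${bits:-0}" -ge 3072 ]; then echo ok; else echo weak; fi
  elif echo "$txt" | grep -q 'Public Key Algorithm: id-ecPublicKey'; then
    echo ok
  else
    echo weak
  fi
}

# Confirm the CSR's self-signature is valid, i.e. it was produced by the key
# that matches the embedded public key. Exit status 0 on success.
verify_csr() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Demo run: build an ECDSA CSR and a 2048-bit RSA CSR and report on each.
gen_ec_key "$WORK/ec.key"
make_csr "$WORK/ec.key" "$WORK/ec.csr"
gen_rsa_key "$WORK/rsa2048.key" 2048
make_csr "$WORK/rsa2048.key" "$WORK/rsa2048.csr"
echo "ecdsa P-384 CSR: $(check_csr_key "$WORK/ec.csr")"      # ok
echo "rsa 2048 CSR:    $(check_csr_key "$WORK/rsa2048.csr")" # weak
```

The check only reads the request's public key; it says nothing about whether the key lives on a token, which is what the attestation certificate Vincent exports is for. Running it against a CSR before uploading it catches the 2048-bit RSA case early, which saves a round trip with the CA's support.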


I renewed my Sectigo code signing certificate last Saturday, submitted documents on Monday, which the web site said were rejected, yet the order was approved and shipped Tuesday morning via UPS, and arrived Thursday, quite impressed.

Although the Sectigo London office is a few miles away, the token was shipped from Sectigo's Lille office in France to London, with an invoice valuing the 'electronic document' at $10 so no customs duty to pay. Perhaps Sectigo has an arrangement with Thales (a large French company) who sell the SafeNet tokens to provision them as well.

Plugged the token into my PC, and the new certificate appears in the Windows Store, as reported by the ICS Delphi PemTool.

All much less painful than I was expecting, except the massive cost increase over electronic certificates, and no invoice yet from K Software.

Angus

  • Like 1
