Fritzew

K-Software


I've just dug out the old K-Software "renewal" offer, appending it here just for info.

 

Quote

On 2017-08-17 we received order number XXX for a Code Signing Certificate for the name XXX 

This certificate will expire on 2021-08-17

Because code signing certificates have to be re-keyed every time and the expiration dates are encrypted into the certificate directly, there isn't a true renewal process for code signing like there are for some other types of SSL certificates. 

DON'T PANIC!  

Step 1 : Place a new order for an OV code signing certificate from our website : https://www.ksoftware.net/ - names, email addresses or postal addresses can be changed at that point. Use the coupon code XXX for a 10% discount on any term. To make the process as smooth as possible, we recommend  using 'real' IE -- that is the only browser that supports secure key generation these days (the certificate is in NO way tied to IE afterward, it is just the best tool to generate a key and CSR automatically). 

Step 2 : After the new order is in, open a ticket with the Sectigo team from https://codesigning.ksoftware.net/comticket and let them know that you had a previous code signing certificate, making sure you include both your old and new order numbers (the old order number is above). They'll reply back and ask if any additional information is needed. 

Step 3 : Sectigo will issue the new certificate directly to you via email, don't forget to collect on the same PC/Browser that you used in Step 1, then you can export to a PFX/P12 file with the instructions from here : http://codesigning.ksoftware.net/export 

Please feel free to reply to this email or give me a call if you have any questions or concerns.

--
- Mitchell Vincent
- K Software

 

  • Like 2


We've also used for the last 10 years certificates from Comodo(now Sectigo) through Tucows and then KSoftware.

But after reading this post, checking what's with KSoftware I saw the bad reviews on trustpilot for the last year and other blog posts.

 

So I began to search for a safe and better alternative, and found 2:  ssl.com (they have their own CA from what I understood) and ssl2buy.com (they use Sectigo CA and DIGICERT CA),

SSL.COM offers OV Code Signing Certificates for up to 10 years (but the certificate is for 3 years and you need to get verified again for each 3 year period) the price seems correct, not cheap.

I liked that they will offer the option to use your own FIPS YubiKey with their certificate after 1st June 2023.

 

The second option I found and decided to use is ssl2buy.com (they have good chat support and good reviews on trustpilot). I ordered the 3-year OV code certificate and hope to have it in 1-2 days (already in contact with Sectigo for callback).

I also got a good deal for 42.90$/year on the 3 year and for my first order an extra 10% so 116$ 🙂 really cheap. 

You can find the special deal on this page; it is valid till April 30th. On the Sectigo page they say they allow orders without the FIPS token till 24th Apr.

https://www.ssl2buy.com/cheap-code-signing-certificates-ads

Hope this helps others finding a reliable alternative to KSoftware.

 

P.S: After you place the order, they send an email where you generate the CSR code (doesn't matter which browser you use), make sure you save your private key.

Edited by astral2k5


If you use CI or automated builds, avoid using yubikeys as there is no way with the client software (built in windows smartkey client) to automate the code signing - you cannot get past the prompt for the certificate password. 

11 hours ago, Vincent Parrett said:

If you use CI or automated builds, avoid using yubikeys as there is no way with the client software (built in windows smartkey client) to automate the code signing - you cannot get past the prompt for the certificate password. 

Yes, that's why I decided to renew the OV certificate 8 months in advance, so I have another 3 years without a token 🙂

Edited by astral2k5


This will be such a pain in the **** - I also renewed early for 3 years to avoid it for now!


I also just renewed for 3 years this week.

If all goes correctly I will be getting a fourth year for free (including a usb-token) according to the latest offer from Sectigo.

 


Just had an email from Sectigo saying that K-Software ceased operations in October 2025. The web site seems to have disappeared.

 

Surprised it did not happen earlier, I never got an invoice for my last order 12 months ago, but the code signing dongle arrived safely and has another 12 months before expiry.  

 

Sectigo is offering a 25% discount for orders placed in the next month, using code KSOFTWARE25OFF, but that is still a lot more than I paid 12 months ago.

 

Angus

 


@Angus Robertson

Yes, you were a bit faster hitting send than me

Quote

As you may already know, our partner K-Software ceased operations in October 2025. To ensure there is no disruption to your security or upcoming renewals, Sectigo is proactively stepping in to provide you with direct, continued support. 

 

Please note that your existing certificates remain valid and fully supported. However, all future certificate renewals or new certificate requests will now be handled directly by Sectigo.

 

For assistance during this transition and to help manage your certificates, please click here for more information or connect with our certificate & security experts on the numbers below. Sectigo will honor the latest 2025 K-Software pricing published on their website, ensuring a seamless, and consistent experience moving forward.  

 

 

By working directly with Sectigo, you’ll continue to benefit from: 

  • The same trusted certificate products used through the K-Software program. 
  • Streamlined validation and issuance processes, minimizing administrative overhead.
  • Dedicated technical and account support from our team of experts.

Our team is here to ensure a smooth transition and to provide the same high-quality products and support you’ve relied on. If you have questions about your existing certificates, need assistance with an upcoming renewal, or would like us to personally walk you through your options, click here for more information or simply reply to this email or contact us on the numbers below. 

 


I had bought a 3 years license, to get a little more time until the USB tokens questions were settled.
My license should be valid until 03/2026.
I paid 209 USD for the 3yr license in 2023, and now, with the best deal using KSOFTWARE25OFF (which is the same as the Black Friday 25% off), they ask for 981.00 USD; the non-rebate cost is 1,308.00 USD.

This means I had better look for a Sectigo alternative.

Now I'm unsure what happens with my existing rest-license, how will Sectigo handle it, for example if I use the kSign.exe?

When I sign something with kSign.exe, which was already deprecated, this still works and shows certificate info "Sectigo Public Code Signing CA R36";
everything looks all right here.

If anybody has more insight, what goes and what doesn't, please let me know.
 


I've never used KSign.exe, just the usual signtool.exe which works with the dongle.

 

Might look again at Microsoft Azure signing, they use certificates that expire after one day, and create a new one each time you need it.  But not for another six months. 

 

Maybe Google Trust Services will move into signing certificates, but doubt they will be free like web server certificates.  

 

Angus

 

 

Edited by Angus Robertson


I got the same email this morning. I've been looking around for a cheaper alternative and found SSL.com. It looks like they support Yubikeys; I have an old one but can't find information about how to use it with their signing process--perhaps it's part of the request?


SSL.com use Yubikeys and issue ECDSA keys - which work fine - however they are sneaky: even though I declined their offer of their cloud service during purchase, they signed me up anyway and then started billing me monthly - it took several months to sort out!

 

You can use your own Yubikey with ssl.com - I did just that (works out a lot cheaper) and got the same cert on 3 yubikeys (for backup and dev purposes) at no extra cost, you just have to go through the whole attestation process multiple times using their terrible web interface.

 

https://www.ssl.com/how-to/key-generation-and-attestation-with-yubikey/

 

I am not sure what versions of Yubikey they support - I used 5c FIPS

 

NOTE : if you use ClickOnce do not get an ECDSA key (not supported by MS) - which is what you will get on a Yubikey with firmware < 5.7.

 

Yubikeys with firmware >= 5.7 do support 3072bit RSA keys, however they are hard to find (I have been trying to source one for a while) - if your chosen CA uses Yubikeys check with them first (and then double check, they are terrible at providing accurate info in my experience). 

 

I also bought a certificate from 

 

https://www.gogetssl.com/code-signing-ssl/

 

I got their own brand cert (non EV) which is in fact issued by Digicert (they hand the order off to them) - that is an RSA 3072 cert on a Thales Safenet 5110 token. 

 

Once you get your shiny new certificate/token, you will come up against the issue with it prompting for a password during signing sessions. The number of prompts depends on the tokens - Yubikey prompts more often than Safenet. You can easily work around that using a Code Signing Server like Signotaur which just happens to be 40% off until Dec 3rd

 

Edited by Vincent Parrett
typo
  • Like 4
  • Thanks 1

14 minutes ago, Vincent Parrett said:

You can use your own Yubikey with ssl.com

Thank you very much--lots of good information. I just checked and my (very old) Yubikey is Firmware 4.3.7. I don't know a lot about Yubikeys and I don't have a great need for a signing code anymore but this sounds like the cheapest way to go, even if it is a little cumbersome. I had also looked at gogetssl.com from one of your other posts on this subject, but 3x the price.

12 hours ago, Angus Robertson said:

I've never used KSign.exe. just the usual signtool.exe which works with the dongle. 

That is right of course, this was just a 2 minute test on how the signing might behave after closing down K-Software, and if it still works as before, which seems to be OK.
 

 

8 hours ago, Vincent Parrett said:

SSL.com use Yubikeys and issue ECDSA keys - which work fine - 

...

https://www.ssl.com/how-to/key-generation-and-attestation-with-yubikey/

...

I am not sure what versions of Yubikey they support - I used 5c FIPS

...

NOTE : if you use ClickOnce do not get an ECDSA key (not supported by MS) - which is what you will get on a Yubikey with firmware < 5.7.

...

Yubikeys with firmware >= 5.7 do support 3072bit RSA keys, however they are hard to find (I have been trying to source one for a while) - if your chosen CA uses Yubikeys check with them first (and then double check, they are terrible at providing accurate info in my experience). 

...

Yes, perhaps SSL is the right way to go.
At least their pricing seems not that unrealistic.
https://www.ssl.com/certificates/code-signing/buy/
Comparing a 3yr plan, 3 years - $109.65/yr (save 15%), they end up at 330 USD.

Plus the Yubikey itself, which is a bit overpriced at 279 USD, which makes a total of 609 USD, hopefully only in the initial order.
While I get one here for 101 EUR incl. VAT, which is roughly 98 USD, which could reduce that to nearly 428 USD
https://www.yubico.com/de/product/yubikey-5-fips-series/yubikey-5c-nfc-fips/

 

Would be great to know if all compatible Yubikeys can be used with SSL, or if they have some specific catch included, so that we need the expensive key from them.


Additionally they note about eSigner Tier, which seems to be a kind of subscription like for 20USD/Month for 20 Signings with 1 Credential or 64USD/Month for 100 Signings plus 5 Certificates.
I have not read the fine print yet, but it looks as if you would need such a subscription too.

Is that eSigner Tier additionally needed, or is it a different way beside usual yearly certificates?

This seems to me like a very clever marketing strategy, to split cost into more granular parts and make it seem more attractive than it possibly is; my respect for that smart business strategy.
But on the other side it's still just a lot of money to pay for a purely virtual service, with close to 0 USD production cost, but that's a different story.

They also offer 10yr strategies, where I don't know if the world as we know it still exists.
Nevertheless, perhaps during that time the YubiKey hardware may need to change too, since such chips and firmware are not built from granite.

As long as automation with Signotaur or signtool is possible and no "fingerprint" or the like is needed on a Yubikey, this is perhaps the way to go.

11 hours ago, Vincent Parrett said:

Once you get your shiny new certificate/token, you will come up against the issue with it prompting for a password during signing sessions. The number of prompts depends on the tokens - Yubikey prompts more often than Safenet.

I have a Thales SafeNet token and use the signtool /csp and /kc commands which skip all password prompts. Also discovered signtool allows multiple files to be signed with a single command, including wild cards, so I can sign all the OpenSSL files with one command line.

 

I'm about to add support for Yubikeys and FIDO to ICS, to support WebAuthn, so will be learning the hard way about those tokens. 

 

Angus
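
The unattended token signing described in the post above, combined with a check for the ECDSA/ClickOnce caveat raised earlier in the thread, as an added example that is not code from any poster. The provider name, container name, certificate path, timestamp URL, the `SIGN_TOKEN_PIN` variable and the `[{{PIN}}]=container` form of the `/kc` value are assumptions to confirm against your token vendor's documentation.

```powershell
# Added example: sign with a hardware token without prompts, then verify the result.
# Placeholders and assumptions (not from the thread): CSP name, key container,
# certificate path, timestamp URL, SIGN_TOKEN_PIN environment variable.
param(
    [Parameter(Mandatory)][string[]]$Files,                     # wildcards allowed
    [string]$CertFile  = 'C:\signing\codesign.cer',             # public cert exported from the token
    [string]$Provider  = 'eToken Base Cryptographic Provider',  # SafeNet CSP name (assumed)
    [string]$Container = '<KEY-CONTAINER-NAME>',
    [string]$Timestamp = '<RFC3161-TIMESTAMP-URL>'
)

# Take the PIN from the CI secret store; never hard-code it in the build script.
$pin = $env:SIGN_TOKEN_PIN
if (-not $pin) { throw 'SIGN_TOKEN_PIN is not set' }

# Assumed SafeNet convention: the PIN is embedded in the key container argument.
$kc = '[{{' + $pin + '}}]=' + $Container

# One signtool call signs every file and timestamps the signatures.
& signtool.exe sign /fd SHA256 /tr $Timestamp /td SHA256 `
    /f $CertFile /csp $Provider /kc $kc @Files
if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }

$rsaOid = '1.2.840.113549.1.1.1'   # rsaEncryption; ECDSA keys use 1.2.840.10045.2.1

foreach ($sig in Get-AuthenticodeSignature -FilePath $Files) {
    if ($sig.Status -ne 'Valid') {
        throw "$($sig.Path): signature status is $($sig.Status)"
    }
    $cert  = $sig.SignerCertificate
    $isRsa = $cert.PublicKey.Oid.Value -eq $rsaOid
    if (-not $isRsa) {
        Write-Warning "$($sig.Path): signer key is not RSA; ClickOnce will not accept it"
    }
    if (-not $sig.TimeStamperCertificate) {
        Write-Warning "$($sig.Path): no timestamp; signature stops validating when the cert expires"
    }
    [pscustomobject]@{
        File       = $sig.Path
        Issuer     = $cert.Issuer
        KeyType    = $cert.PublicKey.Oid.FriendlyName
        ExpiresIn  = [int]($cert.NotAfter - (Get-Date)).TotalDays
        Timestamped = [bool]$sig.TimeStamperCertificate
    }
}
```

The PIN is visible in the signtool process command line while it runs, so run this only on a dedicated build agent with restricted access.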

 
