Tips on getting a code signing certificate

I got my own certificate for signing AIR applications a couple of weeks ago, so I thought I’d share my experience in order to help others more easily navigate the process. My intention is not to provide an exhaustive tutorial on code signing or the process of obtaining a certificate (if that’s what you’re looking for, see Todd Prekaski’s article entitled Digitally Signing Adobe AIR Applications). Rather, I just want to list a few things you should know about before starting the process in order to ensure that it goes smoothly.

I decided to get my certificate from Thawte, but you can also use VeriSign (and soon other Certificate Authorities with whom Adobe is working). Both Thawte and VeriSign issue code-signing certificates to organizations as opposed to individuals, so the tips below assume that you already have a corporate entity established. We are currently working with CAs who can issue personal certificates, so if you don’t have a business, you will soon be able to get a certificate issued in your own name.

If you decide to get your certificate through Thawte, here are some important things to know:

  • Use Firefox. Firefox has a certificate manager that allows you to easily export your certificate as a P12 file, which is what you need in order to sign your applications. Yes, it’s sort of a strange requirement, but it makes the process much easier.
  • Use an email address other than Gmail, Hotmail, or Yahoo. Thawte will not issue a certificate to anyone using an address from a free email service. I tried to talk them into it (I love Gmail), but they wouldn’t budge. I ended up having to use my Watch Report email address, which they eventually accepted; however, they would rather I had used an email address associated with the company’s domain.
  • Set up a corporate web page. My main business is Watch Report, but my company is called Cantrell Media Company. Since Watch Report is well established, I never bothered setting up a separate corporate web site. Thawte wanted one, so I threw together christiancantrell.com in about five minutes. It’s not pretty, but it met the requirement.
  • Get a business phone number, and list it publicly. I work out of my home, so I have a business line (I almost always use my mobile phone, but it’s nice to have a landline to fall back on). However, when I got the second line, I didn’t bother to create a corporate account with Verizon. Rather, I have both my home and business lines listed under my personal name. Thawte doesn’t like this. They either want to see a phone bill with your business number and business name on it (which I couldn’t produce), or they want to see your business and your business number listed in a public directory. I listed Cantrell Media Company on yellowpages.com which took a few days, but is completely free. Thawte was happy with that. (Here’s the listing.)

Those are all the specific issues that caused me problems. If you own a business, and take all four points above into account when applying for your code-signing certificate, you should be able to obtain one within a couple of days with no problem at all.
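Once the certificate has been exported from Firefox as a P12 file, it is worth confirming that the bundle actually contains a private key and a certificate whose Extended Key Usage includes code signing before handing it to a signing tool. The following is an added example, not part of the original post: a bash check built on the `openssl` command line, where the function names, file names and password are assumptions and the test bundles are constructed and self-signed.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Function names, file names and
# the password are assumptions; the test bundles are constructed and self-signed.

# p12_check FILE PASSWORD
# Prints one of: ok | unreadable | no-private-key | no-code-signing-eku | expired
p12_check() {
  local p12=$1 pass=$2 cert
  # Pull out the certificate that belongs to the key; a wrong password or a
  # file that is not PKCS#12 fails here.
  cert=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null) \
    || { echo unreadable; return 1; }
  # The key is re-encrypted on output and only piped to grep, never stored.
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts \
    -passout pass:throwaway-output 2>/dev/null | grep -q 'PRIVATE KEY' \
    || { echo no-private-key; return 1; }
  # Read the Extended Key Usage value itself, not names elsewhere in the
  # certificate that may contain the words "Code Signing".
  printf '%s\n' "$cert" | openssl x509 -noout -text 2>/dev/null \
    | grep -A1 'Extended Key Usage' | grep -q 'Code Signing' \
    || { echo no-code-signing-eku; return 1; }
  printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null 2>&1 \
    || { echo expired; return 1; }
  echo ok
}

# make_test_p12 EKU OUT PASSWORD
# Builds a constructed one-day, self-signed bundle to try the check on,
# e.g. EKU=codeSigning or EKU=emailProtection.
make_test_p12() {
  local eku=$1 out=$2 pass=$3 dir
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Constructed Test' \
    -addext "extendedKeyUsage=$eku" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
    -out "$out" -passout "pass:$pass"
  rm -rf "$dir"
}

# Usage: make_test_p12 codeSigning /tmp/demo.p12 constructed-pass
#        p12_check /tmp/demo.p12 constructed-pass
```

A `pass:` argument is visible to other local users in the process list, so for a real certificate prefer one of openssl's `env:` or `file:` passphrase sources.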

10 Responses to Tips on getting a code signing certificate

  1. Good stuff Christian. There is also an excellent article on this on the Adobe Developer Connection at: http://www.adobe.com/devnet/air/articles/signing_air_applications.html

  2. Matt says:

    I’ve developed a demo using Air for an open source project. Because it is open source, I am not going to buy a certificate. I have tried signing my Air app using a Thawte freemail certificate (generally following the procedure in this article: http://www.dallaway.com/acad/webstart/). However, adt keeps throwing an error when I package it: not an X509 code-signing certificate. Strange that the procedure in the article is good enough to sign jar files, but not Air applications. As a last resort, I used openssl to convert the certificate to a p12 file. But no joy – adt still gives the same error.

  3. Dale Fraser says:

    I have purchased a cert, downloaded it through Firefox. But when I export, p12 doesn’t seem to be an option.

  4. Dale,

    Go to Preferences > Advanced > Encryption > View Certificates. Go to “Your Certificates”, select it, and choose “Backup”.

    That’s it!

    Christian

  5. Anil says:

    left out the most important parts 1) kind of cert. 2) how much?

  6. nile says:

    I’ve had some horrendous difficulty in getting a renewal on my cert from Thawte. The problem is IE simply doesn’t show the last page in the renewal process, so you never get issued with a public key. Thawte say the page is being blocked by the network – cannot be so – as we’ve tried various routers, and even tried from the local university – always the same result. I hope it gets sorted soon!

  7. Amgad says:

    You mentioned that you are currently working with CAs that can issue personal certificates. Could you please tell me who they are?

  8. I’ll do a new post on the current state of CAs and include information on getting “personal” certificates.

    Christian

  9. Thanks for this Christian – I will get a GoDaddy Code Signing Cert tonight because of this.

  10. Does Chrome have a certificate manager that works as well as Firefox’s?