Tips on getting a code signing certificate

I got my own certificate for signing AIR applications a couple of weeks ago, so I thought I’d share my experience in order to help others more easily navigate the process. My intention is not to provide an exhaustive tutorial on code signing or the process of obtaining a certificate (if that’s what you’re looking for, see Todd Prekaski’s article entitled “Digitally Signing Adobe AIR Applications”). Rather, I just want to list a few things you should know about before starting the process in order to ensure that it goes smoothly.

I decided to get my certificate from Thawte, but you can also use VeriSign (and soon other Certificate Authorities that Adobe is working with). Both Thawte and VeriSign issue code-signing certificates to organizations as opposed to individuals, so the tips below assume that you already have a corporate entity established. We are currently working with CAs who can issue personal certificates, so if you don’t have a business, you will soon be able to get a certificate issued in your own name.

If you decide to get your certificate through Thawte, here are some important things to know:

  • Use Firefox. Firefox has a certificate manager that allows you to easily export your certificate as a P12 file, which is what you need in order to sign your applications. Yes, it’s sort of a strange requirement, but it makes the process much easier.
  • Use an email address other than Gmail, Hotmail, or Yahoo. Thawte will not issue a certificate to anyone using an address from a free email service. I tried to talk them into it (I love Gmail), but they wouldn’t budge. I ended up having to use my Watch Report email address, which they eventually accepted; however, they would have rather I used an email address associated with the company’s domain.
  • Set up a corporate web page. My main business is Watch Report, but my company is called Cantrell Media Company. Since Watch Report is well established, I never bothered setting up a separate corporate web site. Thawte wanted one, so I threw together christiancantrell.com in about five minutes. It’s not pretty, but it met the requirement.
  • Get a business phone number, and list it publicly. I work out of my home, so I have a business line (I almost always use my mobile phone, but it’s nice to have a landline to fall back on). However, when I got the second line, I didn’t bother to create a corporate account with Verizon. Rather, I have both my home and business lines listed under my personal name. Thawte doesn’t like this. They either want to see a phone bill with your business number and business name on it (which I couldn’t produce), or they want to see your business and your business number listed in a public directory. I listed Cantrell Media Company on yellowpages.com, which took a few days but is completely free. Thawte was happy with that. (Here’s the listing.)

Those are all the specific issues that caused me problems. If you own a business and take all four points above into account when applying for your code-signing certificate, you should be able to obtain one within a couple of days with no problem at all.