Can I create my own self-signed code signing certificate?


Self-signed code signing certificates must be used for testing only, here’s why…

While you technically can self-sign a Code Signing certificate, the result won’t work for its intended purpose.

Code Signing is extremely important, and its misuse could potentially be catastrophic, so there are some good reasons why you can’t simply create a trusted code signing certificate by signing it yourself.


One of the biggest functions of Code Signing is browser trust

The process for purchasing a Code Signing certificate requires an organization or an individual to undergo validation. This is how the issuing Certificate Authority vets you and confirms that you’re legitimate. The browsers don’t trust your software, but they trust the CAs. When a CA issues you a Code Signing certificate and you sign your software with it, the browsers will trust the signature because they can see the certificate paired with the signing private key and they trust the entity that issued it. The CA is essentially vouching for you.

If a CA doesn’t issue the Code Signing certificate, why should a browser trust your signature?

Good question. It shouldn’t. You can’t vouch for yourself; that doesn’t work anywhere, and especially not on the internet. Browsers are skeptical by default, designed to trust only a select few entities. You are not one of those entities. You can’t just sign your own Code Signing certificate, in the same way that you can’t just issue yourself a driver’s license. It’s only good if it comes from someone trusted.
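The distinction the two paragraphs above draw, between a signature that is mathematically valid and a certificate that chains to a trusted root, can be seen directly with the openssl command line. The following script is an added example and is not code from the original article or from any vendor; it assumes the `openssl` CLI (version 1.1.1 or newer) is installed, and every subject name, file name and payload in it is made up. It creates a self-signed code-signing certificate and a second one issued by a throwaway test CA (standing in for a publicly trusted CA), signs the same constructed payload with each, and then shows that both signatures verify under their own public keys while only the CA-issued certificate passes the chain check against the trust store.

```shell
#!/bin/sh
# Added example, not code from the article: compare a self-signed code-signing
# certificate with one issued by a (throwaway) test CA. Assumes the `openssl`
# CLI, version 1.1.1 or newer, is on PATH. Every name and file here is made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed stand-in for the executable or installer you would distribute.
printf 'pretend this is setup.exe\n' > payload.bin

# 1. Self-signed developer certificate: the subject vouches for itself.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Example Dev (self-signed)" -addext "extendedKeyUsage=codeSigning" \
    -keyout self.key -out self.pem 2>/dev/null

# 2. A test CA (playing the role of a trusted CA) and the certificate it
#    issues to the same developer after "validation".
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Example Test CA" -keyout ca.key -out ca.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Dev (CA-issued)" -keyout leaf.key -out leaf.csr 2>/dev/null
printf 'extendedKeyUsage=codeSigning\nbasicConstraints=CA:FALSE\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 30 -sha256 -extfile leaf.ext -out leaf.pem 2>/dev/null

# Sign payload.bin with a private key; the detached signature is written to $2.
sign_payload() {  # $1 = private key, $2 = signature output file
    openssl dgst -sha256 -sign "$1" -out "$2" payload.bin
}

# Is the signature valid under the certificate's public key? (exit 0 = yes)
# A self-signed certificate passes this: the maths is fine, but it proves only
# that whoever holds the key signed the file, not who that is.
signature_valid() {  # $1 = certificate, $2 = signature file
    openssl x509 -in "$1" -pubkey -noout > "$1.pub"
    openssl dgst -sha256 -verify "$1.pub" -signature "$2" payload.bin >/dev/null 2>&1
}

# Does the certificate chain to a root in the trust store? (exit 0 = yes)
# This is the step a platform performs before it believes anything about the
# signer, and the step a self-signed certificate cannot pass.
chains_to_trusted_root() {  # $1 = certificate, $2 = trust store (PEM bundle)
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

report() {  # $1 = label, $2 = certificate, $3 = private key
    sign_payload "$3" "$2.sig"
    if signature_valid "$2" "$2.sig"; then s=valid; else s=INVALID; fi
    if chains_to_trusted_root "$2" ca.pem; then c=trusted; else c=UNTRUSTED; fi
    printf '%-24s signature: %-8s chain: %s\n' "$1" "$s" "$c"
}

report "self-signed certificate" self.pem self.key   # chain: UNTRUSTED
report "CA-issued certificate"   leaf.pem leaf.key   # chain: trusted
```

Run it as `sh demo.sh`. Both lines report `signature: valid`, but only the CA-issued certificate reports `chain: trusted`; the chain check, not the signature check, is what a platform acts on when it decides whether to show an unknown-publisher warning. Here the test CA's own certificate is the whole trust store, which is exactly why the self-signed certificate is rejected: it never passed through anyone the verifier already trusts.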

What happens if I self-sign my code signing certificate?

If you distribute your software with a self-signed certificate, your users will get various warnings when they attempt to install the software. Here’s one example warning screen users will see on Windows if your executable is self-signed:

[Image: Windows “Unknown Publisher” install warning shown for an executable signed with a self-signed code signing certificate]

What happens if I just don’t Code Sign at all?

Pretty much the same thing that would have happened if you had created a self-signed code signing certificate. As soon as anyone tries to download your software, the browser will see that it wasn’t signed with a certificate issued by a trusted entity and show a warning. Nobody clicks through a browser warning about potentially malicious software. So just assume that your conversion will fail and the person will leave the site. That’s not good.

Code Signing doesn’t have to break the bank

Code Signing certificates aren’t as cost-prohibitive as you might think. Comodo also sells Individual certificates for developers who work independently. Take a look at some of our Code Signing options, and remember: if you find a better price, we’ll beat it.

Get The Lowest Price On Comodo Code Signing Certificates
