Can I Use An SSL Certificate For Code Signing?

SSL/TLS and Code Signing are both X.509 certificates but cannot be used interchangeably

SSL/TLS Certificates and Code Signing certificates are both types of digital certificates that make use of public key encryption, and Comodo offers both– but they do very different things. So no, you cannot use an SSL Certificate to sign scripts and executables and you cannot secure your website’s connections with a Code Signing certificate. You also can’t sign emails and documents with either, but let’s not add Personal Authentication to this discussion.

Why can’t I use an SSL Certificate to sign code?

SSL and Code Signing are two very different uses for encryption. SSL is a protocol for securing communication in real-time. Code signing is a time-stamped signature that can be used to verify publisher identity and software integrity. Outside of the fact that both make use of public key encryption, there’s not much other overlap.

SSL vs Code Signing Technical Details

SSL certificates and code signing certificates are both X.509 digital certificates. At their core, they’re certificates created using the exact same standard. So why can’t they be used interchangeably?

Certificates specify their allowed usage

Certificates are issued with their intended purpose coded and signed into the certificate itself, in the Extended Key Usage field.

For example, here is the SSL certificate on this website, which specifies that it’s to be used for web server authentication and client authentication:

A code signing certificate specifies Code Signing as the intended usage in the Extended Key Usage extension, like this:

According to the X.509 certificate specification, you cannot use a certificate for a purpose other than what is specified:

This extension indicates one or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension…If the extension is present, then the certificate MUST only be used for one of the purposes indicated.

Attempting to use an SSL certificate for code signing will result in errors. And if your software users are getting errors, that defeats the primary purpose of using a code signing certificate.

The validation process is different

The two types of certificates have different steps to create a CSR & private key, complete validation, and generate the certificate. You won’t be able to correctly complete an SSL certificate CSR, validation and generation process when you’re signing code (or vice versa).

What does an SSL Certificate do?

SSL/TLS is a protocol that encrypts the connection between servers that host websites and the clients (web browsers) that visit them. This is accomplished with a piece of software called an SSL Certificate that authenticates the server it’s installed on with clients and helps them connect securely via HTTPS. In a nutshell: SSL certificate facilitate secure (encrypted) connections between clients and servers.

What does a Code Signing Certificate do?

Code Signing certificates are pieces of software that let you digitally sign a script or executable. The digital signature gets hashed along with a timestamp and encrypted into a signature block. When users attempt to download your signed software, their browser filter or antivirus program will be able to verify your identity and will allow the download to proceed. Without Code Signing, the user would receive a warning about the software originating from an unknown source. Research shows those users typically cancel the download. By Code Signing your software not only will you bypass those warnings, but you provide a way for the user’s system to verify the integrity of the software, too.