If I work for a company that wants to sign its own certificates for its website, documents and software it writes, is it possible? I have read a couple of posts on here from around 10/8 years ago, but has it changed much since then?

Is it any more financially obtainable to acquire some sort of valid signing certificate than it was several years ago?

Also, if my company starts to sign its own SSL certificates but then wants to start signing official documents and its own code releases, would I need separate certificates for all?

  • TLS certificate and code-signing certificates are very different things... – schroeder Feb 15 '22 at 11:31
  • What posts are you referring to? It helps to reference the things you mention. – schroeder Feb 15 '22 at 11:31
  • https://security.stackexchange.com/questions/47267/can-i-buy-a-signing-valid-certificate-for-internal-use?answertab=active#tab-top – Definity Feb 15 '22 at 11:58
  • That post is not relevant to what you asked – schroeder Feb 15 '22 at 12:01
  • Is there much difference from certificates? SSL vs Code signing? – Definity Feb 15 '22 at 12:41
  • Quite a lot ... https://www.digicert.com/blog/everything-you-need-to-know-about-code-signing-vs-tls-ssl-certificates#:~:text=Code%20signing%20certificates%20are%20used%20to%20encrypt%20software%2C%20whereas%20TLS,them%20from%20using%20your%20services. That link is the top hit for the google query: https://www.google.com/search?q=difference+between+tls+certificate+and+code+signing+certificate – schroeder Feb 15 '22 at 12:58
  • Just to clarify. There is no technical difference between a TLS certificate and a Code Signing Certificate; they're both X.509 certificates. There is a huge organizational difference between the 2 though. In each certificate there is a field that states what the intended use is for that certificate… those differ. Also who will accept what certificate when differs. The only way for an organization to make both themselves is by becoming an official CA… with all the costs and time that entails. – LvB Feb 15 '22 at 14:20
  • @schroeder: I do not really agree. They are all x509 certificates. What matters from that point are the declared usages (contained in the certificate) and the procedure used to build and deliver them that could tie them or not to an identified person. But a company could decide to run its own PKI for its internal usage and for its identified customers and sign and deliver its TLS certificates and signing certificates exactly the same way. – Serge Ballesta Feb 15 '22 at 14:23
  • @LvB Running a CA is not a technical problem; you can find software featuring it for no cost. The 2 major questions are whether you need implicit validation by major browsers out of the box, which is likely to be blocking, and whether you intend the certificates to have a legal value, which requires a *trusted third party* (no one can be proof for themselves). – Serge Ballesta Feb 15 '22 at 14:29
  • @SergeBallesta running a CA that is trusted by others is a huge investment. Yes, you can get FOSS software to run it… but you also need to invest into an HSM and airgapping… while also building trust and transparency. It's not a turnkey thing to do… failing to do this would make it only a matter of time until someone duplicates your root keys…. And then all bets are off. There is much more than just the legal issues and the practical issues. – LvB Feb 15 '22 at 14:33
  • @LvB We almost agree. The hard part is *trusted by others*. And specifically trusted by major browsers. For example, when a government of a country issues a decree, it can be opposed to any court in the country. And a lot of governmental administrations have internal PKI, that can even be used in legal courts, so the procedures are deemed correct by lawyers. And AFAIK, their root keys have not been compromised. But they are not trusted by browsers... – Serge Ballesta Feb 15 '22 at 14:42
  • Um, they are both prime numbers, too. But that's not relevant to the OP's desires. – schroeder Feb 15 '22 at 14:45
  • @SergeBallesta but they are trusted by others. (And if they follow federal guidelines, if taking the USA as an example, they use a hardware HSM and an air-gapped root CA.) It all revolves around trust. And not specifically if browsers trust it. But if the users trust it (Ea… the users' IT department adds the certs to the trusted parties section of their OS). For software we must also consider the target OS. Like for Debian, we can use our own keys. But for Windows they must be accepted by Microsoft. – LvB Feb 15 '22 at 15:51
  • @LvB; No. The user (or more precisely the admin) can add CA certificates in a Windows system. This is the way organizations can use their own PKI by installing their own certificates on corporate machines. But as soon as public users are involved, we have to use certificates present in the default lists of browsers. If we do not, the casual user will trust their browser... – Serge Ballesta Feb 15 '22 at 17:37
  • @SergeBallesta the admin still has to trust you…. You can't go "No". Also, to run signed software on Microsoft Windows, you need a signature accepted by Microsoft… adding it to the CA list does not make your software trusted…. (So it's treated as untrusted.) This is not the same as the dialog you get about "Unknown Developer" you also can get. (1 example where this difference matters is with kernel modules. Only signed and accepted modules can be loaded.) – LvB Feb 15 '22 at 17:57
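The comments above make two points: a TLS certificate and a code-signing certificate are the same X.509 format, differing only in the declared intended-use field (the extendedKeyUsage extension), and both can come from one private CA that only your own machines trust. The script below is an added example, not code from the question or the commenters: it stands up a throwaway root CA with the openssl CLI (1.1.1 or later assumed), issues one certificate with EKU serverAuth and one with EKU codeSigning from that same root, and then shows that the code-signing certificate is rejected when checked for the TLS-server purpose even though it chains to a trusted root. Every name in it (Example Internal Root CA, www.example.internal, Example Build Team) is a constructed placeholder.

```shell
#!/bin/sh
# Added example: one private root CA, two leaf certificates with different
# extendedKeyUsage values, and a purpose check that tells them apart.
# Requires the openssl CLI. All subject names are constructed placeholders.
set -e

WORK="${WORK:-$(mktemp -d)}"

# One config file holds the root's DN plus the three extension profiles
# (v3_ca, tls, codesign). Only the extensions differ between the two leaves.
write_config() {
  cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no

[dn]
CN = Example Internal Root CA

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[tls]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.internal

[codesign]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = codeSigning
EOF
}

# Self-signed root. In a real deployment this is the key the comments say
# belongs on an air-gapped machine or in an HSM; here it is just a temp file.
make_root() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -config "$WORK/pki.cnf" -extensions v3_ca \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# issue <name> <profile> <subject>: CSR, then sign it with the chosen
# extension profile so the EKU is set by the CA, not by the requester.
issue() {
  name=$1; profile=$2; subject=$3
  openssl req -new -newkey rsa:2048 -nodes -subj "$subject" \
    -config "$WORK/pki.cnf" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/$name.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/pki.cnf" -extensions "$profile" \
    -out "$WORK/$name.crt" 2>/dev/null
}

build_pki() {
  write_config
  make_root
  issue tls tls "/CN=www.example.internal"
  issue codesign codesign "/CN=Example Build Team"
}

# check_purpose <cert> <purpose>: succeeds only if the chain verifies against
# our root AND the certificate's EKU permits that purpose (e.g. sslserver).
check_purpose() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose "$2" "$WORK/$1" >/dev/null 2>&1
}

# has_eku <cert> <text>: does the decoded certificate list this usage?
has_eku() {
  openssl x509 -in "$WORK/$1" -noout -text | grep -q "$2"
}

build_pki
for c in tls codesign; do
  if check_purpose "$c.crt" sslserver; then
    echo "$c.crt: accepted as a TLS server certificate"
  else
    echo "$c.crt: rejected as a TLS server certificate (EKU does not allow it)"
  fi
done
```

Running it leaves the keys and certificates in the directory named by WORK. The chain check without -purpose passes for both leaves, which is the "same CA, same format" half of the comments; the -purpose check fails for codesign.crt, which is the "separate certificates per role" half. The trust question the commenters raise is not answered by this script at all: ca.crt is trusted here only because it is passed with -CAfile, and a browser or Windows code-signing policy that has never seen it will reject both leaves regardless of their EKU.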