Renewing Expired Code Signing Certificates

TL;DR

No, you generally cannot directly renew an expired code signing certificate. You need to request a new one. However, the process is usually straightforward and your Certificate Authority (CA) will guide you through it.

Step-by-Step Guide: Renewing Expired Code Signing Certificates

  1. Check Expiration Date: Before attempting any renewal, confirm the certificate has actually expired. You can do this in Windows by double-clicking the certificate (usually found on the Digital Signatures tab of a signed file's properties, or through Certificate Manager).
  2. Contact Your CA: Contact your current Certificate Authority (e.g., DigiCert, Sectigo, GlobalSign). They handle the renewal process. Most CAs have online portals for this purpose.
  3. Generate a New Certificate Signing Request (CSR): You’ll need to create a new CSR. This is a text file containing your public key and information about your company and application.
    • Using OpenSSL: If you’re comfortable with the command line:
      openssl req -new -keyout yourdomain.key -out yourdomain.csr

      OpenSSL first asks for a pass phrase to protect the new private key. Then follow the prompts to enter your details (Country Name, State/Province, Locality, Organization Name, Common Name – usually your company name or application name).

    • Using IIS Manager: If you’re using Internet Information Services:
      • Open IIS Manager.
      • Select the server in the Connections pane.
      • Double-click ‘Server Certificates’.
      • Click ‘Create Certificate Request…’.
      • Enter your details and save the CSR file.
  4. Submit the CSR to Your CA: Log in to your CA’s portal and follow their instructions for submitting the new CSR. They will likely ask you to verify your identity again (e.g., via email or phone).
  5. Validation Process: The CA will validate your information. This can take anywhere from a few hours to several days, depending on the certificate type and CA’s workload.
  6. Download & Install the New Certificate: Once validated, you’ll be able to download the new code signing certificate. Follow the CA’s instructions for installing it.
    • This typically involves importing the certificate into your Windows Certificate Store (using MMC – Microsoft Management Console).
    • You may need to restart any applications that use the certificate.
  7. Revoke the Old Certificate: Important! Immediately revoke your expired certificate through your CA’s portal. This prevents malicious actors from potentially using it if compromised.

Important Considerations

  • Timelines: Start the renewal process well before your current certificate expires (at least a month in advance) to avoid any disruption to signing operations.
  • Certificate Types: Different code signing certificates have different validation levels and requirements. Ensure you request the correct type for your needs.
  • Key Storage: Protect your private key securely! Losing it means you’ll need a completely new certificate, not just a renewal. Consider using a Hardware Security Module (HSM) for added security.
  • Cyber Security: Regularly check the revocation status of certificates used by third-party software to protect against compromised code.
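
The expiry check from step 1, the one-month lead time from the Timelines note and the CSR from step 3 can be scripted. This is an added example, not code from the original page or from any CA; the file names, subject values, the KEY_PASS variable and the RSA-3072 key size are assumptions, so confirm the required key type with your CA.

```shell
#!/usr/bin/env bash
# Added example. File names, subject values and KEY_PASS are placeholders.

# cert_status CERT.pem [DAYS] -> prints unreadable | expired | renew-now | ok
# DAYS is the renewal lead time (default 30, "at least a month in advance").
cert_status() {
    local cert=$1 days=${2:-30}
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 \
        || { echo "unreadable"; return 2; }
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "expired"
    elif ! openssl x509 -in "$cert" -noout \
            -checkend "$((days * 86400))" >/dev/null 2>&1; then
        echo "renew-now"
    else
        echo "ok"
    fi
}

# new_csr KEY CSR SUBJECT -> new RSA-3072 key (encrypted with $KEY_PASS) and
# a CSR for it; succeeds only if the CSR's self-signature verifies.
new_csr() {
    local key=$1 csr=$2 subj=$3
    [ -n "${KEY_PASS:-}" ] || { echo "KEY_PASS not set" >&2; return 1; }
    ( umask 077   # private key file readable by its owner only
      KEY_PASS="$KEY_PASS" openssl req -new -newkey rsa:3072 -sha256 \
          -subj "$subj" -keyout "$key" -out "$csr" \
          -passout env:KEY_PASS 2>/dev/null ) || return 1
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK'
}

# make_demo_cert OUT.pem DAYS -> constructed self-signed cert (sample input)
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=Constructed Demo Cert" -keyout /dev/null -out "$1" 2>/dev/null
}

# Demo on constructed certificates: one near expiry, one fresh.
demo() {
    local dir; dir=$(mktemp -d) || return 1
    make_demo_cert "$dir/soon.pem" 10
    make_demo_cert "$dir/fresh.pem" 365
    echo "soon.pem:  $(cert_status "$dir/soon.pem")"
    echo "fresh.pem: $(cert_status "$dir/fresh.pem")"
    KEY_PASS=constructed-pass new_csr "$dir/new.key" "$dir/new.csr" \
        "/C=US/O=Example Corp/CN=Example Corp" && echo "CSR verified"
    rm -rf "$dir"
}
demo
```

Run cert_status from a scheduled job against the exported certificate file, and treat any result other than "ok" as the trigger to start the renewal with your CA.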