Topics Map > University of Chicago > IT Services > Accounts, Identity, & Security > Security
Digital Certificate - Request a Code Signing Certificate
This article explains how to request a Code Signing Certificate (also known as a Software Publishing Certificate) which can be used to digitally sign software.
IT Services provides free Code Signing Certificates via the InCommon Certificate Service. Code signing certificates (also known as Software Publishing Certificates) can be used to digitally sign software executables and scripts. The digital signature can help users of the signed software to confirm that the software is genuine by authenticating the source of the software (i.e. who published it) and verifying the integrity of the content (i.e. the code hasn't been modified since signed).
Uses of Code Signing Certificates include:
- Microsoft Authenticode
- signing Java jar files
- signing Adobe AIR applications
Policy for Code Signing Certificates
Code Signing Certificates may be issued to departments or similar entities on campus or in some circumstances to employees (staff or faculty) as individuals. Only one certificate will be allowed per individual or entity at any given time. Since code signed through this process will represent the University of Chicago, certificates will only be issued to assist in publishing code that furthers the mission of the University.
In order to enforce a unique mapping of a single entity per certificate we require that a valid campus email address be provided and added to the certificate as the Subject Alternative Name. Certificates for departments or similar entities will list that entity on the certificate as an Organization Unit. Although details such as email addresses and departmental names will be listed on the certificate most software used to verify CSC will only display the Common Name of the cert which will always be the Organization, which is in our case "University of Chicago."
Individuals or entities response for a CSC should take responsible measures to protect the certificate and associated keys:
- the certificate and private key should be stored on a secure system that has access controls to limit use to only trusted individuals
- the private key should be protected by a password that has strong complexity and a minimum of 12 characters
- if the security of the CSC is breached in any way the party responsible for the CSC should contact IT Security immediately
- if the individual or entity loses affiliation with the university (e.g. change in employment status for individual, renaming or reorganization of an administrative entity) the certificate should no longer be used
The InCommon Registration Authority Officers for our campus may revoke a certificate if there is evidence of misuse or concerns regarding the security of its handling. In that event, you will be notified and must immediately stop using the certificate.
How to Request a Code Signing Certificate
- You should email your request for a code signing cert to email@example.com with the following information:
- Identifying Information
- for faculty/staff as individuals: full contact information for person requesting certificate (full name, campus email, campus phone, campus mailing address)
- for departments or similar entities (not individuals): official name of department (or similar entity) with full contact information including campus email, campus phone number, and campus mailing address as well as contact information for the person requesting the certificate
- brief statement on plans for using the CSC (i.e. why do you want a certificate?)
- state that you understand and accept the policy for Code Signing Certificates as described on this page
- Use the same system/browser for accepting the invitation and downloading the issued certificate.
- Use a supported browser. Comodo recommends that you use Windows and Internet Explorer but IE is not required. Most other modern browsers will work except for Google Chrome browser which will not work. Please note that if you do not use IE the downloaded certificate will be located only in the certificate store for that browser (rather than the system store). In any case, you can export the certificate to move it to the appropriate certificate store.
If at any time you have questions about Code Signing Certificates please email firstname.lastname@example.org.
Phishing Security Warning
The InCommon certificate service relies on clickable web links in email. Since that is a phishing hazard please copy and paste the URL into a browser and then review the URL prior to use. Please verify that the URL uses SSL (https not http) with a valid certificate and uses the cert-manager.com domain. If you have any questions about the validity of an email you receive, please contact email@example.com before proceeding.