
Digital Certificate - Request a Code Signing Certificate

This article explains how to request a Code Signing Certificate (also known as a Software Publishing Certificate) which can be used to digitally sign software.

IT Services provides free Code Signing Certificates via the InCommon Certificate Service. Code signing certificates (also known as Software Publishing Certificates) can be used to digitally sign software executables and scripts. The digital signature helps users of the signed software confirm that it is genuine by authenticating the source of the software (i.e. who published it) and verifying the integrity of the content (i.e. the code hasn't been modified since it was signed).

Uses of Code Signing Certificates include:

  • Microsoft Authenticode
  • signing Java jar files
  • signing Adobe AIR applications

Policy for Code Signing Certificates

Code Signing Certificates may be issued to departments or similar entities on campus or in some circumstances to employees (staff or faculty) as individuals. Only one certificate will be allowed per individual or entity at any given time. Since code signed through this process will represent the University of Chicago, certificates will only be issued to assist in publishing code that furthers the mission of the University.

In order to enforce a unique mapping of a single entity per certificate, we require that a valid campus email address be provided and added to the certificate as the Subject Alternative Name. Certificates for departments or similar entities will list that entity on the certificate as an Organizational Unit. Although details such as email addresses and departmental names will be listed on the certificate, most software used to verify a CSC will display only the Common Name of the certificate, which will always be the Organization, in our case "University of Chicago."

Individuals or entities responsible for a CSC should take responsible measures to protect the certificate and associated keys:

  • the certificate and private key should be stored on a secure system that has access controls to limit use to only trusted individuals
  • the private key should be protected by a password that has strong complexity and a minimum of 12 characters
  • if the security of the CSC is breached in any way the party responsible for the CSC should contact IT Security immediately
  • if the individual or entity loses affiliation with the university (e.g. change in employment status for individual, renaming or reorganization of an administrative entity) the certificate should no longer be used

The InCommon Registration Authority Officers for our campus may revoke a certificate if there is evidence of misuse or concerns regarding the security of its handling. In that event, you will be notified and must immediately stop using the certificate.

How to Request a Code Signing Certificate

  1. You should email your request for a code signing cert to certs@uchicago.edu with the following information:
    • Identifying Information
    • for faculty/staff as individuals: full contact information for person requesting certificate (full name, campus email, campus phone, campus mailing address)
    • for departments or similar entities (not individuals): official name of department (or similar entity) with full contact information including campus email, campus phone number, and campus mailing address as well as contact information for the person requesting the certificate
    • brief statement on plans for using the CSC (i.e. why do you want a certificate?)
    • state that you understand and accept the policy for Code Signing Certificates as described on this page
  2. IT Security will review the request and contact you to discuss. For departmental requests, IT Security may also need to speak with an administrator for that department.
  3. If your request is approved, the email address listed in the certificate will receive an invitation to request a certificate. That email will provide a URL for you to visit to accept the invitation and generate the cryptographic material needed for the certificate request. Your private key will be added to the certificate store for your system (for IE users) or your browser (non-IE users) at this time but you do not yet have a certificate. Note that the invitation email will be sent only to that account so you must be able to access that account. Please see the notes below on phishing and browser choice.
  4. Comodo will take up to two business days to review your request. Comodo will then sign your certificate and issue your certificate to you via a link in an email. Before browsing to the link please note these critical points:
    1. Use the same system/browser for accepting the invitation and downloading the issued certificate.
    2. Use a supported browser. Comodo recommends that you use Windows and Internet Explorer, but IE is not required. Most other modern browsers will work, except Google Chrome, which will not. Please note that if you do not use IE, the downloaded certificate will be located only in the certificate store for that browser (rather than the system store). In any case, you can export the certificate to move it to the appropriate certificate store.
  5. You now have the only copy of the private key. You should immediately create a password-protected backup of your certificate and keys and store it in a secure place. Most browsers will create that backup in PKCS#12 format. Instructions for common browsers are available:

If at any time you have questions about Code Signing Certificates please email certs@uchicago.edu.

Phishing Security Warning

The InCommon certificate service relies on clickable web links in email. Since that is a phishing hazard please copy and paste the URL into a browser and then review the URL prior to use. Please verify that the URL uses SSL (https not http) with a valid certificate and uses the cert-manager.com domain. If you have any questions about the validity of an email you receive, please contact certs@uchicago.edu before proceeding.
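The scheme and domain checks described above can also be done mechanically before the URL is opened. The following is an added example, not part of the original article or of any InCommon/Comodo tooling; the function name and the sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "cert-manager.com"  # the domain named in the warning above

def check_invitation_url(url):
    """Return (ok, reason) for a URL pasted from a certificate e-mail."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme != "https":
        return False, "scheme is not https"
    # "https://cert-manager.com@other.host/" connects to other.host.
    if "@" in parts.netloc:
        return False, "userinfo before the host"
    # Backslashes, non-ASCII look-alike letters and empty hosts all fail here.
    if not re.fullmatch(r"[a-z0-9.-]+", host):
        return False, "unexpected characters in host"
    # Exact domain or a subdomain only; a bare suffix match would accept
    # "notcert-manager.com", a prefix match "cert-manager.com.example.net".
    if host != TRUSTED_DOMAIN and not host.endswith("." + TRUSTED_DOMAIN):
        return False, "host is outside " + TRUSTED_DOMAIN
    return True, "https and " + TRUSTED_DOMAIN

# Constructed sample URLs (paths and tokens are made up for illustration).
SAMPLES = [
    "https://cert-manager.com/constructed/invite?token=abc",
    "http://cert-manager.com/constructed/invite?token=abc",
    "https://cert-manager.com.example.net/constructed/invite",
    "https://cert-manager.com@example.net/constructed/invite",
    "https://notcert-manager.com/constructed/invite",
    r"https://example.net\.cert-manager.com/constructed/invite",
]

if __name__ == "__main__":
    for u in SAMPLES:
        ok, why = check_invitation_url(u)
        print("OK    " if ok else "REJECT", u, "->", why)
```

This covers only the scheme and domain parts of the warning; whether the site presents a valid certificate is still checked in the browser when the page loads.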

Keywords: Authenticode csc sign signature ca cert x509 x.509 "code signing" "software publish" "certificate authority" incommon comodo tls pki
Doc ID: 19491
Owner: James C.
Group: University of Chicago
Created: 2011-08-02 18:00 CST
Updated: 2015-04-29 12:33 CST
Sites: University of Chicago, University of Chicago - Sandbox