Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

SSL certificate same as signing certificate? [closed]

Tags:

ssl-certificate

code-signing-certificate

Is a code signing certificate the same as a SSL certificate?

like image 933
CJ7 Avatar asked Mar 02 '12 04:03

CJ7

People also ask

What's the difference between a signing certificate and a SSL certificate?

SSL certificates encrypt the data in transit between two systems. Code signing certificates do not encrypt the software. Rather, a code signing certificate hashes the executable and attaches the digital signature of the software publisher.

Can a code signing certificate be used for SSL?

So no, you cannot use an SSL Certificate to sign scripts and executables and you cannot secure your website's connections with a Code Signing certificate.

What is SSL code signing?

Code Signing is a method of using an X. 509 certificate to place a digital signature on a file, program, or software update which guarantees that the file or software has not been tampered with or compromised. It's a means of providing an added level of assurance to the user that the item is authentic and safe to use.

What happens when a signing certificate expires?

What Happens When Your Code Signing Certificate Expires. When a code signing certificate expires, unless you choose to timestamp your code, it means that any software or applications that have code signed by the certificate are no longer trusted by Microsoft SmartScreen, Google Safe Browsing, and antivirus programs.

1 Answers

A code signing certificate is essentially the same as a SSL certificate. Both are used to sign some data to prove that the data (software package or web page content) come from the "subject" of the certificate. There are 2 major differences that I can think of:

  1. They have different "enhanced key usage" OIDs in the certificate. A code signing certificate can only be used to sign a piece of code. Nothing prevents you from signing with the wrong certificate, but the client (e.g. a web browser) will check all "enhanced key usages" listed in the certificate and reject the signature if the certificate does not contain appropriate OID (e.g. "code signing"). This means it's possible for one certificate to have both "code signing" and "server authentication" OIDs so that it can be used for both scenarios. But for security reasons nobody should do that.

  2. SSL certificate becomes invalid once it expires. But code signing certificate gets some special treatment. For example, if you bought some software 10 years ago, the code signing certificate used to sign it probably expired today. But combined with a time stamping service, it's possible to prove the software package was properly signed 10 years ago.

like image 101
Haitao Li Avatar answered Oct 01 '22 19:10

Haitao Li
Sign in to Comment

Related questions

NSURLErrorDomain Code=-1012 The operation couldn’t be completed

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!