Menu
I recently acquired a code signing certificate for my employer, but I am not the InstallShield developer who will sign the binaries before distribution. I know I can export the certificate along with its private key, but where do I store it so the InstallShield developer can install it on his machine? Should I remove it from my machine once I give it to the person doing the signing? Where do I store the master copy? Obviously, source control is not the best place, unless I lock down that directory in SVN.
955
If you have not yet installed your certificate, then the most likely location of your private key is on the computer or server where you generated the key pair and CSR. When you generated the key pair, you saved two files: one that contains the public key and one that contains the private key.
Note: At no point in the SSL process does The SSL Store or the Certificate Authority have your private key. It should be saved safely on the server you generated it on. Do not send your private key to anyone, as that can compromise the security of your certificate.
Remember: a private key in conjunction with released signed binaries is your company's identity. Policies for handling such keys can't be strict enough.
Enforce that YOU are the only persion in your company who will be capable (and responsible) of signing executables.
If this is not an option then let all PKI-involved employees sign an explicit non-disclosure agreement with a high fine - a much higher sense of responsibility should be the result.
Store the master copy redundant on at least 3 drives at different geographical locations where you have exclusive access to. Also think about encrypting the copies with strong encryption algorithms like AES-256 (in a 7z file for example).
158
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
