security - Signing Windows Executables with self-hosted certificate
The question has been asked, and answered, how one can 'sign' a Windows executable; however, the answer requires the ongoing expense of a hosted certificate.
My company has a VPS we use for www, email, and version control, and it seems to me we could host our own certificate, albeit with rather less trustworthiness, but still sufficient for our clients.
We host a PEM certificate that a consultant sysadmin set up for our email (IMAP4) hosting; can we use it, and what is the procedure for 'signing' an executable and hosting the certificate? Presumably somewhere the URL of the hosted certificate is embedded in the attached ('signed') executable.
Here's a question on Server Fault that provides details on the PEM (there's quite a bit more than I think is prudent to copy/paste).
As far as self-signing, yes, you can do it, although not trivially. In addition to the work of setting it up, there is ongoing maintenance that can be a real pain if you don't know what you're doing well. The problem is two-fold:
- Your clients have to install the root CA cert of your VPS, or you have to install it for them. This is invasive and requires an administrator. Additionally, if the root CA ever changes (which it should, at least when it expires), you have to update the machines again.
- You assume substantial liability for the security of the system. If your VPS is compromised somehow, whether exploited/penetrated/spoofed, it's all the same: the attacker can impersonate your executable to the client. As you can imagine, this can have catastrophic consequences.
Self-signing is not advised for production environments or outside customers. There is a lot to know, and many ways to screw it up.
If cost is an issue, you should check out Comodo's code signing certificate offerings. They are the best priced and quite reliable. They were hacked a couple of years ago, but there was a lot the security field learned from the incident, and IMO it wasn't Comodo's fault.
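The procedure the answer describes, as an added PowerShell example that is not part of the original question or answer: it creates a self-signed code-signing certificate, signs a scratch copy of a system binary, and prints the signature status before and after the per-machine trust import that needs an administrator. The subject name, file names and the `Test-CodeSigningEku` helper are constructed for illustration, and a single self-signed certificate stands in here for a separate root CA and signing certificate.

```powershell
# Added example; subject, paths and helper name are constructed, not from the page.
$ErrorActionPreference = 'Stop'
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

# True only if the certificate's EKU extension lists code signing.
# A certificate issued for a mail/TLS server typically does not list it.
function Test-CodeSigningEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            return [bool]($ext.EnhancedKeyUsages | Where-Object { $_.Value -eq $CodeSigningOid })
        }
    }
    return $false   # no EKU extension present; treated as unsuitable in this sketch
}

# 1. Publisher side: self-signed code-signing certificate in the user's store.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Example Publisher (constructed)' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyAlgorithm RSA -KeyLength 3072 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1)
"Code-signing EKU present: $(Test-CodeSigningEku $cert)"

# 2. Sign a scratch copy of a system binary (stand-in for your own build output).
#    No timestamp server is used so the example runs offline.
$exe = Join-Path $env:TEMP 'signed-sample.exe'
Copy-Item (Join-Path $env:SystemRoot 'System32\where.exe') $exe -Force
$null = Set-AuthenticodeSignature -FilePath $exe -Certificate $cert -HashAlgorithm SHA256
"Status before trust import: $((Get-AuthenticodeSignature $exe).Status)"

# 3. Client side: the public certificate must be imported on every machine.
$cer = Join-Path $env:TEMP 'example-publisher.cer'
$null = Export-Certificate -Cert $cert -FilePath $cer
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
$stores = 'Root', 'TrustedPublisher'
if ($isAdmin) {
    foreach ($s in $stores) { $null = Import-Certificate -FilePath $cer -CertStoreLocation "Cert:\LocalMachine\$s" }
    "Status after trust import:  $((Get-AuthenticodeSignature $exe).Status)"
    # Remove the test trust anchor again; never leave a scratch root installed.
    foreach ($s in $stores) { Remove-Item "Cert:\LocalMachine\$s\$($cert.Thumbprint)" }
} else {
    'Not elevated: client-side import skipped, so the signature stays untrusted here.'
}

# 4. Clean up the scratch key pair and files.
Remove-Item "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
Remove-Item $exe, $cer
```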