代码签名证书到期时会发生什么? [英] What happens when a code signing certificate expires?
问题描述
我正在考虑从VeriSign或Thawte购买代码签名证书以与之签署XBAP。我的问题是这样:当证书过期时会发生什么? $ 299和$ 599是1年/ 2年证书的相当高的价格,如果我必须交付一个新签署的建筑,我的证书过期时,我将只处理创建自己的证书的麻烦现在。
I am considering purchasing a code signing certificate from VeriSign or Thawte to sign an XBAP with. My question is this: What happens when that certificate expires? $299 and $599 are pretty hefty prices for 1-year/2-year cerificates, and if I have to deliver a newly signed build to my customers whenever my certificate expires, then I'll just deal with the hassle of creating my own certificate for now.
我不喜欢创建自己的证书是很难分发到将使用我的XBAP的所有客户端机器。我的应用程序只会在LAN上使用,所以我想我可以总是使用Windows安装程序来安装我自己酿造的证书(虽然我不知道如何这样做 - 任何人都有任何想法。)
What I don't like about creating my own certificate is the difficulty in distributing it to all of the client machines that will be using my XBAP. My application will only ever be used on a LAN, so I suppose I could always use Windows Installer to install my home brewed certificate (although I'm unsure on how to do this - anyone have any ideas?).
如果我交付一个部分信任应用程序,这不会是一个问题 - 但我的应用程序需要Web权限,因为它会与WCF服务交谈,所以它在那个灰色区域在部分信任和完全信任之间,没有证书,当我尝试加载我的XBAP时,我得到了乐趣ole Trust Not Granted消息。
This wouldn't really be a problem if I was delivering a partial trust application - but my application needs Web permissions, since it will be talking to WCF services, so it is in that grey area between partial trust and full trust, and without a certificate, I get that fun ole Trust Not Granted message when I try to load my XBAP.
任何想法? >
Any ideas?
推荐答案
如果计划在封闭(LAN)环境中使用它,应该做什么是设置自己的CA. Windows Server版本包括易于使用的证书颁发机构,但更容易的是通过 openssl ,它由几个脚本组成。您可以在Windows上 Cygwin 或本机。这个demoCA包括几个perl / bash脚本,它们调用openssl命令来生成请求,签署证书/ crls等。
What you should do if you plan to use it in a closed (LAN) environment is to setup your own CA. Windows Server versions include easy to use Certification Authority but even easier is to setup a minimal CA by means of the demoCA provided by openssl, which consists of several scripts. You can run openssl demoCA in Cygwin on Windows or natively. This demoCA consists of several perl/bash scripts that call openssl commands to generate requests, sign certificates/crls, etc.
当你有自己的CA需要安装是您的CA根证书,因此将没有更多的麻烦来更新用户证书,因为CA证书将保持不变。通常,CA证书应该持续5-10年,但您可以根据需要进行配置(记住它是您自己的CA)。
When you have your own CA what you need to install is your CA root certificate so there will be no more hassles to update user certificates since the CA certificate will stay the same. Typically a CA certificate should last for 5-10 years, but you can configure as much as you want (remember that it is your own CA).
CA证书将安装在每台客户端机器上。如果您的应用程序信任Windows系统安全性,则应将其安装在IExplorer证书颁发机构密钥库中。如果使用Java应用程序,那么应该在您使用的Java密钥库中分发CA证书。
The CA certificate will be installed on every client machine. If your application trusts Windows System security it should be installed on IExplorer Certificate Authorities keystore. If you use a Java Application then you should distribute the CA certificate inside the Java keystore you use.
这篇关于代码签名证书到期时会发生什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
