What happens when a code signing certificate expires?

Question

I am considering purchasing a code signing certificate from VeriSign or Thawte to sign an XBAP with. My question is this: What happens when that certificate expires? $299 and $599 are pretty hefty prices for 1-year/2-year certificates, and if I have to deliver a newly signed build to my customers whenever my certificate expires, then I'll just deal with the hassle of creating my own certificate for now.

What I don't like about creating my own certificate is the difficulty in distributing it to all of the client machines that will be using my XBAP. My application will only ever be used on a LAN, so I suppose I could always use Windows Installer to install my home brewed certificate (although I'm unsure on how to do this - anyone have any ideas?).

This wouldn't really be a problem if I was delivering a partial trust application - but my application needs Web permissions, since it will be talking to WCF services, so it is in that grey area between partial trust and full trust, and without a certificate, I get that fun ole Trust Not Granted message when I try to load my XBAP.

Any ideas?

Recommended answer

What you should do if you plan to use it in a closed (LAN) environment is to set up your own CA. Windows Server versions include an easy-to-use Certification Authority, but even easier is to set up a minimal CA by means of the demoCA provided by openssl, which consists of several scripts. You can run openssl demoCA in Cygwin on Windows or natively. This demoCA consists of several perl/bash scripts that call openssl commands to generate requests, sign certificates/CRLs, etc.

When you have your own CA, what you need to install is your CA root certificate, so there will be no more hassle updating user certificates, since the CA certificate will stay the same. Typically a CA certificate should last for 5-10 years, but you can configure as much as you want (remember that it is your own CA).

The CA certificate will be installed on every client machine. If your application trusts Windows System security, it should be installed in the IExplorer Certificate Authorities keystore. If you use a Java application, then you should distribute the CA certificate inside the Java keystore you use.
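
The setup the answer describes, as an added example that is not part of the original answer: a private root CA valid for 10 years, with code-signing certificates issued and later renewed under it, so clients only ever need the one root. It uses plain `openssl` commands rather than the demoCA scripts; all file names and subject names are hypothetical.

```bash
#!/usr/bin/env bash
# Constructed example: a private root CA plus short-lived code-signing certificates.
# All names (Example LAN Root CA, release-1, ...) are hypothetical.
set -eu
WORK="$(mktemp -d)"

# Minimal OpenSSL config: extensions for the root and for code-signing leaves.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example LAN Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[codesign]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = codeSigning
EOF

# Self-signed root, valid 10 years. Only ca.crt goes to client machines.
make_root_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# issue_leaf NAME DAYS: new key + CSR, signed by the root with the codeSigning EKU.
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -subj "/CN=Example Publisher $1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -days "$2" -sha256 \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/ca.cnf" -extensions codesign -out "$WORK/$1.crt" 2>/dev/null
}

# verify_leaf NAME UNIX_TIME: does NAME chain to the root at that moment?
verify_leaf() {
    openssl verify -CAfile "$WORK/ca.crt" -attime "$2" "$WORK/$1.crt" >/dev/null 2>&1
}

make_root_ca
issue_leaf release-1 365
issue_leaf release-2 800   # stands in for a certificate renewed later
now=$(date +%s); later=$((now + 400 * 86400))
verify_leaf release-1 "$now"   && echo "release-1: valid today"
verify_leaf release-1 "$later" || echo "release-1: expired 400 days from now"
verify_leaf release-2 "$later" && echo "release-2: valid then, same root, no client change"
```

Only `ca.crt` needs to reach the clients; on Windows it can be imported into the Trusted Root Certification Authorities store with `certutil -addstore Root ca.crt` or pushed by Group Policy. `ca.key` stays with whoever operates the CA and is never distributed.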
