30
votes

I've been assigned the task of buying a digital certificate for my company to sign our code. We develop applications in the Microsoft space - mostly WPF or Web Based.

I've investigated options and found Comodo to be well priced and responsive, and we're ready to go ahead and purchase a cert through them. However, in the signup form there are various private key options that I'm not too sure about, namely:

  1. CSP

    • Microsoft Base Cryptographic Provider
    • Microsoft Base Smart Card Crypto Provider
    • Microsoft Enhanced Cryptographic Provider v1.0
    • Microsoft Software Cryptographic Provider
  2. Key Size

    • 1024
    • 2048
    • 4096
  3. Exportable?

    • Yes / No
  4. User Protected?

    • Yes / No

Just wondering what all of this means, and what the best options are for our requirements? Any advice/suggestions would be appreciated.

Thanks heaps, Greg


3 Answers

27
votes

For "most purposes" the following options are recommended:

  • Microsoft Base Cryptographic Provider
  • Key Size: 2048
  • Exportable: Yes
  • User Protected: Yes

To be honest, I'm not familiar with the different CSPs, but the Base does the job every time for me.

  • Key Size makes the keys harder to crack, but more than 2048-bits for a short to medium term key (3-5 years) is ample (IMHO).

  • Exportable lets you export the private key/certificate pair - essential for backing it up!

  • User Protected means that you must enter a password every time that you want to use the cert - highly recommended to prevent accidental or malicious signing of code with your certificate.

10
votes

Historically, the "base" cryptographic provider had an artificial limitation on key lengths, and the "enhanced" provider had the limit removed. This allowed Microsoft to comply with US export laws, removing the enhanced provider in certain versions.

Apparently, with the changes to export law, Microsoft has removed the limitation from the base provider, allowing longer key lengths as well (but has kept the name for compatibility).

2
votes

Regarding "Microsoft Software Cryptographic Provider" - I think that should be "strong" (not "software").

In practice where I work, base gives a 512-bit key length (which is no longer supported or working on MS servers after a recent patch - read on KB2661254). You want at least 1024, but 2048 is a better choice.

Beware: The exportable private key is desired for backing up and/or bringing to another server (and required for signing code/scripts I think), but introduces the possibility of it falling into the wrong hands, whereupon undesirable scripts could be signed and run on your servers once you trust that cert! Take great care in where/how you store it and use a strong passphrase!

Double-check: You most likely need the Trusted Root CA Cert (the CA that issued the code signing cert) installed as well as your cert itself in "Trusted Publishers" to get signed PowerShell scripts to run.
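
An added example, not part of any of the posts above: a PowerShell function that reports, for each code-signing certificate already installed in the current user's store, the options discussed in this thread (provider, key size, exportable, user protected) plus the Trusted Publishers and chain checks from the last answer. The function name `Get-CodeSigningCertAudit` and the 2048-bit default are assumptions made for this example; reading `Protected` as the "User Protected" option is also an assumption.

```powershell
# Added example (hypothetical helper, not from the original answers).
function Get-CodeSigningCertAudit {
    param([int]$MinKeyBits = 2048)   # threshold suggested in the answers; adjust to policy

    $publishers = Get-ChildItem Cert:\CurrentUser\TrustedPublisher, Cert:\LocalMachine\TrustedPublisher

    foreach ($cert in Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert) {
        # Key size from the public key; stays $null for non-RSA certificates.
        $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $bits = if ($rsa) { $rsa.KeySize } else { $null }

        # Provider name, Exportable and Protected are exposed only for CSP (CAPI) keys.
        $provider = $exportable = $protected = $null
        try {
            $info = $cert.PrivateKey.CspKeyContainerInfo
            if ($info) {
                $provider   = $info.ProviderName
                $exportable = $info.Exportable
                $protected  = $info.Protected   # assumed to reflect "User Protected"
            }
        } catch { }   # CNG or inaccessible key: leave the three fields empty

        # Build the chain without revocation lookups so the check stays offline.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainOk = $chain.Build($cert)

        [pscustomobject]@{
            Subject            = $cert.Subject
            Thumbprint         = $cert.Thumbprint
            KeyBits            = $bits
            KeySizeOk          = ($bits -ge $MinKeyBits)
            Provider           = $provider
            Exportable         = $exportable
            UserProtected      = $protected
            InTrustedPublisher = ($publishers.Thumbprint -contains $cert.Thumbprint)
            ChainBuilds        = $chainOk
            ChainStatus        = ($chain.ChainStatus.Status -join ', ')
        }
    }
}

Get-CodeSigningCertAudit | Format-List
```

An exportable key with `UserProtected` false is the combination the last answer warns about: the key can be copied off the machine and used without a prompt.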