Digital Certificate - Requesting a Code Signing Certificate

Code signing certificates are available via the UWM Certificate Service. Code signing certificates or software publishing certificates can be used to digitally sign software executables and scripts. The digital signature can help users of the signed software to confirm that the software is genuine by authenticating the source of the software (i.e. who published it) and verifying the integrity of the content (i.e. the code hasn't been modified since signed).

Guidelines for UWM Departments and Areas Requesting and Using Code Signing Certificates

  • Code signing certificates may be issued to departments or similar entities on campus or in some circumstances to employees (staff or faculty) as individuals.
  • Only one certificate will be allowed per individual or entity at any given time.
  • Since code signed through this process will represent the University of Wisconsin - Milwaukee, certificates will only be issued to assist in publishing code that furthers the mission of the University.
  • A valid campus email address must be provided and added to the certificate as the subject alternative name.
  • Certificates for departments or similar entities will list that entity on the certificate as an organization unit.
  • Although details such as email addresses and departmental names will be listed on the certificate, most software used to verify the code signing certificate will only display the Common Name of the cert which will always be the organization, which in our case is "University of Wisconsin - Milwaukee.”
  • Individuals or entities responsible for a code signing certificate should take responsible measures to protect the certificate and associated keys:
  • The certificate and private key must be stored on a secure system that has access controls to limit use to only trusted individuals
  • The private key should be protected by a password that has strong complexity and a minimum of 12 characters.
  • If the security of the CSC is breached in any way the party responsible for the CSC should contact the Help Desk immediately and request the ticket be escalated to the Security and IAM teams.
  • If the individual or entity loses affiliation with the university (e.g. change in employment status for individual, renaming or reorganization of an administrative entity) the certificate should be revoked (and no longer be used).

  • The UWM Certificate Service Registration Authority Officers may revoke a certificate if there is evidence of misuse or concerns regarding the security of its handling. In that event, you will be notified and must immediately stop using the certificate.

How to Request a Code Signing Certificate

You should email your request for a code signing cert to cert-order@uwm.edu with the following  information:

Identifying Information

  • Faculty/staff as individuals: Provide full contact information for person requesting certificate (full name, campus email, campus phone, campus mailing address).
  • Departments or similar entities (not individuals): Provide the official name of department (or similar entity) with full contact information including campus email, campus phone number, and campus mailing address as well as contact information for the person requesting the certificate.
  • Provide a brief statement on plans for using the CSC (i.e. why do you want a certificate).
  • State that you understand and accept the guidelines for code signing certificates as described on this page.

The UWM Certificate Service RAOs will review the request and contact you to discuss. For departmental requests someone from the IAM team may also need to speak with an administrator for that department.

If your request is approved, the email address listed in the certificate will receive an invitation to request a certificate. That email will provide a URL for you to visit to accept the invitation and generate the cryptographic material needed for the certificate request. Your private key will be added to the certificate store for your system (for IE users) or your browser (non-IE users) at this time but you do not yet have a certificate. Note that the invitation email will be sent only to that account, so you must be able to access that account. Please see the notes below on phishing and browser choice.

Comodo will review your request. The process usually takes less than one business day, but please allow for at least two to three business days. Comodo will then sign your certificate and issue your certificate to you via a link in an email. Please note that you must use the same system/browser for accepting the invitation as you do downloading the issued certificate. Please see the notes below on phishing and browser choice.

You now have the only copy of the private key. You should immediately create a password-protected backup of your certificate and keys. Most browsers will create that backup in PCKS#12 format. Store this in a safe place.

Comodo Knowledge Base article: "How do I backup my Digital ID certificate? (Internet Explorer)"

Comodo Knowledge Base article: "How do I backup my certificate with Firefox?"

If at any time you have questions about Code Signing Certificates please contact the Help Desk.

PHISHING SECURITY WARNING

The InCommon certificate service relies on clickable web links in email. Since that is a phishing hazard please copy and paste the URL into a browser rather than click on the email and then review the URL prior to use. Please verify that the URL uses SSL (https not http) with a valid certificate and uses the cert-manager.com domain. If you have any questions about the validity of an email you receive, please contact cert-order@uwm.edu before proceeding.

Choice of Browsers and Certificate Stores

You must use the same system/browser for accepting the invitation as you do downloading the issued certificate. Comodo recommends that you use Windows and Internet Explorer for the process of generating a certificate signing request and downloading an issued certificate. Please note that if you do not use IE the downloaded certificate will be located only in the certificate store for that browser. In any case, you can export the certificate to move it to the appropriate certificate store. Note that the Google Chrome browser is not supported and will not work.