Code Signing Certificates with Expiry Dates and Timestamping

When I set about signing a Java deployment rule set with a code signing certificate, I noticed that my certificate had an expiry date of 1 year from the current date.  My initial thoughts were that I didn’t want all these Java applications to suddenly stop working in a years time because my code signing certificate had expired!  So i began to investigate code signing certificates with expiry dates and timestamping.

Code signing certificates with expiry dates and timestamping

You can purchase code signing certificates from a variety online stores or alternatively create a code signing certificate using Active Directory Certificate Services (ADCS).  Once you have a code signing certificate you can follow our guide to signing un-signed drivers to add a digital signature to your file (whether it be a driver or not).

Why Do Code Signing Certificates Expire

When a code signing certificate expires, you can no longer sign any content with it.  The reason they expire is for security purposes.  If they didn’t ever expire and the certificate fell into the wrong hands, anybody could impersonate your company forever!

Will Signed Content Stop Working When My Certificate Expires?

If you haven’t added a timestamp during the signing process, the signed content will check the certificate expiration date against the current date and fail if the certificate has expired.

However adding a timestamp during the signing process provides verification that the signing took place when the certificate was valid, and your signed content will be valid indefinitely.  Timestamping is a mechanism that ensures your digital signature remains trusted long after your Code Signing certificate has expired.