Re-Sign Your Code Before Your Certificate Expires!

Updated: July 17, 1997

All software publishers who have developed controls for the Web should re-sign their code before their current certificate expires (which, for most publishers, will occur in the next couple of months). When you re-sign your code, it is important that you do so using the new timestamp option in the code-signing upgrade to the ActiveX Software Development Kit (SDK). Using the new timestamp option will assure that users continue to see that your signature is valid even after your certificate has expired.

To re-sign your code, you'll need:

Internet Explorer 3.02 with Authenticode 2.0 . (If you installed Internet Explorer 3.02 before June 13, 1997, you can download the Authenticode 2.0 update separately.)
ActiveX SDK for Internet Explorer
Code-signing tools update for Authenticode 2.0, available from the code re-signing tools download page. The download page also includes information on updated scripts and tools to help you update your users to Authenticode 2.0.

Below, we've provided answers to questions you may have about the Authenticode update for users, and about the need to re-sign all your controls before your certificate expires:

Why use the timestamp option?
Why is Microsoft releasing the Authenticode client update?
What actually happens on June 30?
Should you re-sign now, or wait until the expiration date on your certificate draws closer?
Once you re-sign your code, do you need to get a new certificate from Verisign?
Is there a cost associated with using the timestamping service from Verisign?
Is Microsoft working with other vendors to provide timestamping services?
Will the new signatures work with the Platform Preview of Internet Explorer 4.0?
Will third-party tools for signing self-extracting .exe's need to be upgraded?
Why do the certificates expire?

Why use the timestamp option?

When you use the timestamp option to sign your code, the signature is forever recorded as having occurred during the validity period of your certificate. Users will then always see that the signature is valid, even after the validity period of your certificate has expired.

Why is Microsoft releasing the Authenticode client update?

Microsoft is releasing the client update to roll out new Authenticode 2.0 software, which includes significant improvements and renews internal certificates that will soon expire. The improvements include:

Timestamping support, to verify that software was signed during the validity period of a publisher's certificate.
Support for the new code-signing format for publishers.
Renewal of internal certificates that will expire on June 30 on every Internet Explorer 3.x client for Windows® 95 and Windows NT® 4.0.

Microsoft is now encouraging all users to download the upgrade in order to renew Authenticode on their computers and incorporate the new features.

What actually happens on June 30?

If users have downloaded the Authenticode upgrade, here's what they will see after June 30:

If you have re-signed your code, users will see the same messages they do today regarding your code.
If you have not re-signed your code, all is fine with your code until your certificate expires. From that point on, users will see a message that your code is either unsafe to download (if they have security set to High) or that it is out-of-date (if they have security set to Medium).

If users have not downloaded the Authenticode upgrade, here's what they will see after June 30:

Whether or not you re-sign your code, users will get a warning that the control is either unsafe to download (if they have security set to High) or that it is out-of-date (if they have security set to Medium).

Bottom Line: To prevent users from receiving warning notices when they encounter your code, (1) you must re-sign your code before your certificate expires, and (2) users must download the Authenticode client update before June 30. As explained below, we have provided tools for you to help you update your users to Authenticode 2.0. They will then continue to see the proper Authenticode messages for your code.

Should you re-sign now, or wait until the expiration date on your certificate draws closer?

Microsoft recommends that Web publishers re-sign their code soon to avoid heavy demand on timestamp servers in late June and July, when most publishers' certificates expire. Due to proxy delays, it takes the servers approximately 5 seconds to process each signature. Heavy demand near the expiration deadlines could likely result in time-outs, requiring multiple attempts to obtain a valid timestamp. As explained below, there is a hitch to signing early, but Microsoft is providing script and a pointer to our download site to help resolve it.

Here's the hitch: If you re-sign your code well in advance of the June 30 deadline for users, many users won't yet have upgraded their Authenticode, so their browsers won't recognize your new signature.
Here's how Microsoft will help you resolve it: We've provided, on our code re-signing tools download page, tools that will help you update your users to Authenticode 2.0. We are providing two methods, automated and manual, for this purpose.

For the future:

Again, Microsoft strongly recommends that you use the code-signing upgrade's timestamp option, which will prevent you from having to re-sign your code again.

Once you re-sign your code, do you need to get a new certificate from Verisign?

No. You can continue to use your current certificate until it expires.

Is there a cost associated with using the timestamping service from Verisign?

No.

Is Microsoft working with other vendors to provide timestamping services?

Not at this time.

Will the new signatures work with the Platform Preview of Internet Explorer 4.0?

Yes, provided that users have downloaded the version of Authenticode 2.0 that will be posted on June 23. The version available before that date does not work with the Platform Preview of Internet Explorer 4.0. The final release of Internet Explorer 4.0 supports the timestamping service.

Will third-party tools for signing self-extracting .exe's need to be upgraded?

Yes. Microsoft is working with third-party tools vendors to make upgraded tools available as soon as possible.

Why do the certificates expire?

By design, certificates expire in order to prevent the indefinite use of a certificate. By creating this "valid time window" for a certificate, the design of Authenticode limits the potential damage that can arise from a compromised certificate.

Back to the ActiveX SDK home page