Share via

azure Trusted Signing short lived certificate

Roberto Grava 45 Reputation points
2025-03-07T08:16:54.8966667+00:00

I have created a Private certificate profile in the Azure trusted signing account method.

But it is valid for 3 days only, after 3 days, the certificate profile will get auto-renewal for the next 3 days. How can I manage to release my exe files to my customer ? Should I build a new executable every 3 days?

Azure Trusted Signing
Azure Trusted Signing
Trusted Signing is a Microsoft fully managed, end-to-end signing solution that simplifies the certificate signing process and helps partner developers more easily build and distribute applications.
190 questions
Accepted answer
  1. Vinodh247 30,916 Reputation points MVP
    2025-03-07T13:44:35.5+00:00

    Hi ,

    Thanks for reaching out to Microsoft Q&A.

    In Azure Trusted Signing, when using a Private Certificate Profile, the short-lived certificate is designed to auto-renew every 3 days. However, this can introduce challenges when distributing signed executables to customers. Here are some options to manage releases efficiently:

    Options for Managing Releases:

    1. Automate the Signing Process:
      • Instead of rebuilding your executable every 3 days, you can automate the signing process using Azure DevOps pipelines, GitHub Actions, or custom CI/CD scripts.
      • Use Azure SignTool or signtool.exe in a scheduled job to resign your existing executables periodically. This ensures your binaries remain signed with an up to date certificate.
    2. Timestamp Your Signatures (Recommended)
      • Timestamping allows signed executables to remain valid even after the signing certificate expires.
      • If you include a timestamp when signing, the signature remains valid as long as the timestamp authority (TSA) confirms it was signed within the certificate's validity period.
      • Use a RFC 3161-compliant timestamping service in powershell -->SignTool sign /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 /a MyExecutable.exe
      • This ensures your customers can continue using the signed executable beyond the 3 day certificate renewal period.
    3. Switch to Public Certificate Profiles (If Feasible)
      • If your distribution model allows, consider using a Public Certificate Profile with Azure Trusted Signing.
      • Public CA certificates typically have a longer validity period and are more widely trusted.
    4. Use an Extended Validation (EV) Code Signing Certificate
      • If your goal is to avoid frequent renewals, consider using an EV Code Signing Certificate from a trusted provider like DigiCert, Sectigo, or GlobalSign.
      • EV-signed executables bypass Microsoft SmartScreen warnings and offer longer validity (typically 1 to3 years).

    Please feel free to click the 'Upvote' (Thumbs-up) button and 'Accept as Answer'. This helps the community by allowing others with similar queries to easily find the solution.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.