Share via

azure Trusted Signing short lived certificate

Roberto Grava 45 Reputation points
2025-03-07T08:16:54.8966667+00:00

I have created a Private certificate profile in the Azure trusted signing account method.

But it is valid for 3 days only, after 3 days, the certificate profile will get auto-renewal for the next 3 days. How can I manage to release my exe files to my customer ? Should I build a new executable every 3 days?

Artifact Signing
Artifact Signing

A fully managed end-to-end service for digitally signing code, documents, and applications. (formerly Trusted Signing)

Answer accepted by question author
  1. Vinodh247 42,051 Reputation points MVP Volunteer Moderator
    2025-03-07T13:44:35.5+00:00

    Hi ,

    Thanks for reaching out to Microsoft Q&A.

    In Azure Trusted Signing, when using a Private Certificate Profile, the short-lived certificate is designed to auto-renew every 3 days. However, this can introduce challenges when distributing signed executables to customers. Here are some options to manage releases efficiently:

    Options for Managing Releases:

    1. Automate the Signing Process:
      • Instead of rebuilding your executable every 3 days, you can automate the signing process using Azure DevOps pipelines, GitHub Actions, or custom CI/CD scripts.
      • Use Azure SignTool or signtool.exe in a scheduled job to resign your existing executables periodically. This ensures your binaries remain signed with an up to date certificate.
    2. Timestamp Your Signatures (Recommended)
      • Timestamping allows signed executables to remain valid even after the signing certificate expires.
      • If you include a timestamp when signing, the signature remains valid as long as the timestamp authority (TSA) confirms it was signed within the certificate's validity period.
      • Use a RFC 3161-compliant timestamping service in powershell -->SignTool sign /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 /a MyExecutable.exe
      • This ensures your customers can continue using the signed executable beyond the 3 day certificate renewal period.
    3. Switch to Public Certificate Profiles (If Feasible)
      • If your distribution model allows, consider using a Public Certificate Profile with Azure Trusted Signing.
      • Public CA certificates typically have a longer validity period and are more widely trusted.
    4. Use an Extended Validation (EV) Code Signing Certificate
      • If your goal is to avoid frequent renewals, consider using an EV Code Signing Certificate from a trusted provider like DigiCert, Sectigo, or GlobalSign.
      • EV-signed executables bypass Microsoft SmartScreen warnings and offer longer validity (typically 1 to3 years).

    Please feel free to click the 'Upvote' (Thumbs-up) button and 'Accept as Answer'. This helps the community by allowing others with similar queries to easily find the solution.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.