
I have created a self-signed certificate to sign my program. I noticed that importing the certificate using:

certutil.exe -addstore root "Tmp.crt"

makes UAC warnings "more friendly" (showing the publisher name) without paying hundreds to Certificate Authorities.

My program is intended for a small group of people. Is it safe to create a prompt asking users if they want to install the certificate to the "Trusted Root Certification Authorities" store? Assuming they already trust the program enough to allow starting it with administrative permissions.

Mona

2 Answers


If they import and trust your self-signed certificate, they are explicitly asked to trust you.

If you use a code signing certificate from an "official" (= paid-for) certificate authority, they are not asked to trust you explicitly, but they trust your certificate implicitly through that certificate authority. They have never been asked if they trust that authority, because it's trusted by the operating system for them.

As a consequence, I can't see how asking to trust your self-signed certificate would be more unsafe than relying on someone else's decision to trust a certificate authority. The only downside is that the user might be disconcerted by being asked something they are not usually asked.

You can increase security by making your program check the certificate it's been signed with to make sure it's indeed the one you self-signed.

not2savvy
  • Thank you for the reply! I would use the checksum of the certificate file, or perhaps even read it with certutil to check if fingerprints and other details match. I keep the private key and the password on an external USB stick that is not connected to the Internet, so the risk of a leak is very low. If I understood correctly, importing a self-signed certificate is not as dangerous as if it was a CA certificate (capable of signing other certs)? There's no risk that someone who hijacked this certificate would sign the "google.com" domain, etc.? It would only allow the name I signed, correct? – Mona Mar 02 '21 at 21:23
  • It shouldn't be possible to "hijack" the certificate if the private key is kept safely. But yes, you can limit the certificate so it can't be used for other purposes. – not2savvy Mar 02 '21 at 22:16
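The two points raised in this answer and its comments, the EKU-limited self-signed certificate and the program checking which certificate it was signed with, as an added PowerShell example (not code from the question or the answers). The subject name, file paths and the CurrentUser\My store location are assumptions; replace them with your own.

```powershell
# Added example; subject, paths and store are assumed placeholders.
$Subject = "CN=Example Publisher (self-signed code signing)"   # assumed
$ExePath = "C:\build\MyProgram.exe"                            # assumed
$CerPath = "C:\build\MyProgram-publisher.cer"                  # assumed

# 1. Create the self-signed certificate with its Enhanced Key Usage limited
#    to Code Signing (OID 1.3.6.1.5.5.7.3.3). -Type CodeSigningCert sets that,
#    so even when users import the public part into Trusted Root, Windows
#    will not accept it as an anchor for TLS (server authentication) chains.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject $Subject `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(3)

# 2. Sign the executable. This is the only step that needs the private key,
#    so it is the only step that has to run with the USB stick attached.
Set-AuthenticodeSignature -FilePath $ExePath -Certificate $cert `
    -HashAlgorithm SHA256 | Out-Null

# 3. Export only the public certificate. This .cer is what users import with
#    "certutil -addstore root"; it contains no private key.
Export-Certificate -Cert $cert -FilePath $CerPath -Type CERT | Out-Null

# 4. The check the answer suggests: confirm the binary is signed by exactly
#    the expected certificate, identified by thumbprint rather than by
#    subject name, because anyone can create a self-signed cert with the
#    same CN. Status is 'Valid' only on a machine that has already placed
#    the public cert in Trusted Root; elsewhere the chain does not verify.
function Test-ExpectedSigner {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return $false }   # tampered, unsigned or untrusted
    if ($null -eq $sig.SignerCertificate) { return $false }
    return ($sig.SignerCertificate.Thumbprint -eq $ExpectedThumbprint.ToUpperInvariant())
}

# Pin the thumbprint of the certificate you actually generated.
Test-ExpectedSigner -Path $ExePath -ExpectedThumbprint $cert.Thumbprint
```

The thumbprint to pin is the SHA-1 hash of the certificate as shown by `certutil -dump` or `$cert.Thumbprint`; store it in the program as a constant, not read from the certificate file at run time.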

It's not wrong but it could be unsafe if they are not getting your application from a trusted source. You could instead request a free certificate from the Let's Encrypt project. Here is a link to their getting started page:

Let's Encrypt Getting Started

  • Thanks for the answer. I use Let’s Encrypt, but it's only for SSL, and my post is about the Code Signing certificate. – Mona Mar 01 '21 at 21:07