02-02-2021

Code-Signing- und TLS/SSL-Zertifikate: Alles Wichtige auf einen Blick

Code signing certificates ensure that code cannot be tampered with. They prevent malicious tampering with code to protect end-users.

Similarly, TLS/SSL certificates establish an encrypted connection between a browser or user’s computer and a server or website to protect end-users.

However, they are not the same thing and cannot be used interchangeably.

What is a code signing certificate?

Code signing certificates are used to authenticate the software developer or publisher of the software and to ensure that the software has not been altered or compromised. Software developers can use code signing certificates to digitally sign applications, drivers, executables and software programs as a way for end-users to verify that the code they receive has not been compromised by a third party. Ein solches Zertifikat enthält die Signatur des Herausgebers, den Firmennamen und bei Bedarf auch einen Zeitstempel.

Was ist ein TLS/SSL-Zertifikat?

SSL (secure sockets layer) is the standard technology for securing an internet connection by encrypting data sent between a website and a browser (or between two servers). SSL certificates prevent hackers from seeing or stealing any information transferred, including personal or financial data.

TLS (Transport Layer Security) ist eine aktualisierte Version von SSL, die noch stärkere Sicherheit bietet. Some still refer to security certificates as SSL because it’s a more common term, but when you buy from DigiCert, you get the most trusted, up-to-date TLS certificates.

Can I use a TLS certificate for code signing?

TLS certificates cannot be used for code signing. You must use separate certificates for code signing and for TLS.

Difference between code signing certificates and TLS certificates

Code signing certificates are used to encrypt software, whereas TLS certificates are used to encrypt connections on a website. However, both are used to protect end-users and companies.

If you don’t use these certificates, end-users will get warning messages that could prevent them from using your services.

  • If a user tries to download software that is not signing using a code signing certificate, then it will be flagged and a warning message will pop up.
  • If a user visits a website without a TLS certificate, the browser will display a “not secure” message next to the URL.
Do I need a code signing certificate?

You need a code signing certificate when deploying software and updates to protect your intellectual property, protect end-users, and meet industry and platform requirements.

Code signing certificates allow customers to verify that your code is authentic and has not been tampered with — protecting both you and your customers against fraud, malware and theft. Ihre Kunden erwarten, dass die Installation Ihrer Software nach dem Herunterladen reibungslos und professionell abläuft. Digitally signed programs can avoid warning messages during download and installation for better adoption.

Additionally, the partners, channels and platforms that distribute software expect you to safeguard their customers’ data and will require or expect code signing best practices.

Types of code signing certificates

DigiCert offers both code signing and EV code signing certificates. Code signing certificates offer an encrypted digital signature, while Extended Validation (EV) code signing certificates include all the standard benefits of digitally signed code plus a rigorous vetting process and two-factor authentication security requirement, so your users can have even greater confidence in the integrity of your applications. Plus, for Microsoft Defender SmartScreen Reputation filter, an EV code signing certificate gains you automatic trusted status to reduce warning messages and increase end-user trust.

How to manage code signing certificates

If not managed properly, code signing can put your business at great risk. Incidents like the SolarWinds attack are good examples of the consequences of poorly implemented code signing practices.

Studies show that over half of IT security professionals are worried about cybercriminals stealing or forging certificates to sign code or applications, yet less than a third consistently enforce code signing policies. To make code signing management simpler, DigiCert has innovative solutions for today’s enterprises.

Secure Software Manager in DigiCert ONE™ is a modern way of managing code signing, by enabling automated security across Continuous Integration/Continuous Delivery (CI/CD) pipelines with portable, flexible deployment models and secure key management. Der Secure Software Manager unterstützt Best Practices für das Code Signing, zum Beispiel pro Vorgang einmalige private Schlüssel und Zertifikate sowie On-Demand-Schlüssel und rotierende Schlüssel. Secure Software Manager is compatible with most popular platforms and libraries, like Docker, Microsoft Authenticode, Java, OpenSSL and Android. Mit dem Secure Software Manager lässt sich Code bequem in den Produktentwicklungsprozess integrieren, wobei kryptografische Vorgänge, das Signieren und die Verwaltung auf kontrollierte, nachvollziehbare Weise ablaufen.

UP NEXT

Einrichtung von DMARC für die VMC-Qualifizierung Ihrer Domain

Im Blickpunkt

02-16-2021

Neue Technologien und Regularien bringen Online-Identitätsprüfungen voran

Einheitliche Glaubwürdigkeits- und Risikoeinschätzung für die Identitätsprüfung dank neuen Anforderungen durch ETSI TS 119 461

Verschlüsseln und Entschlüsseln – ein immerwährender Wettbewerb

03-11-2021

Die gesellschaftliche Relevanz von Quantencomputern