OnPrem Signing Certificate


I'm trying to start a thread for us to discuss the latest bombshell that we have 6 days to provide our own code signing certificates; my previous attempt is "Awaiting Moderation", which may just be because I included a URL in the post?

While it feels very much like a final attempt to kill off the on-prem user base, there's no real benefit discussing that other than venting, so I'm looking to see if anyone's research so far has turned up an affordable way of acquiring code signing certificates.

The likes of DigiCert, SSL, etc. seem to come out at several hundred $/year in the first year, possibly dropping from there once you own a suitable storage method for the certificate.

Azure Trusted Signing looked promising for a while at a few $ a month, but it is currently only available to USA- and Canada-based businesses, so that rules out the rest of us.

Does anyone have any other sources?

Thanks
Andrew

2
Martin Plank

I also see the problem with the private key; I don't know how this is supposed to work?

"The new CA/B Forum rules require all Code Signing Certificates be provisioned and shipped on hardware-based tokens."

As far as I know this is not possible with ConnectWise Control?
Maybe they have changed something? We will see...

Regards,

Martin

5
Andrew Aldridge
Quote from Martin Plank

I also see the problem with the private key; I don't know how this is supposed to work?

"The new CA/B Forum rules require all Code Signing Certificates be provisioned and shipped on hardware-based tokens."

As far as I know this is not possible with ConnectWise Control?
Maybe they have changed something? We will see...

Regards,

Martin

Yes, others are saying it needs something like a "Yubikey 5C Nano FIPS", but how one passes that through to a VPS running ScreenConnect server is a mystery to me at the moment.

It seems ... unfortunate ... that SC didn't publish their guidance on obtaining and applying certificates at the same time as this announcement.

Why was it not an option to just remove the customisation and continue to sign with their certificate? If they can do it on their hosted solution, why isn't it valid for on-prem? Edit: I realise they'd need to bake in our relay URL, but that's not beyond the wit of man, surely?

6
MTHT

Outside of the extra cost for the Code Signing Certificates and the hurdles to acquire and use one, I would like to know how they expect an organization to sign their code? Are they planning to open source the code base or release it under some type of NDA so that I can provide my auditors the code that we are now signing?

2
Badges
Quote from MTHT

Outside of the extra cost for the Code Signing Certificates and the hurdles to acquire and use one, I would like to know how they expect an organization to sign their code? Are they planning to open source the code base or release it under some type of NDA so that I can provide my auditors the code that we are now signing?

[image attachment]

8
Jason Walker

This is downright shameful behavior from ConnectWise. How are WE expected to sign their code? They could ship a virus and we're expected to just blindly sign it like dummies? Why even have "personalized" installers? Just supply a generic agent installer for everyone and feed the settings/personalization as parameters during install.

6
Andrew Saucci

I guess it's time to start shopping for another vendor for our remote control software. This is just getting too unreasonable and unstable, and reasonability and stability are two things we need in a remote control product. I don't really care what the problems are; we just can't have our remote control solution built on sand, and cloud-based remote control products, like password managers, are simply a more inviting target for hackers because of the number of endpoints that can be compromised simultaneously by a successful criminal.

8
Andrew Aldridge

For me a key issue now is ... silence.

An overnight email, a 6 day deadline, town hall not planned until tomorrow, no explanation of how this is supposed to work.

Every minute that ticks by makes it less likely any of us can achieve this in the deadline provided, aside from the fact the whole thing sounds like an awful disaster that we wouldn't want to do anyway.

3
Doug Terborg
Quote from Andrew Aldridge

For me a key issue now is ... silence.

An overnight email, a 6 day deadline, town hall not planned until tomorrow, no explanation of how this is supposed to work.

Every minute that ticks by makes it less likely any of us can achieve this in the deadline provided, aside from the fact the whole thing sounds like an awful disaster that we wouldn't want to do anyway.

I can't put this any better than you have, and if I hadn't gotten this information from the ScreenConnect sub-Reddit I wouldn't yet know, even though I'm supposedly on all of the e-mail lists (I got e-mails regarding the BrightGauge issue this morning; nothing about ScreenConnect).

The fact that I get more information regarding this from Reddit than from ConnectWise themselves, and faster, is highly concerning.

2
Martin Plank

I just read the KB, so without Azure it's not possible to get the certificate?

1
Andrew Aldridge
Quote from Martin Plank

I just read the KB, so without Azure it's not possible to get the certificate?

That's my interpretation; it looks like the Certificate Signing addon for ScreenConnect only supports Azure HSM as a source for the certificate. That is, for the vault that the cert is stored in; you can source the actual certificate from any CA, but have to store it in the Azure vault, I believe.