OnPrem Signing Certificate


I'm trying to start a thread for us to discuss the latest bombshell that we have 6 days to provide our own code signing certificates; my previous attempt is "Awaiting Moderation", which may just be because I included a URL in the post?

While it feels very much like a final attempt to kill off the on-prem user base, there's no real benefit in discussing that other than venting, so I'm looking to see if anyone's research so far has turned up an affordable way of acquiring code signing certificates.

The likes of DigiCert, SSL etc. seem to come out at several hundred $/year in the first year, possibly dropping from there once you own a suitable storage method for the certificate.

Azure Trusted Signing looked promising for a while at a few $ a month, but it is currently only available to USA- and Canada-based businesses, so that rules out the rest of us.

Does anyone have any other sources?

Thanks
Andrew

3
omnichad

Even with the information given so far, I literally don't know what to do. I want to spend as little as possible, knowing I may be looking for alternatives, so no 3-year certificate.

I'm a sole proprietor with no employees. I cannot tell from anywhere whether I can even get a compatible certificate. Would I be able to use my business name, or do I have to use my first and last name as the legal entity?

This is ignoring the complexity of setting up Azure, which I don't think has any requirements. No clue why their add-on can't just support a physical hardware key (ignoring the time it takes to get here).


It sounds like it has to be DigiCert regardless of reseller and can be either OV or EV, but I'm not sure of even that.

1
Nathan Oldfield

Ummm... what email did you get? I have not seen anything about this, running SC on-prem. What was the subject? I'll go hunting for it.

Thanks

0
stephan
Quote from MTHT:

> For those considering staying with ScreenConnect, you might want to speak with your security auditors, as ours has strongly recommended we move to another platform.
>
> They stated "If ScreenConnect can sign using your certificate, what prevents them, or an attacker that is able to compromise their software, from signing anything they want using your certificate."
>
> We have already spoken to other providers and to clients who host their own instances and will not be renewing with ScreenConnect, and are establishing a plan to begin migrating our instance and client instances to a new platform within the next 30 days.
>
> We knew this day would come after the purchase of ScreenConnect but didn't expect it to come in this fashion or with this short of a timeline.
>
> Good luck to all those who remain!

That's actually a good point. Moving EV code signing certificates to HSM modules has been done in order to reduce the risk of misuse. An online support platform being able to sign arbitrary files (on the fly) is an awkward security situation.

Again I think session specific settings should not be included in the signed client but supplied by the user after executing the client application (as many other vendors of remote support software are doing as well).

2
MTHT

For those considering staying with ScreenConnect, you might want to speak with your security auditors, as ours has strongly recommended we move to another platform.

They stated "If ScreenConnect can sign using your certificate, what prevents them, or an attacker that is able to compromise their software, from signing anything they want using your certificate."

We have already spoken to other providers and to clients who host their own instances and will not be renewing with ScreenConnect, and are establishing a plan to begin migrating our instance and client instances to a new platform within the next 30 days.

We knew this day would come after the purchase of ScreenConnect but didn't expect it to come in this fashion or with this short of a timeline.

Good luck to all those who remain!

0
Andrew Aldridge

Is anyone able to confirm my belief that this code signing has no effect on the Mac or Linux clients, only Windows?

1
stephan

> Now that this customization is no longer possible, it creates a real
> operational issue for MSPs like us—especially in environments with
> strict security policies.

Maybe you can validate against your own code signing signature. That would be the better approach and more secure than just relying on naming conventions.
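As an added illustration of the signature-based check suggested here (example code, not part of the thread or of ScreenConnect): the script below verifies that a client executable carries a valid Authenticode signature whose leaf certificate matches the thumbprint of your own code signing certificate, so that an exclusion or allow decision is tied to the signer rather than to the file name. The thumbprint and folder path are placeholders that you substitute with your own values.

```powershell
# Added example, not from the thread: trust a client binary by its signer, not its name.
# Replace the placeholder with the SHA-1 thumbprint of your own code signing certificate
# (Get-ChildItem Cert:\CurrentUser\My shows it for certificates you hold locally).
$ExpectedThumbprint = 'PLACEHOLDER_THUMBPRINT_OF_YOUR_SIGNING_CERT'

function Test-ClientSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Thumbprint
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'Valid' means the chain is trusted AND the file's hash matches the signed hash;
    # 'HashMismatch', 'NotSigned' or 'UnknownError' all mean the file must not be trusted.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            Path    = $Path
            Trusted = $false
            Reason  = "Signature status: $($sig.Status)"
        }
    }

    # Compare the leaf certificate thumbprint, not the subject name: another certificate
    # with the same CN issued to someone else would otherwise be accepted.
    $actual = $sig.SignerCertificate.Thumbprint
    if ($actual -ne $Thumbprint.ToUpperInvariant()) {
        return [pscustomobject]@{
            Path    = $Path
            Trusted = $false
            Reason  = "Signed by unexpected certificate $actual ($($sig.SignerCertificate.Subject))"
        }
    }

    # A counter-signature timestamp keeps the signature valid after the cert expires;
    # surface its presence so you notice binaries signed without one.
    $timestamped = $null -ne $sig.TimeStamperCertificate
    return [pscustomobject]@{
        Path        = $Path
        Trusted     = $true
        Timestamped = $timestamped
        Reason      = "Signed by expected certificate $actual"
    }
}

# Usage (placeholder folder): check every client executable you are about to deploy.
Get-ChildItem -Path 'C:\Temp\ScreenConnectClients' -Filter '*.exe' -File |
    ForEach-Object { Test-ClientSignature -Path $_.FullName -Thumbprint $ExpectedThumbprint } |
    Format-Table -AutoSize
```

The same idea applies to allow-listing: AppLocker and WDAC publisher rules key on the signing certificate chain rather than on a path or file name, so once the client is signed with your own certificate those rules keep working however the executable is named.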

1
romain jamin

Hi everyone,

I'd like to raise another important point related to this change: the removal of the option to customize the name of the generated executable.

Until now, we used this feature to define specific antivirus/EDR exclusions for our clients. It was a simple and effective way to avoid false positives while maintaining control over deployments.

Now that this customization is no longer possible, it creates a real operational issue for MSPs like us—especially in environments with strict security policies.

Has anyone found a workaround or an alternative approach to deal with this new limitation?

Thanks in advance for your feedback.

3
stephan

Please provide the possibility of signing a static installer which already includes customizations like the relay server URL but doesn't add session-specific tokens or cryptographic material. This would give us the chance to sign the client with a certificate residing in a physical HSM module.

I don't mind if all of our customers download the same client and have to enter the session code after the client is executed. This would eliminate the necessity of having the signature process running for each session.

1
Andrew Aldridge

Yes, not being able to customise our own server's background image on the landing page really seems odd. How the heck is that linked in any way to client customisation security risks? It's not linked to code signing in any way at all.

4
luc igert

And the CA says: You have to pass Business Validation in order to get Cloud Code Signing. That may take 2-6 working days. So... great planning and communication, ConnectWise, once more! And surely being able to change the background of the ScreenConnect website was a HUGE security threat... This is what happens when the salesman gets in charge and the technical team goes into the background: products become worse and worse, customers get forced to go to the cloud, and eventually customers leave... Someone better think twice about whether this long-term strategy is a good idea for ConnectWise. We are long-standing customers, but I don't know how much more of this sour soup we can eat.
