OnPrem Signing Certificate


I'm trying to start a thread for us to discuss the latest bombshell that we have 6 days to provide our own code signing certificates, my previous attempt is "Awaiting Moderation" which may just be because I included a URL in the post?

While it feels very much like a final attempt to kill off the on-prem user base, there's no real benefit discussing that other than venting, so I'm looking to see if anyone's research so far has turned up an affordable way of acquiring code signing certificates.

The likes of DigiCert, SSL etc seem to come out at several hundred $/year in the first year, possibly dropping from there once you own a suitable storage method for the certificate.

Azure Trusted Signing looked promising for a while at a few $ a month - but is currently only available to USA and Canada based businesses, so rules out the rest of us.

Does anyone have any other sources?

Thanks
Andrew

1
scremote
Quote from Wardrop

The main question I have is, what is the recommended action if a code signing certificate cannot be acquired or implemented by July 7th? Should we update ScreenConnect, or stay on the previous latest version? Can anyone at ScreenConnect confirm that if we upgrade without a cert that everything will still work, except for potentially running into warnings and Windows SmartScreen issues, etc?

I just need to know if we'll be able to install the agent still, AND whether all existing agents will continue to work. If somebody could provide clarity on that then at least we can plan our course of action and prioritise what we need to do.

I don't think ConnectWise could have handled the communication of this any worse to be honest.

I think there were some earlier comments about this that determined that running with unsigned clients (updating) was better than running clients with a revoked certificate (leaving as is).

But yes - I believe this is unclear as well.

It would seem that either case may get flagged by security software after the deadline and block connections/quarantine (besides the warnings you may see if they don't)

But I'm not the expert.

We need alternative options from Connectwise.

1
Wardrop
Quote from scremote

I think there were some earlier comments about this that determined that running with unsigned clients (updating) was better than running clients with a revoked certificate (leaving as is).

But yes - I believe this is unclear as well.

It would seem that either case may get flagged by security software after the deadline and block connections/quarantine (besides the warnings you may see if they don't)

But I'm not the expert.

We need alternative options from Connectwise.

It's also my understanding that only the certificate used for signing the installer will be revoked. Am I correct to assume the certificate used to sign the actual executables and DLLs (e.g. ScreenConnect.ClientService.exe) will be unaffected? Have ScreenConnect indicated what certificate is actually being revoked?

0
omnichad

Someone could compare the signing certificate between the executables in the new release and the certificate for the installer in last week's release. I don't know how myself.
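
One way to do the comparison described in the post above, as an added example that is not part of the original thread and not ConnectWise tooling: PowerShell's `Get-AuthenticodeSignature` reads the signer certificate from each file, so the installer's certificate thumbprint can be compared with the one on each installed EXE/DLL. Both paths are placeholders to replace with your own files.

```powershell
# Added example. Both paths are placeholders; neither comes from the thread.
$InstallerPath = 'C:\Temp\PLACEHOLDER-previous-installer.msi'
$InstallDir    = 'C:\PLACEHOLDER\installed-client-folder'

function Get-SignerInfo {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate   # $null when the file is unsigned

    # Build the chain with online revocation checking so a revoked signer
    # is reported in ChainStatus (evaluated at the time the script runs).
    $chainStatus = 'NoSignerCertificate'
    if ($cert) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        [void]$chain.Build($cert)
        $chainStatus = if ($chain.ChainStatus) {
            ($chain.ChainStatus.Status | Sort-Object -Unique) -join ','
        } else { 'NoError' }
    }

    [pscustomobject]@{
        File        = Split-Path -Path $Path -Leaf
        Status      = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Subject     = $cert.Subject
        Serial      = $cert.SerialNumber
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        Timestamped = [bool]$sig.TimeStamperCertificate
        ChainStatus = $chainStatus
    }
}

$installer = Get-SignerInfo -Path $InstallerPath
$binaries  = Get-ChildItem -LiteralPath $InstallDir -Recurse -File |
    Where-Object { $_.Extension -in '.exe', '.dll' } |
    ForEach-Object { Get-SignerInfo -Path $_.FullName }

$installer | Format-List | Out-Host
$binaries |
    Select-Object File, Status, Serial, Thumbprint, ChainStatus,
        @{ Name = 'SameCertAsInstaller'
           Expression = { $_.Thumbprint -and ($_.Thumbprint -eq $installer.Thumbprint) } } |
    Format-Table -AutoSize | Out-Host
```

A matching thumbprint means the file was signed with the same certificate as the installer; differing serial numbers under the same subject mean the publisher used separate certificates.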

4
mal

I, like some of you, am in the same boat. Single person, no staff and a few clients. I only use SC once or twice a day for short periods with clients or to look at my own internal PCs/Servers. It's not like I have a team of Techs and 000's of clients.

I can't justify ~AU$900-$1100 for Azure and Code Signing Certs annually, especially when they mean absolutely nothing. I am not putting my good name on someone else's code that I can't inspect and review.

Come on CW, you need to do better than this. Loyal customer for 15 years, but sadly, looking elsewhere now. Alternatively come up with a simpler solution. Even a Sipeed KVM per PC is looking cheaper now.

0
Nathan Oldfield
Quote from mal

I Like some of you are in the same boat.  Single person, no staff and a few clients.  I only use SC once or twice a day for short periods with clients or to look at my own internal PCs/Servers.   It's not like I have a team of Techs and 000's of clients.  

I can't justify ~AU$900-$1100  for Azure and Code Signing Certs annually, especially when they mean absolutely nothing.   I am not putting my good name on someone else's code that I can't inspect and review.  

Come on CW, you need to do better than this.  Loyal customer for 15 years, but sadly, looking elsewhere now.  Alternatively come up with  simpler solution.  Even a Sipeed KVM per PC is looking cheaper now..

Fellow Aussie here. You don’t need that super expensive option, you just need Azure Key Vault premium tier.

Based on what you describe your usage as I would suggest taking a look at Action1. Awesome patching system with vuln reporting and remote control.  Not the same functionality as SC but it works.  

Happy to show it to you if you like. 

1
mal
Quote from Nathan Oldfield

Fellow Aussie here. You don’t need that super expensive option you just need azure key vault premium tier.  

Based on what you describe your usage as I would suggest taking a look at Action1. Awesome patching system with vuln reporting and remote control.  Not the same functionality as SC but it works.  

Happy to show it to you if you like. 

It's not just Azure Vault Premium, it's getting a CodeSigning Cert at US$400+/yr.

Just evaluating SplashTop at the moment,  more troublesome, but a lot cheaper.   I'll take a look at Action1, not heard of that.  

0
Nathan Oldfield
Quote from mal

Its not just Azure Vault Premium, its getting a CodeSigning Cert at US$400+/yr

Just evaluating SplashTop at the moment,  more troublesome, but a lot cheaper.   I'll take a look at Action1, not heard of that.  

Action1 is free for up to 200 endpoints. So it’s cost effective :-)

1
mal
Quote from Nathan Oldfield

Action1 is free for up to 200 endpoints. So it’s cost effective :-)

Oh wow, I'll take a look for sure then...

0
rob follett
Quote from mal

I Like some of you are in the same boat.  Single person, no staff and a few clients.  I only use SC once or twice a day for short periods with clients or to look at my own internal PCs/Servers.   It's not like I have a team of Techs and 000's of clients.  

I can't justify ~AU$900-$1100  for Azure and Code Signing Certs annually, especially when they mean absolutely nothing.   I am not putting my good name on someone else's code that I can't inspect and review.  

Come on CW, you need to do better than this.  Loyal customer for 15 years, but sadly, looking elsewhere now.  Alternatively come up with  simpler solution.  Even a Sipeed KVM per PC is looking cheaper now..

Similar situation, and agree with all the above - pensioner in UK using SC to monitor local network and run occasional free support sessions for volunteers in local community groups. Currently looking at simple-help.com which at least is a one off payment rather than annual rental model.

1
MyThoughts

This is an absolute debacle, similar to everyone else we are scrambling for answers and looking at our options.

We all need an answer from ConnectWise if the ScreenConnect executables and service files were signed with what will be a revoked certificate on July 7th.

My initial digging into this shows the certificates found on the DLL/EXE files are all fine and do not show any revocation upcoming.

Can someone from ConnectWise chime in and let us know if it is just the certificate that was used to sign old installers that is being revoked?
