OnPrem Signing Certificate


I'm trying to start a thread for us to discuss the latest bombshell that we have 6 days to provide our own code signing certificates. My previous attempt is "Awaiting Moderation", which may just be because I included a URL in the post?

While it feels very much like a final attempt to kill off the on-prem user base, there's no real benefit discussing that other than venting, so I'm looking to see if anyone's research so far has turned up an affordable way of acquiring code signing certificates.

The likes of DigiCert, SSL etc seem to come out at several hundred $/year in the first year, possibly dropping from there once you own a suitable storage method for the certificate.

Azure Trusted Signing looked promising for a while at a few $ a month - but is currently only available to USA and Canada based businesses, so rules out the rest of us.

Does anyone have any other sources?

Thanks
Andrew

2
Perry Diels

@GMCfourX4: We're in the same boat. Purchased a perpetual license when it was Elsinore and always paid for yearly maintenance, even after it became ConnectWise. Regarding the current situation, we have not been informed as we should have been; chat support was very confusing (heard different scenarios) and during the so-called ScreenConnect Experience events they ignored the questions they did not want to answer. No response from support via e-mail either (except the automated mails that the cases would expire...).

As you say, we have paid for the ScreenConnect product with perpetual (lifetime) usage and there's no reason to involve end-customers with license revocation issues.

I've been informed this situation is not legal... but I'm not 'yet' sure how to carry on. For the time being we are testing alternative products from other vendors. Some have even better features onboard, others not, it depends what one exactly needs. But we are not willing to pay for signed certificates ourselves, it's expensive and too complicated in our situation. Especially without any help from CW.

You are right, we should receive a version that works. Especially as we're in paid maintenance until April 2026. 

1
Wardrop
Quote from GMCfourX4

Does anyone here own a perpetual license? We purchased from Elsinore Technologies before ConnectWise bought them, and now ConnectWise is giving us the runaround. We had a perfectly functional on-prem server until they shut us down (a year and a half ago, give or take), then gave us a patched version to run and now they've effectively shut us down again with this certificate revocation. We're just trying to find a version we can install that we are allowed to sign ourselves, but so far they won't even give us that information. Does anyone know what to ask for?

In some ways, that's part of the risk with perpetual software that is out of maintenance/support. At any moment some incompatibility or showstopper could arise that makes your older version unusable. There could be a Windows update next week that does the same. I don't think you'd have much of a leg to stand on.

I think the previous patch was supplied as a security issue and I'm assuming was trivial to patch the older versions. The changes related to code signing are unlikely to be so trivial. With this latest certificate revocation, I suppose you can keep running it with the revoked certificate, it's just you'll run into issues with Windows and A/V potentially trying to block it.

To clarify, we run a perpetual license with active maintenance going back to the Elsinore days as well. We get really good pricing on ScreenConnect so even with the code signing certificate it's still a bargain.

The process of obtaining and installing a code signing certificate didn't end up being overly arduous, there were just a few things that weren't immediately clear from both ScreenConnect's side and the process of actually procuring a code signing cert and getting it into Azure Key Vault. The actual process itself, if I had to do it again, would be quite straightforward.

@Perry Diels, I think it'd only be a legal issue if the main or sole intent was to block perpetual license holders out of maintenance from running the software, which clearly isn't the case here. I'm not defending ScreenConnect though, they should have been more proactive in coming up with a better long-term solution (e.g. architectural changes) BEFORE it became an emergency. Code signing like they were, and now expecting customers to get a code signing certificate are both ridiculous. I'm guessing if still owned by Elsinore we perhaps wouldn't have been faced with this situation.

1
GMCfourX4
Quote from Wardrop

In some ways, that's part of the risk with perpetual software that is out of maintenance/support. At any moment some incompatibility or showstopper could arise that makes your older version unusable. There could be a Windows update next week that does the same. I don't think you'd have much of a leg to stand on.

I think the previous patch was supplied as a security issue and I'm assuming was trivial to patch the older versions. The changes related to code signing are unlikely to be so trivial. With this latest certificate revocation, I suppose you can keep running it with the revoked certificate, it's just you'll run into issues with Windows and A/V potentially trying to block it.

To clarify, we run a perpetual license with active maintenance going back to the Elsinore days as well. We get really good pricing on ScreenConnect so even with the code signing certificate it's still a bargain.

The process of obtaining and installing a code signing certificate didn't end up being overly arduous, there were just a few things that weren't immediately clear from both ScreenConnect's side and the process of actually procuring a code signing cert and getting it into Azure Key Vault. The actual process itself, if I had to do it again, would be quite straightforward.

@Perry Diels, I think it'd only be a legal issue if the main or sole intent was to block perpetual license holders out of maintenance from running the software, which clearly isn't the case here. I'm not defending ScreenConnect though, they should have been more proactive in coming up with a better long-term solution (e.g. architectural changes) BEFORE it became an emergency. Code signing like they were, and now expecting customers to get a code signing certificate are both ridiculous. I'm guessing if still owned by Elsinore we perhaps wouldn't have been faced with this situation.

@Wardrop The situation is NOT one where we applied an operating system upgrade that "broke" another party's software. ConnectWise has proactively "reached out" to cause existing on-prem servers to be unusable (as they did in early 2024) or untrustworthy (as they just did in 2025). This was functional, paid-for software which they "broke", and then try to coerce us into spending hundreds of thousands of dollars on their SAAS platform.

This is as if the manufacturer of your automobile remotely turned your car off and wouldn't give you access to make it run anymore.

You must be a shill for ConnectWise if you think you can justify their actions.

0
Wardrop

I can't say I agree. The certificate was revoked by a certificate authority which is a 3rd party. This isn't something ConnectWise have orchestrated in the sense of planned obsolescence. There'd be more effective ways to do that if that was their intent, and it would likely start with them no longer selling a perpetual license which they still do by the way.

It's the result of perhaps poor software architecture decisions and a lack of proactivity. It reflects badly on ConnectWise as it should, but it's more a result of incompetence rather than any kind of conspiracy forcing users to the cloud.

1
Perry Diels

@GMCfourX4

I agree with you... the software is running on the same supported OS and nothing has changed, hence there's no reason for the software to stop working. When we have acquired the software what do we know if third party components are necessary or even included under the hood. As you make a comparison with a car, I can add to that that we don't have anything to do with 3rd party components. For example: At this moment there are problems with airbags with certain car brands (no need to mention them here) ... but the customers don't have to contact the concerned airbag manufacturers for a solution, or pay themselves for a good one from another brand. They have a deal (and warranty) with the car brand and it's the latter that has to take responsibility. Same if we sell a self-assembled PC-system to a customer... if it stops working, we're going to find a solution without saying that it is out of our scope, because a 3rd party component stops working!

@Wardrop I feel you have a certain sympathy for ConnectWise. I agree with the part that ConnectWise has (most likely) not deliberately made this choice - I'll leave that open - but it's their responsibility to make sure that their application keeps working as to what customers have paid for. As long as this is running on a supported system (OS ...), that is.


I don't believe in the conspiracy theory either, but you are correct that it's a lack of proactivity and incompetency. They may have had many support cases when this came up, but even now after +3 weeks there's still no response from them; no solutions or any further helpful info... I don't see any excuse here.

0
mal
Quote from GMCfourX4

Does anyone here own a perpetual license? We purchased from Elsinore Technologies before ConnectWise bought them, and now ConnectWise is giving us the runaround. We had a perfectly functional on-prem server until they shut us down (a year and a half ago, give or take), then gave us a patched version to run and now they've effectively shut us down again with this certificate revocation. We're just trying to find a version we can install that we are allowed to sign ourselves, but so far they won't even give us that information. Does anyone know what to ask for?

Hi GMCfourX4, you want a key or the installer?

0
GMCfourX4
Quote from mal

Hi GMCfourX4, you want a key or the installer?

We're just trying to get an installer that we can sign, and we're getting the run around from ConnectWise, even though it's a problem as a direct result of actions they took. So frustrating.

1
Brent Pirolli

We have our Azure Key Vault working, digicert code signing cert in there, plugin installed for azure certificates in SC... installers are signed and timestamped... but STILL can't push re-install or auto-updates to PC users. EXE downloads fail... MSI work. Remote support sessions with clickonce launcher throw a server application error... this is a hot mess.

0
NetServicesGroup
Quote from Brent Pirolli

We have our Azure Key Vault working, digicert code signing cert in there, plugin installed for azure certificates in SC... installers are signed and timestamped... but STILL can't push re-install or auto-updates to PC users. EXE downloads fail... MSI work. Remote support sessions with clickonce launcher throw a server application error... this is a hot mess.

@Brent Pirolli How did you get the e-mail address and time stamp working?

0
Brent Pirolli
Quote from NetServicesGroup

@Brent Pirolli How did you get the e-mail address and time stamp working?

I posted 24 hours ago but it's still left "on moderation" apparently, as ConnectWise runs this forum about as well as their software updates... I had a link in the post to some documentation that apparently flagged the post. Here's the rest of it:

Total newbie here to Code signing... I am not seeing a timestamp on my signatures either. I am signed properly with my Digicert via Azure Key Vault... I tried editing the web.config and just after the line with:
<add key="CodeSigningProviderType" value="AzureKeyVault" />

I added:

<add key="CodeSigningTimestampServerUrl" value="URI_OF_TIMESTAMP_SERVER" />

...and that did nothing.

Then I realized that was a placeholder you used and I have to put in the actual URI of my cert provider's timestamp server:
<add key="CodeSigningTimestampServerUrl" value="http://timestamp.digicert.com" />

That works!

Edit: Email still shows as "Not Available" but there may be some key/value that would populate that if you need.
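
A check for the two settings discussed in the post above, as an added example that is not part of the thread or of ScreenConnect's own tooling: the first function reads the two `web.config` keys quoted in the post and flags a timestamp value that is still a placeholder, and the second reports whether a signed installer actually carries a timestamp. The function names and the file paths are assumptions for illustration; the key names are the ones quoted in the post.

```powershell
# Added example; not ScreenConnect code. Both paths are supplied by the caller.

function Test-CodeSigningConfig {
    # Reads the two <add key="..."> settings quoted in the post and lists problems.
    param([Parameter(Mandatory)][string]$WebConfigPath)

    $xml      = [xml](Get-Content -LiteralPath $WebConfigPath -Raw)
    $problems = [System.Collections.Generic.List[string]]::new()
    $values   = @{}

    foreach ($key in 'CodeSigningProviderType', 'CodeSigningTimestampServerUrl') {
        $node  = $xml.SelectSingleNode("//add[@key='$key']")
        $value = if ($null -ne $node) { $node.GetAttribute('value') }
        if ([string]::IsNullOrWhiteSpace($value)) { $problems.Add("$key is not set") }
        else { $values[$key] = $value }
    }

    # A placeholder such as URI_OF_TIMESTAMP_SERVER does not parse as an
    # absolute http(s) URI, so it is reported here.
    $url = $values['CodeSigningTimestampServerUrl']
    if ($url) {
        $uri = $null
        $isAbsolute = [System.Uri]::TryCreate($url, [System.UriKind]::Absolute, [ref]$uri)
        if (-not $isAbsolute -or $uri.Scheme -notin 'http', 'https') {
            $problems.Add("CodeSigningTimestampServerUrl '$url' is not an http(s) URL")
        }
    }

    [pscustomobject]@{
        ProviderType = $values['CodeSigningProviderType']
        TimestampUrl = $url
        Problems     = $problems
    }
}

function Test-InstallerSignature {
    # Without a timestamp countersignature, the signature stops validating
    # once the signing certificate expires.
    param([Parameter(Mandatory)][string]$FilePath)

    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    [pscustomobject]@{
        File          = $FilePath
        Status        = $sig.Status
        Signer        = $sig.SignerCertificate.Subject
        SignerExpires = $sig.SignerCertificate.NotAfter
        Timestamped   = $null -ne $sig.TimeStamperCertificate
        TimestampedBy = $sig.TimeStamperCertificate.Subject
    }
}

# Usage (placeholder paths, replace with your own):
# Test-CodeSigningConfig -WebConfigPath 'C:\path\to\web.config'
# Test-InstallerSignature -FilePath 'C:\path\to\downloaded-installer.msi'
```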


