GlobalSign Code Signing Certificate Installation

Woo hoo! I won a free Code Signing Certificate for Adobe Air. I thought this would be a perfect opportunity to check out the process of purchasing, installing, and using a CSR for the Nutrition in Medicine project. This will allow us to work out the kinks in the process of creating Air programs for our project. This turned into a two-step process.

Step 1: Certificate Request Process

The first step in the process was to “buy- using the nice promo code” a 1-year code signing certificate following the directions in the email. So I filled out the forms at the site, following the directions in the email.

My first mistake was to try to include the NIH funded Nutrition in Medicine project name as part of the validation process. We got a nice email from a GlobalSign Client Services Executive explaining the process of validating an organization.

The only entity that we could prove existed in our business/educational hierarchy was the University of North Carolina at Chapel Hill. That misstep caused an initial delay.

I won’t go into the exact humma humma but you need to have someone willing to put up their first born child as collateral or get a lawyer or an accountant to vouch for an entity’s existence. We decided to go up the educational institution food chain hierarchy to get our existence validated.

Alternatively if you can send a letter from an accountant or lawyer stating that the telephone number for University of North Carolina at Chapel Hill(NIM- Nutrition in Medicine) / University of North Carolina at Chapel Hill is xxxxxx.

We would need to verify that the accountant or lawyer is licensed to practice in the USA.

We sent the request to our department, which forwarded it to the Assistant Vice Chancellor and Controller, which forwarded it to the Office of the University Council.

Once the proof that we existed was received, I had to resubmit the request to GlobalSign again and then respond to a GlobalSign email (which wanted to confirm that indeed the email I submitted in the form was to me and that I do exist). Then I was finally sent the certificate to my confirmed email address. Now the fun began.

Step 2: Installation Process

The request was approved (We do exist and we are legitimate as well:) and I received an email containing the pem file and some links I needed to select to complete the installation process.

The first link in the process installs the signed certificate into the browser and PC from whence you made the code signing certification request.

In my case this was the Firefox 3 browser on my PC at work. I selected the link and was told I was at Step 10 which was the final step in the process. I needed to press the install button and away I would go. I selected the install button, submitted a secret password to use in Firefox to safeguard the certificate and voila I got the following two error messages:

“Unable to build a valid certificate chain for the signer.”

“This certificate can’t be verified and will not be imported. The certificate issuer might be unknown or untrusted, the certificate might have expired or been revoked, or the certificate might not have been approved.”

Arrgh. Being an engineer, I thought I would check out if the error messages were really valid. I proceeded to ignore the errors and check to see if the digital id was installed in Firefox.

Tools>Options>Advanced Icon>Encryption Tab> View Certificates button

Which caused a “Your Certificates” dialog to appear. Lo and behold, there was the certificate. Cool. I selected the backup button and saved the digital certificate in a file named csr.p12, in p12 file format, to use in Air.

Went to my Eclipse/Flex IDE and brought up a simple Air application.

Selected Export Release Build and loaded in the digital certificate with the secret password from Firefox. Flex proceeded to package the code, I selected the finish button and got the error message about unable to validate the certificate chain and the packaging of the program stopped.

Okay, time to go to the GlobalSign website and read some directions and do a little googling.

First, I went to the Code Signing Certificate page at GlobalSign, scrolled down the page and found the Adobe article on “Digitally signing an Air File” and a quick start guide which was not much help. (I had already followed that process.)

I also was able to locate a white paper from GlobalSign. Section 4, item 6 of this page hinted that I needed to use intermediate CA (certificate authorities). My next stop was the GlobalSign Support Centre: Code Signing Certificates web page.

On the right hand side was an ObjectSign Roots section. I selected the ObjectSign link. Getting warmer, links on page will let me Install the ObjectSign Root Certificates which were the intermediate chain CA’s.

Since I am running Windows XP, I selected the Binary DER links. The first and second link gave me some choices which I do not recollect, but the only checkbox option that seemed appropriate for code signing was the third/last one (the others appeared to pertain to server based certification).

Installed the three intermediate CA’s. Went back to my email, selected my installation link. Returned to the install button and pressed it. Woo hoo. First popup message indicated a successful installation. The second popup message was the same as last time. Aaarrrgh.

“This certificate can’t be verified and will not be imported. The certificate issuer might be unknown or untrusted, the certificate might have expired or been revoked, or the certificate might not have been approved.”

Being an engineer I went back and tried to use it again anyway. Tried my Air program generation again. NO Success, same errors.

Time to ask for help. Went to the following GlobalSign contact page and entered my SOB story into the support form request about how I was a newbie and did not know what I was doing (which was very true). They called me within the hour and got me up and running. :)

The first thing they did was have me install the digital id in the Windows keystore which I had not done. So I brought up my Internet Explorer 7, selected

Tools> Internet Options > Content Tab > Certificates Button(Middle of dialog) > Personal Tab > Import button.

The welcome to the Certificate Import Wizard dialog was revealed. Browsed and loaded my csr.p12 file, entered my password, selected both checkboxes:

Enable strong private key protection. You will be prompted every time the private key is used by an application if you enable this option.

Mark this key as exportable. This will allow you to back up or transport your keys at a later time.

Finished the export wizard. Tried to run Adobe Air again and still got an error message.

The agent then asked me whether I had regenerated the digital certificate after I loaded in the new intermediate CA’s in the Firefox browser. Hmm, I was not sure that I did it before or after the installation of the intermediate chain CA’s.

So I went back to Firefox, regenerated my csr.p12 file by selecting the backup button and entering my password. Selected the Export Release Build for my Air program and EUREKA! Success. Needless to say, all is well in Mudville today.
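
The fix in this post was to re-export csr.p12 after the intermediate CAs were installed, which points at the first export lacking the issuer chain. As an added example (not part of the original post, and assuming the `openssl` command-line tool is installed), the script below builds a constructed root, intermediate and signer, exports the signer with and without its chain, and checks each file; all subjects, file names and the password `demo` are made up for illustration.

```shell
# Added example: does a PKCS#12 export carry its issuing CA chain?
# Subjects, file names and the password "demo" are constructed.

# Number of certificates stored in a .p12 ($1 = file, $2 = export password).
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

# Succeeds only if the signer certificate chains to a self-signed root using
# nothing but the CA certificates bundled in the same file.
p12_chain_complete() {
  local t rc; t=$(mktemp -d)
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$t/leaf.pem" 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts -out "$t/ca.pem" 2>/dev/null
  if grep -q 'BEGIN CERTIFICATE' "$t/ca.pem" 2>/dev/null; then
    openssl verify -CAfile "$t/ca.pem" "$t/leaf.pem" >/dev/null 2>&1; rc=$?
  else
    rc=1   # no CA certificates in the file at all
  fi
  rm -rf "$t"; return "$rc"
}

# Build a constructed root -> intermediate -> signer hierarchy in directory $1,
# then export the signer without (bare.p12) and with (full.p12) the chain.
make_demo_p12s() {
  ( cd "$1" || exit 1
    exec >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Root CA" \
      -keyout root.key -out root.pem
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Intermediate CA" \
      -keyout int.key -out int.csr
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -extfile ca.ext -days 2 -out int.pem
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Signer" \
      -keyout leaf.key -out leaf.csr
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
      -days 2 -out leaf.pem
    cat int.pem root.pem > chain.pem
    openssl pkcs12 -export -inkey leaf.key -in leaf.pem -passout pass:demo -out bare.p12
    openssl pkcs12 -export -inkey leaf.key -in leaf.pem -certfile chain.pem \
      -passout pass:demo -out full.p12 )
}

demo=$(mktemp -d) && make_demo_p12s "$demo"
for f in bare full; do
  if p12_chain_complete "$demo/$f.p12" demo; then s="chain complete"; else s="chain missing"; fi
  echo "$f.p12: $(p12_cert_count "$demo/$f.p12" demo) certificate(s), $s"
done
```

Running `p12_chain_complete` against a real export before handing it to a packaging tool shows whether the file needs to be regenerated; it checks that the chain is present in the file, not that the root is trusted by any particular platform.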

