My Experience Getting A Code Signing Certificate From Comodo

I have been working in VBA for Microsoft Office 2007 lately. And if you haven’t used it yet, I can tell you there have been significant changes in macro / VBA security versus Office 2003.

Basically, getting a VBA macro / module that hasn’t been digitally signed to run in Word 2007, Excel 2007 or Access 2007 requires the end user to go through a fairly complicated process — if his network’s group policies even allow unsigned macros to run — with many scary warnings against running unsigned code thrown in for good measure.

So I really needed to get a code-signing cert. And after looking around on the Web for places to get one, I settled on Comodo, via Tucows.

Tucows will sell a Comodo certificate for $75 per year, or $195 for three years — which, while not cheap, is less than half the cost some certificate authorities charge for a one-year cert, and a significant discount over Comodo’s published prices.

Update, 29 November 2015: Note that this article is quite old. Pricing has changed.

There’s not a lot on the Web about the experience and process of getting a certificate from Comodo, so I thought I would share some advice.

There’s No Privacy In Code Signing

It’s important to note that you can get a code-signing certificate from Comodo, issued in your name, even if you aren’t incorporated or want a code-signing certificate only for personal use. Many other sites state that Comodo will not issue code-signing certificates to individuals; that once was the case, but I got my cert as a private individual.

If you apply for a Comodo code-signing certificate as an individual, your name will appear as the publisher; you cannot use an alias or DBA name. For example, if your name is Bob Smith, and you do business as The Software Place, your cert will bear the name Bob Smith; it cannot bear the name The Software Place. If you want to use The Software Place as the publisher name, you need to incorporate The Software Place and apply under that corporate name.

That said, if you are a conspiracy theorist, or simply don’t like sharing personal details with others, you won’t like Comodo’s vetting process one bit. This isn’t one of those $30 SSL certificates you can get for your Web site with a smile.

Which serves as a useful segue. A code-signing certificate can’t be used as an SSL certificate; it’s a single-purpose document.

Required: A Domain Name Under Your Name

However, in order to get a code-signing cert from Comodo as an individual, you need a domain name that lists you as the contact. The contact records should show the address that will appear on all your vetting documents — more on those shortly — and a real phone number for which you can produce a bill.

You’ll also need an e-mail address within that domain, to communicate with Comodo.

You will want to have the domain name, and its associated e-mail address, ready before you purchase your cert through Tucows.

You can, in theory, use a domain with private registration. Domains By Proxy, for example, will charge you $15 to create an “authorization letter” that will inform Comodo that you are associated with the domain name.

I didn’t go that route, because I have some experience with registrar issues and vetting processes, and know that the key to a quick approval is to remove as many potential obstacles as possible; an authorization letter is just begging for trouble.

I chose, instead, to cancel the private registration for my domain, create a special e-mail address for Comodo’s correspondence, and temporarily correct my contact info; after I received my certificate, I changed my contact records to alternate addresses and deleted the e-mail address.

The Documents You’ll Need

Before you attempt to get a code-signing certificate as an individual, you need to round up some documents. These documents must all bear the same address, and that address must be the same as the address on your domain. This is critical.

The first document you need is identification: either a driver’s license or a passport. You will be asked, via an e-mail from Comodo, for a copy of one shortly after you apply (in my case, about 20 minutes after purchase). You can e-mail a scan of your license to Comodo, or send it via fax.

Note that when Comodo first contacts you for this document, they do so from an unmonitored address; you’ll need to direct your reply to a different e-mail address. This is all described in the message they send to you.

Comodo did not say whether a state ID card would suffice as identification; since I have a driver’s license, I used that, so I can’t say whether a state ID card is sufficient.

After Comodo gets the copy of your ID, they will later (in my case, the next day) ask, again by e-mail, for three more documents:

  • A utility bill, such as a water / gas / electric / tax bill, which bears your name and address. I sent an income tax statement. More on that momentarily.
  • A bank statement or check that bears the name and address that will appear on your certificate. I sent a voided check.
  • A telephone bill that shows your name and phone number. The phone number needs to be the same as the number on your domain name’s contact record. I sent a Vonage invoice.

I use Vonage as a “junk” phone number that I hand out to people I don’t know well, companies / stores who ask for it, and others who I’d just as soon have leave a message. It’s among the best $20 a month I spend.

I love talking to people I know well on the phone, but I hate speaking to strangers on the phone, and it shows.

My feeling: It’s less rude to make strangers leave a message, and get back to them when I am prepared, than it is to put either of us through my terse on-demand stranger chat, which often comes off as disinterest or annoyance but is actually my having little or nothing to say.

Update, 29 November 2015: I now use MagicJack as my throwaway number. It costs less than $40 per year. I would not recommend it for everyday use: sometimes the phone doesn’t ring when there’s a call; calls are often dropped; quality can be spotty; and it’s a real bandwidth hog. But for taking voicemail messages or a rare call, it works fine.

It took about a day for Comodo to respond to these items; I believe that’s because I sent the income tax notice, rather than a property tax bill, which is what they really meant by “tax bill.” Or, it might be that I was applying for the code-signing cert under the name “Doug Vanderweide,” but some of the documents I supplied use my full name.

Again, the fewer bumps you place in this road, the smoother the ride is going to be.

On Day 3, Comodo sent me an e-mail indicating they would call me. I received that phone call on Day 4, from a woman who asked for me, identified herself and said she would be issuing the certificate within 15 minutes, which she did.

Important Technical Notes

Which brings me to some important technical notes, namely the inevitable “big mistake” that all such ventures must, by their nature, cause me to make.

I would strongly recommend that before you purchase your certificate through Tucows, you visit Comodo’s support site and register for an account, using the e-mail address you will supply to them for your cert.

You can’t send e-mail to Comodo unless you have a support account — even if you are replying to their message — and you can use the support Web site to communicate with Comodo, including the ability to upload your documents through their Web site. (I sent my license to them via e-mail and the remaining documents, I uploaded through the support site.)

Also, you really, really, really want to use Internet Explorer when you purchase your cert and fill out Comodo’s form. Authenticode — Microsoft’s name for its code-signing tools — expects to find your code-signing cert in the Windows certificate store, which is the store Internet Explorer uses and exposes under Internet Options.

I made the mistake of using Firefox, and I’ll explain how to recover from that shortly.

One more really important note: If you intend to create drivers for Vista 64-bit, or create other code that works directly with the kernel, you can’t use a Comodo cert; they aren’t authorized to sell kernel certs. You can find a list of providers who are here.

Purchasing The Certificate

You’ve got your domain name, e-mail address, phone number, phone bill and other identifying documents together; you’ve ensured that they all bear the same address and phone number; you’ve created user accounts at Tucows and Comodo Support.

Now, fire up IE, log in at Tucows, click the Code Signing Certificates link, select the term you want under the Comodo side, and click Next.

You’ll be directed to a payment page. Once your transaction is approved, you’ll be taken to the form that provides Comodo with your registration information. You shouldn’t have to worry about any of the settings there; just provide the minimum information requested, but make sure the information you supply matches your documentation.

Once you’ve completed the form, which is two pages, you’ll get a message from Tucows telling you to await first contact from Comodo — which, again, will be an e-mail requesting your ID.

Installing Your Certificate: Browsers Matter

When you’ve been approved, you’ll receive an e-mail containing a link and retrieval code to get your cert. You must use the same computer used to request the certificate, in order to retrieve it, and you should use the same Web browser.

For example, if you filled out the order form in Internet Explorer and try to retrieve the certificate with Firefox, you may not be able to install the certificate at all. (At least, that’s what Comodo claims; I did not face this issue because I used Firefox for the whole process.)

You simply provide your retrieval key in the form at the link — if the code isn’t filled in for you — and a couple of dialog-box clicks later, you should see the certificate listed under the Personal tab of Start –> Control Panel –> Internet Options –> Content –> Certificates.

You want to back this key up immediately. Tech Pro explains how to do so here.

If you’re a dummy like me, and you use Firefox for the ordering process, your certificate will not be installed in the same store used by Internet Explorer; it will go into Firefox’s certificate store.

You should then use the certificate export feature in Firefox both to back up your certificate and to import it into IE’s store. Firefox exports the certificate and its private key as a .p12 (PKCS #12) file; that’s fine, because IE can import that format without trouble.
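As an added example (not from the original post), the following PowerShell script imports the .p12 file exported from Firefox into the per-user Windows store that Internet Explorer and Authenticode read, and confirms before adding it that the file actually carries a private key and the Code Signing usage. The file path is a placeholder; the password is whatever you typed when exporting.

```powershell
# Added example: import a Firefox-exported .p12 into CurrentUser\My (the "Personal"
# tab in Internet Options) and confirm it is usable for Authenticode signing.
# $p12Path is a placeholder; point it at your own export.
$p12Path = 'C:\backup\codesign-export.p12'
$p12Pass = Read-Host -Prompt 'Password used when exporting from Firefox' -AsSecureString

# PersistKeySet keeps the private key in the user's key container after import;
# Exportable lets you back the key up again later from the Windows store.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'Exportable, PersistKeySet, UserKeySet'
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($p12Path, $p12Pass, $flags)

# Check the Extended Key Usage extension for the Code Signing OID (1.3.6.1.5.5.7.3.3).
$codeSigningOid = '1.3.6.1.5.5.7.3.3'
$eku = $cert.Extensions |
       Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$isCodeSigning = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $codeSigningOid })

if (-not $cert.HasPrivateKey) { throw 'Export did not include the private key; redo the Firefox backup.' }
if (-not $isCodeSigning)      { throw 'This certificate is not a code-signing certificate.' }

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()

# Read it back the same way Authenticode tooling will find it.
Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Format-List Subject, Issuer, NotAfter, Thumbprint, HasPrivateKey
```

If the final listing is empty, the import did not land in the store that Internet Options shows, and signing tools will not see the certificate.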

VBA Signing: You Need To Add Registry Keys

One of the problems with code signing is that once your certificate expires, so does the signature you placed on your code. Buy a one-year cert today and sign a program; 366 days later, your cert expires and your code throws the same sort of scary messages about expired certificates you sometimes see on the Web.

That is, unless you timestamp your signatures. When you timestamp, Comodo’s timestamp server “co-signs” your signature, attesting to the time it was made; because your certificate was valid at that moment, Comodo continues to testify to your program’s legitimacy even after the certificate has expired.

Timestamping is handled easily by Visual Studio’s built-in code-signing tools. But timestamping is not built in to Microsoft Office 2007; if you want your macros and modules to work after your certificate expires, you have to manually configure your registry to enable VBA timestamping.

While Comodo makes no mention of how to do this, VerisignCACert does. You just need to change the timestamping server value from the one at Verisign to http://timestamp.comodoca.com/authenticode.

Instructions on how to sign your Office 2007 VBA code can be found at GlobalSign, another certificate authority.
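As an added example, not from the post or from either certificate authority, here is the registry change described above written as a PowerShell script: it points Office’s VBA signing at the Comodo timestamp server named in the text and reads the result back so a typo is caught before you sign anything. TimeStampRetryCount and TimeStampRetryDelay are the optional values Microsoft documents next to TimeStampURL; the retry numbers used are my own choices.

```powershell
# Added example: enable timestamping for Office VBA project signatures.
# Office reads these per-user values at startup, so restart Office afterwards.
$vbaSecurity  = 'HKCU:\Software\Microsoft\VBA\Security'
$timestampUrl = 'http://timestamp.comodoca.com/authenticode'   # Comodo TSA named in the post

if (-not (Test-Path $vbaSecurity)) {
    New-Item -Path $vbaSecurity -Force | Out-Null
}

# TimeStampURL is the value the VeriSign/GlobalSign instructions have you edit.
New-ItemProperty -Path $vbaSecurity -Name 'TimeStampURL' `
    -Value $timestampUrl -PropertyType String -Force | Out-Null

# Optional retry settings documented alongside TimeStampURL; 3 tries, 5 seconds apart
# are example choices, not defaults taken from Microsoft.
New-ItemProperty -Path $vbaSecurity -Name 'TimeStampRetryCount' `
    -Value 3 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $vbaSecurity -Name 'TimeStampRetryDelay' `
    -Value 5 -PropertyType DWord -Force | Out-Null

# Read the values back and fail loudly if the URL did not stick.
$cfg = Get-ItemProperty -Path $vbaSecurity
if ($cfg.TimeStampURL -ne $timestampUrl) { throw 'TimeStampURL was not written as expected.' }
$cfg | Select-Object TimeStampURL, TimeStampRetryCount, TimeStampRetryDelay
```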

10 Comments

  1. Just wanted to say thanks for doing all the leg-work here so people like myself didn’t have to, it made the whole process of getting a digital certificate from Comodo via Tucows much easier than it otherwise would have been!

  2. Thanks for your information. It has been so helpful.

    I have a similar problem. I have also contacted Comodo on this. I used both Excel4 macro language and VBA to automate a small program that I developed for a client in Excel 2007.

    Please, can a Comodo code signing certificate auto-enable/stop the pop-up security alerts that always come up to enable macros in Excel 2007?

    My problem is that I don’t know whether a code signing certificate can digitally sign Excel4 macro language and VBA at once.

    MY ISSUES
    I developed a small package for a client with Microsoft Excel 2007 to handle their stock details. I used both Microsoft Visual Basic for Applications (VBA) and Microsoft Excel 4.0 macros to automate its processes.

    My client is tired of seeing “Security Warning - some active content has been disabled” any time the file is launched with MS Excel 2007.

    1. I need to eliminate this Security Warning that keeps popping up every time
    2. I want the Excel program to auto-enable macros

    I will appreciate your quick reply on this issue.

    Thank you,

    Abdul-Waliu Balogun
    TECHNOLOGY EMPIRE NIGERIA

  3. @Abdul-Waliu: My expectation would be that Authenticode, Microsoft’s code-signing system for Office VBA, would also cover XLM4. That Office 2000 fully supports both XLM4 and Authenticode suggests as much. But I cannot be sure, as I haven’t written an XLM4 macro in probably 10 years.

    Microsoft advised back in 2006 that XLM4 could be removed in future versions of Excel. As you are now developing your solution in Excel 2007, it makes sense to follow Microsoft’s advice and use only VBA, which can accomplish all the tasks XLM4 can address. I know that may be time-consuming and require reprogramming solutions you have long been using, but I would not bank on XLM4 being supported for too much longer.

    While on the topic of the security warning dialogs, I should also note: A code-signing certificate doesn’t prevent security warning dialog boxes from appearing, in and of itself. The code-signing cert only identifies, in those dialogs, that the code originates from you, and provides the option for the user to implicitly trust your signed code. The user will continue to get the security warning from your document until he checks the box to always trust software from you. If the user does that, the security warnings will disappear — unless your code is later modified, or your certificate expires and you didn’t timestamp your signature.

  4. Doug–

    Thank you so much for this posting. I saved a ton of money by buying my certificate through tucows, and it was really helpful having a walk-through guide on the process.

    –eric

  5. Wait until you need a VeriSign Class 3 code-signing certificate, where you need a notarized copy of your passport and a legalized signature (i.e. you must go in person to a notary office, and handwrite and sign the documents before his eyes)…

  6. I am so disappointed. I guess my 3 years of writing software, and dream of creating a company are over, cause I am not succumbing to this complete invasion of privacy. It’s the NWO yet again, working as government lap dogs and collectors of information from the new slaves.

  7. Thanks for the article. I’m about to buy the authcode cert from tucows and came across your article when searching for help in proceeding with the purchase. Bookmarked the same!
