Inclusion of CodeSign Certificate Verification and Revocation URLs

What are CodeSign Certificates?

CodeSign certificates are used for all our binary files. To verify that the CodeSign certificates are correct and up to date, the machine running the binaries (e.g. dll or exe files) requires access to specific URLs and domains.


Safe listing requirements

The Sectigo Certificate Authority further advises that the exact names of CRLs and certificates can change. Because of this, we advise adding the following domains to the Inclusion List:

http://crl.sectigo.com/*
http://crt.sectigo.com/*
http://ocsp.sectigo.com/*

 

If SSL Certificate Revocation List checking is enabled in your organization, the SnapComms Content Delivery Network (CDN) uses the following URLs, which need to be safelisted:

*digicert.com

crl*.digicert.com

ocsp.digicert.com

cacerts*.digicert.com


Testing access to the CodeSign Certificate Authority URLs

To check whether CodeSign Certificate Authority is working, please follow these instructions:

1. Go to a signed dll or exe, right-click and select Properties.

2. Go to the Digital Signatures tab, select the SnapComms certificate and click Details.

3. In the details, click View Certificate.


4. In the certificate, go to Details and click Copy to File.


5. Follow the wizard to export as DER certificate file, e.g. snap.cer


6. Open a command line and CD to the folder where snap.cer is located

7. Use "certutil -URL snap.cer" to bring up the certutil GUI


8. On the right-hand side you will see a "Retrieve" box.

9. Use the three radio buttons to retrieve all three different items: Certs, CRLs and OCSP. All of these should work instantly and succeed (verified).
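
A scripted equivalent of steps 1 to 9, as an added example that is not part of the original article or SnapComms tooling: it exports the signer certificate from a signed file, lists the CRL, OCSP and issuer-certificate URLs embedded in it, and has certutil fetch them without the GUI. The script parameters and the default output path are assumptions; supply the path to your own signed dll or exe.

```powershell
# Added example (not SnapComms code). Save as a .ps1 and pass the path to any
# signed dll or exe; the output path defaults to snap.cer in the temp folder.
param(
    [Parameter(Mandatory = $true)] [string] $SignedFile,
    [string] $OutCert = (Join-Path $env:TEMP 'snap.cer')
)

# Steps 1-3: read the Authenticode signature and its signer certificate.
$sig = Get-AuthenticodeSignature -FilePath $SignedFile
if ($null -eq $sig.SignerCertificate) {
    throw "No Authenticode signature found on $SignedFile"
}
"Signature status: $($sig.Status)"
"Signer subject  : $($sig.SignerCertificate.Subject)"

# Steps 4-5: export the signer certificate as a DER-encoded .cer file.
$der = $sig.SignerCertificate.Export(
    [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($OutCert, $der)

# List the URLs the certificate points at. These are the ones the proxy or
# firewall must allow: CRL Distribution Points (2.5.29.31) and Authority
# Information Access (1.3.6.1.5.5.7.1.1, which carries OCSP and CA issuers).
$oids = '2.5.29.31', '1.3.6.1.5.5.7.1.1'
$urls = foreach ($ext in $sig.SignerCertificate.Extensions) {
    if ($oids -contains $ext.Oid.Value) {
        [regex]::Matches($ext.Format($true), 'URL=(\S+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
}
"URLs embedded in the certificate:"
$urls | Sort-Object -Unique | ForEach-Object { "  $_" }

# Steps 6-9 without the GUI: -urlfetch makes certutil retrieve the issuer
# certificates, CRLs and OCSP responses; -f forces retrieval rather than
# relying on cached copies, so the result reflects current network access.
certutil -f -urlfetch -verify $OutCert
"certutil exit code: $LASTEXITCODE"
```

Review the certutil output for the retrieval and revocation status of each certificate in the chain; a failure to fetch a listed URL points at a missing safelist entry.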
