Some time ago I have written a post about obtaining a code signing certificate to sign your Revit DLLs and satisfy their requirement for plugins. That article is here. It was written in March of 2017 as Autodesk was introducing that pesky pop up for plugins that were not signed with a code signing certificate.
We all hated these pop ups and wanted to get rid of them. At the time of writing that post I was kind of piggy backing on the suggestion from Harry Mattison over at Boost Your BIM, that mentioned that he got his certificate from a company called K-Software, for 5 years at not so small cost of $365. I have since then been getting my certificates from K-Software via COMODO via SECTIGO. I know, it’s convoluted but they are all intermediaries. I think COMODO is the actual certification authority and K-Software and SECTIGO just sell that thing, and provide validation. Yes, validation. This is where we get to the point of this article. Over the last 5 years, I had to validate myself with SECTIGO a couple of times, as they no longer sell 5-year certificates. New regulations force them to issue code signing certificates for 2/3 years at most. That’s annoying as hell. If anyone had to go through that process, you know my pain. It’s a disaster. It probably shouldn’t be, but SECTIGO is such a shit company that they really managed to turn me away from something that I absolutely need to do my job. Yes, I am no longer getting my certificates from SECTIGO. If 5 years ago I said that I am not endorsing any particular company, then today, I am telling you to stay away from SECTIGO. Their validation process will make you want to throw your computer against the wall.
So what’s the alternative? I tried something called Certum which is a subsidiary of a Polish company called Asseco. I figured I speak Polish, so I can deal with their website and process not being completely translated to English. Be wary, it’s not. A lot of their videos and documents have plenty of Polish in it. Anyways, I got a certificate from them, and it turns out that it was a mistake too. Their validation process was a little better, but the certificate that they issue is locked into their proprietary software called SimplySign and you can only use it on your desktop computer. You don’t get your PFX/private key from them, so you would not be able to use it for example in GitHub as part of the release workflow. I described that process here. That’s a no go. I was getting a little fed up at this point.
What about creating my own certificate? I don’t think it matters all that much whether my Revit plugins are signed with a certificate that was issued by a 3rd party, that validated that my company exist, that I am a real person, etc. That’s all important and fine, but is it necessary for something as simple as code singing of Revit plugins to avoid pop ups? I think it’s time to stop paying these companies to put me through endless validation process, just so I can obtain from them something that I can get on my own in 5 minutes. Here’s how.
Launch your Visual Studio as an Administrator.
Then go to Tools > Command Line > Developer Command Prompt
You should get this screen:
OK, now let’s type some code. The idea here is to do a few things:
- Create a Certificate Authority aka CA
- Save that CA into our certificate store
- Create a Code Signing certificate aka SPC
- Convert that code singing from PVK to PFX
That will prompt you with the following window asking for a password to your CA
Once you create that password you will get another prompt to now provide it
You should get a “Succeeded” message
OK, now let’s install that Certificate Authority for our current user. This will add it to the certificate store and make it a trusted certificate authority on your computer.
You will likely get a pop up asking you whether you trust that CA and really want to add it into your store. Click “Yes”.
Your command prompt will now show that the certificate was installed successfully.
Now we can use that CA to generate a Code Signing Certificate
Again, you will be asked to create a password for your Code Signing Certificate
Then you will have to provide that same password like before
Only this time there is going to be a third pop-up asking for the CA password from the previous step. The CA is referred to as “Issuer” here.
If everything goes well, you should get the following message in your command prompt
So far so good. The last step here is to convert the Code Signing Certificate from the PVK format to PFX which we can then use locally or remotely in GitHub.
The “YOUR_PASSWORD” in the above command refers to a 3rd password. This is the PFX file password that protects the private key embedded in the file.
You will get a prompt to provide a password created in the second step. This is your Code Signing Certificate password.
That’s it! That should create your PFX file that you can now use with signtool, and code sign your Revit plugins for free! This self signed code signing certificate won’t expire for another 17 years so you should be good to go for a while.
Now, be aware of the fact that this self-signed code signing certificate is not the same as one issued to you by a 3rd party. I guess the level of “trust” here would be a little different, but in this particular case, I don’t think it matters to me. I am fed up with paying money to companies that have just atrocious customer support. If you are using these code signing certificates literally to just sign Revit plugins, then there is no reason to obtain one from a 3rd party and pay a hefty price for it on top of all the hoops that they will make you jump through.
I hope this helps some of the AEC development community out there save some money and time.