Secure your Business Central extension code using a hardware token.

If you develop Business Central extensions, I’m quite sure you’ve published to AppSource. That is unless you exclusively develop on-premise extensions or stay within customer range. Anyways, we’re talking about publicly available extensions.

AppSource is a great platform, and it is well-suited for Business Central. Microsoft has done a great job in the Dynamics department. It must be very difficult for direct competitors to keep up.

Publishing to AppSource can be a very difficult endeavor, and each one of us has suffered through ever-changing requirements. You have to write generalized code, comply with localizations, fix bugs, and then compile, test, and sign the code. But this is where I ran into an issue. Of course, I’ve signed the code before, but my certificate had expired, and I went to go get a new one. I thought that I’d just have to go to the place where I’d gotten my last certificate and get a new one. Little did I know, I could no longer just buy my certificate and download it.

Some new standard had been introduced to improve all our lives and make things more secure and safe. Of course, we love safety and will do anything to comply; after all, what choice do we have? I had to go do some research, and I found that apparently “Starting in May 2023, new industry requirements from the CA/B Forum require that all code signing certificate keys are stored on an HSM or compliant hardware token.”

What a surprise; I thought that I was going to get my certificate within 30 minutes. Turns out that the most usual form this hardware token takes is a USB stick. I’m not sure if this USB has any specialized chips or whatnot, but I needed it yesterday. So I decided to go ahead and buy it. It’s worth noting that it used to cost around $99 a year for this Code Signing Certificate, which was an entirely fair price for authenticating yourself and your code. To my surprise, the new price for this more secure way to improve our lives is going to cost me over $300 a year.

What a rip-off, I thought. I almost didn’t want to buy it, but I had to. If I didn’t buy it, customers weren’t going to get their improved extension, which already had changed their lives. So I processed the order and the fun began. I had to authenticate myself through email, of course, and the certificate issuer had to do some sort of “validation” process. I’m guessing that they checked the validity of our company, D-N-B profile, maybe FEIN, and such.

Outside of being overly concerned with this new process and price, my urgency to get my certificate led me to call customer service and ask them if I was doing everything correctly and if there was anything I could do to expedite the process. A few things were remaining, and one of those things was a requirement to send in a selfie while holding an ID. Yes, they wanted a picture of me while holding my driver’s license. What a genius way to issue a certificate; they would know what I look like if my code ends up somewhere at the wrong place at the wrong time.

I would be found in no time. So, I took my driver’s license and phone, positioned myself in front of the front-facing camera, snapped a picture, and uploaded it to my account. Turns out the driver’s license wasn’t readable; it was too blurry to be acceptable to issue a code signing certificate. What could I do other than take another picture, which I did, and it was now acceptable.

Now I just needed to wait for the USB, and I couldn’t help but imagine the difference between now and then. Just a short year ago, I was able to get my certificate near instantaneously. Now it has to be shipped to me, and before it does I have to jump through many different hoops, which seems entirely unnecessary to me. Anyways, a day or two later I got an email saying that my certificate was in the mail. In the meantime, we had customers waiting to get an important update. We had fixed a few bugs and added features, and now we were ready to publish, but we didn’t realize that our certificate had expired. Yes, I had missed the date. It was there on the calendar, and I had ignored it. I thought, “I will do it when I get a few minutes”; after all, it would only take a few minutes out of my day.

This code signing certificate, while being the exact same certificate, is a whole new process and I’m sure it’s great and secure, but now I can’t just download or generate a pfx file, share it with my developer colleagues and sign away. I will have one USB and if my colleagues are in different countries, there wouldn’t be a convenient way to get the USB to them. This means that we’ll all have to share one USB, so perhaps we could plug it into a server and sign our apps from that server. Perhaps, we’ll see when I get it. In the meantime, I had a 3-week vacation coming up, and the USB would arrive a few days after I left. So, I told my colleagues at the office that the new certificate is coming in the mail.

It took a while to receive the certificate, and when I got notified that it was here, I immediately asked my colleague to turn on my computer at my desk and insert the USB. I could access my computer remotely since it was on GoToAssist. Very convenient while you’re away on vacation, and a great way to access clients’ computers or your own.

The only way to access my certificate was to install a utility software onto my computer. This utility is luckily documented on the certificate issuer’s website and was a no-brainer to install. I had never ever dealt with hardware keys, so this procedure was all new to me. “How do I generate my pfx file now?” I thought. The utility showed me the certificate. I saw it, and it looked like a version of Certificate Manager on my computer, but within this utility, and only one certificate is there.

SafeNet Authentication Client only shows one certificate

All new, and unfamiliar. I tried to export it as a pfx file, after all, the command we use to sign it states plainly in one of its parameters to specify a path to pfx file. I wasn’t able to export the pfx, so I decided to log a ticket with the company I bought it from, maybe they know something I didn’t, at this point I had considered that I knew just about nothing about this new process. So, sometime later an official answer came from Sectigo, “it is not possible to export pfx file because the private key on this hardware device is not accessible.” Ummm, what do I do then?

Perhaps we can use another command to sign the certificate? One without specifying the pfx file? Some research later, a quick decision came to my mind, follow-up on my ticket and ask Sectigo support “what do I do then?” when a pfx file is not possible, what do I do? According to my research we could use the certificate hash within the Sign command, almost like specifying the path, except more securely, I guess. Turns out there are many more switches available. If all you do for your job is code signing, definitely learn them all. Some of them surely could change your life forever. So, after some failures with my code signing adventure, a response from Sectigo gives me another suggested command with some different switches and parameters.

SignTool Error: This file format cannot be signed because it is not recognized.

A careful read of the command gives me some hope that this may just work, and we can finally publish the extension. Well, it should have worked, but it didn’t, I had gotten some weird error. But, I remembered I saw a switch that controls the level of output this code signing produces. I added the switch and got no further, the same pesky error continued to roadblock me. Roadblocks are meant to be solved in our industry, so I wasn’t going to let this one block me. My next question I was asking myself was “Am I using the right CodeSign.exe?” Maybe my Windows SDK is some old version and it’s not yet aware of this new code signing requirement that just got implemented. It seemed like a brilliant idea. It makes sense and therefore my colleagues and I explored it.

A quick search revealed that indeed I could use a newer Windows SDK, so of course we downloaded it, installed it and tried to sign again. I tried just that, and still received the same error; the same roadblock wasn’t solved. At this point I zeroed in on the CodeSign.exe, and its properties can show its version, last date modified, and whatnot. It had occurred to me: what if this new version I just installed placed the file somewhere else on my C drive? Sounds reasonable and logical, and therefore I explored it further. “Where can I find codesign.exe in windows,” I asked a search engine, and it answered with a few options. Following the path from one of the options revealed that there is another codesign.exe in that folder.

C:\Program Files (x86)\Windows Kits\10\App Certification Kit> signtool sign /sha1 [your certificate thumbprint] /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /n "[Your Organization Name as Appears on Certificate]" ":\path\to\fileToSign.exe"

It now only made sense to run my command from this location, which is again a reasonable and logical option, and which I immediately executed. And this time successfully; the output said, “Signed Successfully”. Finally, after all this time, I couldn’t believe it. Signed, while on a different continent, from my computer on the other side of the planet, using a certificate on a super-secure USB.
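
The steps described above (listing which copies of signtool.exe exist on disk, selecting the certificate by thumbprint instead of a pfx path, signing, then checking the result), as an added PowerShell example that is not part of the original post and not from Sectigo. It assumes the token's client software makes the certificate visible in the current user's certificate store; the parameter names and the preference for the App Certification Kit copy are illustrative.

```powershell
# Added example. Assumption: the hardware token is plugged in and its client
# software exposes the certificate under Cert:\CurrentUser\My.
param(
    [Parameter(Mandatory)] [string] $FileToSign,              # hypothetical parameter name
    [string] $TimestampUrl = 'http://timestamp.sectigo.com'   # URL quoted in the post
)

# 1. List every signtool.exe under the Windows Kits folder with its file version.
#    Several SDK installs can leave different copies, and PATH may pick an old one.
$kitsRoot = Join-Path ${env:ProgramFiles(x86)} 'Windows Kits\10'
$tools = Get-ChildItem -Path $kitsRoot -Filter signtool.exe -Recurse -ErrorAction SilentlyContinue |
    Select-Object FullName, @{ n = 'Version'; e = { $_.VersionInfo.FileVersion } }
$tools | Format-Table -AutoSize | Out-Host

# 2. Use the copy from the folder that worked in the post, by full path.
$signtool = ($tools | Where-Object FullName -like '*App Certification Kit*' |
    Select-Object -First 1).FullName
if (-not $signtool) { throw "No signtool.exe found in an App Certification Kit folder under $kitsRoot" }

# 3. Pick an unexpired code signing certificate and read its thumbprint.
#    The private key never leaves the token, so there is no pfx to point at.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No valid code signing certificate is visible. Is the token inserted?' }
Write-Host "Using $($cert.Subject) thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"

# 4. Sign by thumbprint with an RFC 3161 timestamp; the token may prompt for its password.
& $signtool sign /v /sha1 $cert.Thumbprint /tr $TimestampUrl /td sha256 /fd sha256 $FileToSign
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 5. Verify the signature against the default Authenticode policy before publishing.
& $signtool verify /pa /v $FileToSign
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }
```

The expiry date printed in step 3 is worth recording in a calendar or build check, since a replacement token has to be validated and shipped before signing can resume.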
