
The insane cost of code signing and SSL certificates delayed Putler’s next release

You haven’t seen updates from us lately, but we are working really hard in the background. I felt you deserve an update, so here goes!

Bug Reports from Multiple PayPal account support version

We received many bug reports after the initial multiple account version. We revised a lot of code to take care of them and are still testing and tying things together.

Enhancements

Along with that, we also added a few small enhancements – like showing only distinct dates in the sales grid. This reduces clutter and allows spotting date changes in the transaction list quickly. We also beefed up smart date options.

Another big performance / productivity improvement – which is still a secret

There is another big feature we have added, but I will write about it when we do the release! Ok, you can hate me till it’s released!

The real deal breaker – insane code signing certificate / SSL certificate costs

But what’s been holding us back from releasing an update is really the Code Signing Certificate.

A Code Signing Certificate is like a seal of trust. We encrypt and sign each release with a Code Signing Certificate. We’ve been using a certificate from Thawte for a year, but it expired on June 10th.

Truth be told, I did not want to keep spending a ton of money on secure certificates. An Adobe AIR code signing certificate from Thawte costs $300 every year. Mac and Windows are another $300 each. Thawte web server SSL certificates are another $250 for each domain. That’s a lot of money only on SSL certificates.

Searching for cheaper options

Google for cheap SSL certificates and you will get a boat load of results. There are lots of companies offering all kinds of SSL certificates – VeriSign, DigiTrust, GoDaddy, Comodo, InstantSSL, RapidSSL, GlobalSign – and many more. There are two things common though:

  1. They are all too confusing
  2. They are all still too expensive

So I had to look for more options…

And the winner is…

StartSSL.

The StartSSL website won’t create the greatest trust, but technically their certificates work and they are damn cheap – free! StartSSL charges for identity verification (rather than certificates), and that too is very reasonable.

While they even offer free SSL certificates, it cost us $120 in verification fees to get both an SSL certificate and a code signing certificate. And these are valid for 2 years, not just one. Not only that, the SSL cert is valid for multiple sub domains. And if I am thinking right, we can also issue certificates for our other domains. That’s a lot of savings!

Their support is good, and even their Founder/COO/CTO – Eddy Nigg – answers support questions.

Frankly, in more ways than one, StartSSL felt like us. Building great solutions, offering personal / human support, and trying to get big.

Technical Challenges

The transition wasn’t completely smooth though, primarily because of the technical complexities involved in getting and installing certificates.

  • First I tried getting a free web server SSL. I created a Certificate Signing Request (CSR) using MediaTemple’s web interface. Start SSL issued the certificate. But it wouldn’t install on MediaTemple. I created a new CSR, but StartSSL said I already have a certificate for that domain name, and can’t issue another one without revoking the first. Revocation costs some $25 though! Yikes!! So end of the road.
  • I then verified personal identity by paying $60 to StartSSL. Went fine and quick (faster than Thawte actually).
  • I thought I must do a Code Signing Certificate before moving forward.
  • Last time, I had created the Code Signing Certificate using Thawte’s website. And did not fully know how to go about it. After doing some searching, we found one article that explained creating a CSR using Mac OS X Keychain Access application.
  • So I created a CSR using Keychain Access and submitted that to StartSSL. The cert was issued in no time.
  • Code Signing requires both a private key and a certificate though. This realization, which occurred late, caused some big roadblocks. Why? Because I couldn’t figure out how to get the private key that was used to generate the CSR from Keychain Access. Bamm!
  • Ok, so a new Code Signing Certificate right? Tried that and hit the “cert already issued for this identity” limit. $25 revocation fee.
  • So I went ahead and got the organization identity verified with an extra $60. Again, this went smooth – was completed in just a few hours.
  • By this time, we had researched and fully understood the process of obtaining and applying the code signing certificate. Essentially: generate a private key, generate a certificate signing request using it, send the CSR to the certifying authority (StartSSL), get the certificate, create a pkcs12 key combination using the private key, certificate and a password, and use that .p12 file in Adobe AIR to sign the release. And yes, use the migration options to re-sign the release with our old expired certificate, so users don’t have a problem. Here’s a nice and clear explanation of how to do this using the command-line “openssl” tool.
  • So I felt it should be easy now. Went to create a new Object Signing Certificate (that’s what it’s called on Start SSL), but got the same error that I can’t create a new cert since one already existed on my account.
  • Time to ask for support once again. After a little back and forth, and discussion with Eddy, Start SSL guys revoked my original Object Signing Cert at no cost, as an exception.
  • I requested a new cert, got it immediately, and applied it.
  • All worked! Finally!
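
The key, CSR, certificate and .p12 sequence from the steps above, as an added example that is not from the original post or from StartSSL. File names, the subject, the password and the self-signed stand-in for the CA are assumptions; the match check covers the case hit earlier, a certificate issued for a private key that is no longer at hand.

```shell
#!/bin/sh
# Added example: private key -> CSR -> certificate -> PKCS#12 bundle.
# Paths, subject and password are constructed placeholders, not Putler's values.
set -eu

WORK=$(mktemp -d)
KEY="$WORK/codesign.key"; CSR="$WORK/codesign.csr"
CRT="$WORK/codesign.crt"; P12="$WORK/codesign.p12"
SUBJ="/C=US/O=Example Org/CN=Example Code Signing"

# 1. Generate the private key locally and keep the file; the CA never sees it.
make_key_and_csr() {
    openssl genrsa -out "$KEY" 2048 2>/dev/null
    chmod 600 "$KEY"
    # 2. The CSR carries only the public key and subject, signed with the key.
    openssl req -new -key "$KEY" -subj "$SUBJ" -out "$CSR"
}

# 3. Stand-in for the CA so the script runs offline: self-sign the CSR.
#    In the real flow the CSR is submitted and the CA returns the certificate.
fake_ca_issue() {
    openssl x509 -req -in "$CSR" -signkey "$KEY" -days 30 -out "$CRT" 2>/dev/null
}

# SHA-256 of the public key held in a certificate ("cert") or private key ("key").
pub_digest() {
    case "$1" in
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        key)  openssl pkey -in "$2" -pubout ;;
    esac | openssl dgst -sha256
}

# 4. True only if the certificate was issued for this private key.
key_matches_cert() {
    [ "$(pub_digest key "$1")" = "$(pub_digest cert "$2")" ]
}

# 5. Bundle key + certificate into the password-protected .p12 used for signing.
make_p12() {
    key_matches_cert "$KEY" "$CRT" || { echo "key/cert mismatch" >&2; return 1; }
    openssl pkcs12 -export -inkey "$KEY" -in "$CRT" -name "codesign" \
        -passout "pass:$1" -out "$P12"
}

make_key_and_csr
fake_ca_issue
make_p12 "constructed-password"
echo "wrote $P12"
```

For a real signing key, supply the password with `-passout env:VAR` or `-passout file:PATH` instead of `pass:`, which exposes it in the process list.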

Good, so that’s taken care of – insane SSL costs are now a thing of the past

It took me a while to get this going, and that caused delays, but now we have the certificate business taken care of.

What does that mean for you then?

And so, you can expect a release early next week! 😉