
Windows authenticode certification expiry #2415

Closed
rvagg opened this issue Aug 19, 2020 · 20 comments

Comments

@rvagg
Member

rvagg commented Aug 19, 2020

Your DigiCert certificate expires in 89 days.

Certificate Details
Requested by: Rod Vagg
Common name(s): Node.js Foundation

You can renew your certificate by going to https://www.digicert.com/secure/orders/2077763/

It's going to be ~$1.5k to renew for 3 years I think. This will need someone with access and who wants to interact with the foundation to drive it forward and get a renewal. There is also the question about renaming the Foundation name too like we've been looking at for our Apple account.

@mhdawson
Member

I've emailed @brianwarner (and included @joaocgreis) to loop him in so that the Foundation can pay directly like we did in some other cases recently.

@mhdawson
Member

mhdawson commented Sep 9, 2020

Have a meeting tomorrow to see if @brianwarner and me can renew.

@mhdawson
Member

@rvagg I got together with Brian today but I need a bit more help/context to complete the renewal.

Specifically it's asking for a CSR as part of the renewal.

I've found the file "Node.js Foundation Microsoft Authenticode Certificate.txt" which I can decode and get the p12 from. From there I can get the private key.

A few questions

  1. I assume we re-use the existing private key?
  2. In the past have you created the CSR on Windows or is it ok to create it with OpenSSL on Linux? (If so looks like I can use -> openssl req -new -key key.pem -out req.pem)
  3. We were going to change the org to the OpenJS Foundation from the Node.js Foundation, I assume that is not going to be an issue.
  4. I assume they send us back a new p12 that I would then add to secrets in a manner similar to how the existing one is saved.

@rvagg
Member Author

rvagg commented Sep 11, 2020

OK, considering that years have now gone by, this is off the top of my head and with very little memory of how this all went down originally:

  1. I assume we can re-use the private key, maybe there's a case for best practice being to generate a new one, but then we also have to roll it out into our infra (although maybe we need to do that anyway?)
  2. I probably just used openssl to make it, I don't know if the CSR needs anything special that you can't do with openssl, but I'm sure there's docs out there about what the CSR needs. I doubt I have any record of the original CSR, it's not something I usually save (although it might be nice to start doing that so we don't have to make it up every few years!).
  3. No idea, my guess is that there will be pain involved! It's like an EV IIRC so there's going to be an authentication process with hoops to jump through. Best look at their docs or contact them (DigiCert).
  4. Yes, IIRC the p12 was the outcome of the process, probably via email.
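The renewal steps discussed in the questions above and in rvagg's answers (fresh key or not, CSR made with OpenSSL, a p12 coming back from DigiCert), as an added example that is not from this thread or the project's own tooling: it rotates to a new key, builds the CSR, and runs the checks worth doing on the returned p12 before it goes into secrets. The openssl CLI, the subject values, the passphrase and the self-signed stand-in for the issued certificate are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: rotate the Authenticode signing key and
# build the CSR with OpenSSL, then check the p12 that comes back before it goes
# into the secrets repo. Assumes the openssl CLI; subject and passphrase are
# placeholders, and the "issued" cert is a self-signed stand-in for DigiCert's.
set -eu
WORK="${WORK:-$(mktemp -d)}"
P12_PASS="${P12_PASS:-placeholder-passphrase}"   # real one lives in secrets

# 1. Fresh key + CSR. A new key means the old p12 on the release machines can
#    no longer sign new builds, so the new p12 must be rolled out everywhere.
make_csr() {
  printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nO=OpenJS Foundation\nCN=OpenJS Foundation\n' \
    > "$WORK/req.cnf"
  openssl genrsa -out "$WORK/key.pem" 3072 2>/dev/null
  openssl req -new -key "$WORK/key.pem" -config "$WORK/req.cnf" -out "$WORK/req.pem"
  # self-check before upload: the CSR's own signature must verify
  openssl req -in "$WORK/req.pem" -config "$WORK/req.cnf" -verify -noout 2>&1 | grep -q 'verify OK'
}

# 2. Stand-in for the CA's reply: a self-signed cert built from the CSR with the
#    code-signing EKU, packaged as a passphrase-protected p12 (OpenSSL 3 writes
#    an AES-based p12; add -legacy if the importing tool rejects it).
make_stand_in_p12() {
  printf 'extendedKeyUsage=codeSigning\n' > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/req.pem" -signkey "$WORK/key.pem" -days 1095 \
    -extfile "$WORK/ext.cnf" -out "$WORK/cert.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
    -out "$WORK/authenticode.p12" -passout "pass:$P12_PASS"
}

# 3. Checks on the p12: it carries our key, has the code-signing EKU, and stays
#    valid for at least N more days (DigiCert's notice above fired at 89 days).
p12_cert() { openssl pkcs12 -in "$WORK/authenticode.p12" -clcerts -nokeys -passin "pass:$P12_PASS" 2>/dev/null; }
p12_matches_key() {
  a=$(openssl pkcs12 -in "$WORK/authenticode.p12" -nocerts -nodes -passin "pass:$P12_PASS" 2>/dev/null \
      | openssl pkey -pubout -outform DER | openssl sha256)
  b=$(openssl pkey -in "$WORK/key.pem" -pubout -outform DER | openssl sha256)
  [ "$a" = "$b" ]
}
has_code_signing_eku() { p12_cert | openssl x509 -noout -text | grep -q 'Code Signing'; }
valid_for_days() { p12_cert | openssl x509 -noout -checkend "$(( $1 * 86400 ))" >/dev/null; }

main() {
  make_csr
  make_stand_in_p12
  p12_matches_key
  has_code_signing_eku
  valid_for_days 89
  echo "CSR ready at $WORK/req.pem; p12 checks passed"
}
main
```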

@brianwarner

Cool, thanks @rvagg. On 3), we followed DigiCert's advice to handle an organizational name change by adding a new org vs. replacing an existing one. I've let LF folks know they may be getting a verification request. Worst comes to worst, we can renew for a year on the old name and then deal with it again next year.

@nschonni
Member

1. I assume we can re-use the private key, maybe there's a case for best practice being to generate a new one, but then we also have to roll it out into our infra (although maybe we need to do that anyway?)

They're saying new https://docs.digicert.com/manage-certificates/code-signing-certificate/renew-code-signing-certificate/

@mhdawson
Member

@nschonni it says best practice is to "generate a new CSR", that's different than generating a new private key unless I missed something.

@mhdawson
Member

@joaocgreis can you chime in on using a new versus the existing private key and what needs to be installed once we get the new certificate?

@joaocgreis
Member

@mhdawson when we renewed 3 years ago I had to install the new certificate in every machine, so I don't think the private key makes any difference.

I can install the certificate when you have it, please update the secrets and let me know. Essentially, it's just remove the old one, install the new one, and test building to make sure everything is ok. Note this is only for the release machines.

@mhdawson
Member

OK, so I'll create a new key, and then request the cert.

@mhdawson
Member

Certificate requested, will update when we receive the response.

@mhdawson
Member

On with chat support at DigiCert, seems we still need the verification process to support. They need to call the public number for the foundation. Unfortunately there was no answer when I tried, so I suggested they leave a message to have them call back. Will ping Brian to hopefully make sure they know the context.

@brianwarner

Yes, it's a voicemail line, so they need to leave a message for a callback. They can also call me directly, if that's sufficient.

@mhdawson
Member

Still looks like it is in pending, trying to contact support again.

@mhdawson
Member

Called in to support again today. What I've been told is that they called the Foundation number and left a code which somebody needs to call back with in order to complete the validation. @brianwarner I think I need you to follow up on that.

@mhdawson
Member

mhdawson commented Oct 2, 2020

Received the email today with the cert, have raised to update in the secrets repo.

@joaocgreis over to you to update the servers with the new p12 file.

@joaocgreis
Member

Updated, done. Thanks @mhdawson

@richardlau
Member

@joaocgreis I suspect the new certificate is behind Windows flagging the most recent installers as unsafe: nodejs/node#35539
Do you know if there's anything we need to do to prevent that?

@joaocgreis
Member

I have reported the files as safe, let's see if it solves the issue.

@rvagg
Member Author

rvagg commented Oct 9, 2020

IIRC it took a few days of our original cert in the wild and enough people to mark their installs as OK for Microsoft to start flagging it as OK.
