25

Is a code signing certificate the same as a SSL certificate?

CJ7

2 Answers

22

A code signing certificate is essentially the same as an SSL certificate. Both are used to sign some data to prove that the data (software package or web page content) come from the "subject" of the certificate. There are 2 major differences that I can think of:

  1. They have different "enhanced key usage" OIDs in the certificate. A code signing certificate can only be used to sign a piece of code. Nothing prevents you from signing with the wrong certificate, but the client (e.g. a web browser) will check all "enhanced key usages" listed in the certificate and reject the signature if the certificate does not contain the appropriate OID (e.g. "code signing"). This means it's possible for one certificate to have both "code signing" and "server authentication" OIDs so that it can be used for both scenarios. But for security reasons nobody should do that.

  2. An SSL certificate becomes invalid once it expires, but a code signing certificate gets some special treatment. For example, if you bought some software 10 years ago, the code signing certificate used to sign it has probably expired today. But combined with a time stamping service, it's possible to prove the software package was properly signed 10 years ago.

Haitao Li
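The two differences described in the answer above, as an added Go example (not code from the question or either answer): it constructs a self-signed certificate that carries only the codeSigning EKU and then runs Go's standard-library chain verification against it, which is the check a relying party performs. The `makeCert` and `usableFor` helpers, the subject name and the dates are constructed for illustration; the timestamping case is approximated by evaluating the chain at the recorded signing time instead of the current time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// makeCert builds a constructed, self-signed certificate carrying only the given EKUs.
func makeCert(ekus []x509.ExtKeyUsage, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Example Publisher (constructed)"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus, // e.g. only x509.ExtKeyUsageCodeSigning (OID 1.3.6.1.5.5.7.3.3)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// usableFor is the relying-party check: does cert (trusted as its own root) chain for eku when
// evaluated at time `at` (time.Now() normally, or the time recorded by a trusted timestamp token)?
func usableFor(cert *x509.Certificate, eku x509.ExtKeyUsage, at time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{eku}, CurrentTime: at})
	return err == nil
}

func main() {
	issued := time.Date(2012, 1, 1, 0, 0, 0, 0, time.UTC)
	cert, err := makeCert([]x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}, issued, issued.AddDate(3, 0, 0))
	if err != nil {
		panic(err)
	}
	fmt.Println(usableFor(cert, x509.ExtKeyUsageCodeSigning, issued.AddDate(1, 0, 0)))  // true: right EKU, within validity
	fmt.Println(usableFor(cert, x509.ExtKeyUsageServerAuth, issued.AddDate(1, 0, 0)))   // false: serverAuth EKU absent
	fmt.Println(usableFor(cert, x509.ExtKeyUsageCodeSigning, issued.AddDate(10, 0, 0))) // false: expired unless evaluated at the timestamped time
}
```

A real verifier only trusts the earlier evaluation time when it comes from a signed timestamp token, not from the signer's own claim.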
-6

No. Of course, SO won't let me just answer with "no", so we'll have to explain.

Basically, a code-signing cert gives you a private key that can be verified against a public key certified by a known authority. You make a digital signature with that key, and the other end can verify you had a cert from a trusted source when you signed it.

An SSL cert is just a signed "document" that can be verified as coming from a trusted source. You can't encrypt or sign with it because it doesn't have any key material that's yours alone; it's just a signed document saying "I certify that I trust who this guy says he is."

Charlie Martin
Sorry, you are completely wrong here. An SSL cert always has a private key behind it. When it is used on a Web server the private key is on the server and used by the Web server software (apache, IIS, etc.) to encrypt the connection. – jcoffland Oct 24 '12 at 03:12