Renewing my Authenticode digital certificate

The Authenticode digital certificate I bought back in 2019 expired recently, so I had to get a new certificate (you can’t renew a certificate, as such, you just need to buy a new one). A few months before the expiry I emailed KSoftware.net, who I had bought previous digital certificates from and with whom I had always had a good experience in the past. No reply. I tried a couple more times, including the personal email of Mitchell, the founder. Nothing. Someone else told me they had had similar experiences. Their recent Trustpilot ratings are a horror show. And the copyright date on their website is ‘2003 – 2021’. But they were still advertising on Google Adwords. I have no idea what is happening here. If you are reading this Mitchell, I hope you are ok.

With KSoftware out of the picture I looked elsewhere. Eventually I ended up buying a new Sectigo certificate from signmycode.com. I partly chose them because they offered a 5 year certificate and the less often I have to go through the ball ache of getting a new certificate, the better. The experience was decidedly mixed.

The good:

  • The prices seem reasonable, compared to other options.
  • Support was responsive. English didn’t appear to be their first language, but it was good enough.
  • I got my new certificate within a few days and have had no issues with it so far. The change in certificate seems to have set off a few customers’ anti-virus software, but that was to be expected.

The mediocre:

  • The online guidance and documentation on the process was mediocre, at best.
  • I was a bit confused about whether I had to click ‘Buy now’ or ‘Renew now’. It seems this is more for marketing/SEO purposes and it doesn’t matter which you click.
  • I had to send them a photo of me holding a government ID. This felt pretty uncomfortable, but might be something mandated by the certificate companies.

The bad:

  • After I got my certificate I checked the expiry date and it was only 3 years. When I queried this I was told that the ‘5 year certificate’ I thought I had bought is not a 5 year certificate. It is a 3 year certificate, then I have to apply for a new pre-paid 2 year certificate in 3 years’ time.

This is what you see when you click on ‘Buy now’:

When you see this, wouldn’t you expect to get a single 5 year certificate? If there was anything explaining that this was 2 separate certificates, I didn’t notice it. It certainly didn’t mention it on their home page. This feels deceptive to me.

Who knows if this company will still be there in 3 years time? I emailed them and told them I wanted to keep the new 3 year certificate and for them to refund the 2 year certificate. They said they would only refund the entire order and then I would have to start the whole process all over again. They also claimed:

“renewal validation is much more easy then buying a new certificate as most of the validation part is getting carry forward.”

We’ll see. Buyer beware.

See also: The great digital certificate ripoff?

** Update 08-Mar-2023 **

Mitchell of KSoftware has contacted me to say that he is alive and kicking. Read the comments below for more details.

22 thoughts on “Renewing my Authenticode digital certificate”

  1. Piotr

    I just checked my cert from two years ago that I have purchased from KSoftware as 5 years long. It is 3 years. I never noticed that, strange.

    And the other thing I remember after renewing is Windows SmartScreen reporting all installers signed by the new cert as not trustworthy. It was so bad I went and purchased an EV certificate which worked straight away and the other one started to work after a month or so. I dread the moment I will have to do this again next year (which I hoped would be in 3 years from now…)

    1. Mitchell Vincent

      Hi Piotr, that shouldn’t be the case. Email me at mitch at ksoftware dot net and I’ll look it up. The 5 year certificates stopped in 2018 I think but I’ll make sure you get the full term, even if we have to issue you another cert.

        1. Piotr

          And… I was wrong, I mixed up the emails. I saw the order for 5 years, but it was the one I bought before the last. The one from 2021 was 3 years, so all is good. Sorry for the mix-up.

      1. Piotr

        I double-checked the orders and you are correct and I am wrong, the last one (2021) was for 3 years, I was looking at the wrong email (from 2016!)… I am sorry for that.

  2. Andy Brice Post author

    I hope you can get the extra 2 years you paid for. Good luck getting any response from KSoftware though.

    I haven’t had many reports of problems with the new OV certificate, so far. Also I made sure to warn customers in advance in my newsletter that it might be an issue.

  3. zka77

    I’ve used KSoft for a while and I’ll have to renew my cert this summer. Good to know they are not reliable at the moment.
    OV certs need quite a bunch of downloads to be considered trustworthy. Back 5+ years ago it was a few 100 downloads, a few years ago it was more like ~1000… quite high number for a tiny vendor like me. And trust me I have measured: if your exe is not signed, you are losing out on a LOT of sales.
    If your cert has expired, you cannot release anything new until you get the new cert approved.
    Basically I let low conversion rate countries to download installers with my new cert until it gets approved by smartscreen, then I start using it everywhere. Shameful process…

  4. Andy Brice Post author

    >Basically I let low conversion rate countries to download installers with my new cert until it gets approved by smartscreen

    Interesting idea. Is there some JavaScript on the download page to decide who gets which download?

  5. zka77

    My download system is tricky. It’s served by a PHP script. I have my very own webtraffic logging system which finds the country right away by the IP address. My download PHP sees which country is downloading it and therefore can decide which exe version to return.

  6. Nikos Bozinis

    Also baffled by K-software which I had used for ages.
    The bummer is that to “fast track” the renewal process (you needn’t provide identification if the old code signing certificate is <= 3 years old), you need a Sectigo reference number, and I only have K-software reference numbers…

    1. Andy Brice Post author

      I think I provided them with the old Comodo order number that I found in an email from a previous purchase. Maybe search your mailbox for Comodo / Sectigo emails?

      1. Nikos Bozinis

        But you still had to supply all the “face-2-face” identification? Did you register as individual or company?

          1. Nikos Bozinis

            Btw the “mugshot” is a Sectigo requirement. I registered as individual though, not as embarrassing as the company CEO having to do a mugshot :)

    2. Mitchell Vincent

      Hey Nikos! I’m still kicking. Though the rumors of my demise were exaggerated, they weren’t unfounded. Had a bit of a hostile takeover situation with the support system too, I made the mistake of trusting folks to run things well while I was away. Definitely let me know when it’s time to renew but yes – the rules have gotten MUCH more strict industry-wide, and many of the loopholes we once could exploit are gone now. Phone number verification, ID with address, all of those are hard requirements now you’re going to see from any CA. I’m going to do my best to still offer the best pricing to fellow developers though!

  7. Mitchell Vincent

    Hi folks, I reached out to Andy to let him know what was going on but thought I might as well post here too. Indeed, 2022 was a nightmare year for me. Medical and personal problems, and a bit of a ‘hostile takeover’ situation with the people I hired to look after things while I was away. The medical is more injury than illness and thankfully after a long road, I’m on the mend.

    The rule changes the CA/B forum has been shoving down our throats mean that many people that qualified for code signing certs before just don’t now, and that’s the source of almost all of the bad reviews (well that, and the fact that I’d been locked out of the ticket system until yesterday). People have every right to be ticked off at that and in the end it is absolutely my fault, but I didn’t realize what was going on with all of that until recently. I’ll be busting @%$ to get caught back up but plan on still offering discounted code signing certs to fellow developers for many years to come.

    I told Andy this but there is no such thing as a 5 year code signing cert anymore. The CA/B forum limited maximum validity to 3 years some time ago. If anyone got a cert from me that they thought was 5 and was only 3, please let me know and I’ll make it right however I can. That *shouldn’t* have happened as I never intentionally oversold them like the reseller Andy went with does. I don’t know how they’re going to honor that either as there is about to be a MASSIVE change in code signing as the CA/B forum has now mandated that *all* code signing certificates be issued on tokens. That goes into effect soon, but I’m going to send out some extremely discounted order links for new 3 year digital-only OV certs for those that want them before the switch (I believe it’s slated for June 1 as of right now). That’s going to throw a MAJOR wrench into the plans of all of the resellers that oversold like that as the pricing is dramatically increasing across the board.

    1. Peter

      It seems your return was short lived Mitchell. I have tried to contact you a while ago and still no reply. Disappointing.

  8. Colin Browell

    Hi Mitchell. Great to hear you’re back in the saddle now. Had us quite worried for a while. :)

  9. Thomas Wetzel

    Hi Mitch,

    Great to have you back. Does someone monitor your inbox?

    I’ve sent you a few e-mails but didn’t get an answer.

    Soon I need a renewal for my certificate.

    Thomas

  10. Petri Piirainen

    Which browser in Windows are you now using to acquire / download certificate files? Because IE is now retired. Does the certificate process work with IE-mode in Edge?

  11. zka77

    Tried to order a new code signing cert at KSoft (already ordered about 3 times in the past) but the system appears dead. My credit card was rejected with a nonsense paypal error message.
