Signing WPF App

I am developing a Windows WPF app that I intend to sell when it is ready. I need to sign the binaries (EXE & DLLs). Is there any way that I can use Let's Encrypt certs to generate a PFX file?

If not, do you know of anyone who issues free certs that I can use to generate PFX files?

THANKS.

1 Like

Hi @wally96334, and welcome to the LE community forum

You are asking two very different things:

  • "I need to sign the binaries"
    [ code signing ]

  • "do you know of anyone who issues free certs that I can use to generate PFX files?"
    [ .PFX files are certificates ]

LE certs aren't able to be used for code signing.
All LE certs can be converted/transformed into .PFX files.

6 Likes

Hello @wally96334, welcome to the Let's Encrypt community.

More details please.

Let’s Encrypt offers Domain Validation (DV) certificates.
Does Let’s Encrypt issue certificates for anything other than SSL/TLS for websites?

Code signing isn't one of them.

You need an ACME Client or implement one yourself in the .EXE & DLLs.

The RFC is here: RFC 8555 - Automatic Certificate Management Environment (ACME)
Likely you will want a look at these: CA/Browser Forum and the Baseline Requirement.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Thank you for assisting us in helping YOU!

1 Like

Unfortunately you can't use Let's Encrypt certificates for code signing (Certificates have a set of purposes that the CA validates them for use with, in the case of LE certs that's just server identity and client identity based on domain name).

Traditionally you would purchase a code signing certificate from Comodo/Sectigo etc - this now involves proving your own identity, usually things like submitting a photo of your government ID next to yourself etc. Recently Code Signing has gotten a little more complex because there is a requirement for private keys to be held in hardware security modules and increasingly people will need to use cloud services that have this setup for them. An example is Azure Code Signing (currently in preview), which I will probably move to myself eventually.

2 Likes

This will really put a damper on things like shareware/freeware.

I hope someone, someday, can figure out a way to get around this issue.

Thanks for the replies.

1 Like

It's been a problem for about 20 years to varying degrees. The easiest way to publish signed software is to publish through the respective platform app stores (like Windows Store, Mac Store etc) because those distribution channels handle the signing.

Plenty of tools (hundreds of thousands, if not millions of them) are still distributed as standard downloads with no signing and they just put up with the OS warnings, it's an impediment but it's usually not a blocker.

2 Likes

I have to agree with Christopher [@webprofusion].
I'd much rather install an app from a "trusted store" than from "Random Internet Software Company" [even if that software is "signed" by them].

The signature [to me] only means no one else has messed with it - it doesn't mean it is NOT malicious.
Much like the lock provided by HTTPS - it doesn't mean the content is safe, it only means you are getting the original content without anyone tampering with it along the way.

2 Likes
