Adobe AIR certificate hell

Welcome to my brand new nightmare: the renewal of an expired Adobe AIR code signing certificate.

It all began slightly over a year ago.

One of the software options our company offers to consumers is an Adobe AIR application. You can use it to create photo books. After ordering, we will physically produce it and send it to your doorstep. That's our business, after all. Our AIR application was first deployed at the beginning of 2008.

To make it look good, we signed the code with a certificate in May of that year. Certificates typically have a limited period of validity. In this case, we bought a certificate that expired after a year. So, by March 2009, we had to renew the certificate.

Why can't you just sign it with a new certificate? Well, if you use a new certificate, then the update mechanism of Adobe AIR will think it's a new application. AIR generates a Publisher Key based on lots of information in the certificate, including the subject information (that's us, in this case). If the Publisher Key is different, you can't update your existing install base anymore. Literally, all the consumers that already installed the application will have to be asked to re-install it. Obviously, this will result in losing a lot of customers and subsequently losing money.

So, we needed to renew it. Definitely.

According to Adobe, there are two ways to re-sign an AIR application.
  • Option 1: you can migrate your certificate from the old to the new certificate. In that case, you can actually change the contents of the certificate, like your own address and such.
  • Option 2: you can renew a certificate. This means you create a certificate that is exactly the same as the old one and use it to re-sign. The application will think it's the same certificate.

Anyway - in March, we ordered a new certificate. Our next production build would take place in June, which shouldn't pose a problem - after all, our new certificate would be valid from May onward. Then, our problems started.

In June, the original certificate was already expired. Then we found out that, for some reason, migrating from an expired certificate can't be done in Adobe AIR. It just fails. So, we tried to do a "renewal" instead - which is the Adobe equivalent of "just sign it". It didn't work either. Careful examination showed that the street number of our company address was formulated a bit differently, which caused the Publisher Key to be different. How did it happen? I don't know - I didn't change a thing.

We tried to explain this to our certificate provider. They didn't understand a word. It took two weeks of daily frustration to finally get a new certificate that supposedly contained the right information to get the same Publisher Key as the original certificate. The associated customer service thread holds the record for the longest thread I ever created.

Finally, we got the new certificate - one week before D-day. By clicking the retrieval link in my mail, I opened it in my default browser. That's Google Chrome. Then, the craziest thing happened. By doing so, I spoiled my certificate - apparently, it's IE only - and it's one try only. The provider never told me, nor did the page do a browser-check. So, I had to apply for it again.

It was the day of our deadline when I got it. We tried to sign the application, and guess what? It didn't work. And no, I don't have a solution - yes, I do have a solution!

Blogging about it makes one think. After some further research by a very dedicated developer, the new certificate worked! Apparently, the last bits of this ordeal failed because of an unfortunate certificate mix-up - that's what happens with three different certificates sitting on a server.

We are only two days late now. As Winston Churchill put it: if you go through hell, keep going.
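
A pre-signing check for the failure described above, where one differently written subject field changed the Publisher Key. This is an added example, not code from the original post or from Adobe: it does not compute the Publisher Key (the post does not give that algorithm), it only diffs the subject fields of two certificates. The function names and the sample DN strings are constructed for illustration.

```python
def parse_dn(dn):
    """Split an RFC 2253-style subject string into ordered (TYPE, value) pairs.

    Values are kept byte-for-byte in their escaped form, so nothing is
    normalised away. Multi-valued RDNs joined with '+' are not split.
    """
    pairs, buf, escaped = [], [], False
    for ch in dn + ",":                      # sentinel comma flushes the last RDN
        if escaped:
            buf.append("\\" + ch)            # keep the escape sequence intact
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            key, _, value = "".join(buf).partition("=")
            pairs.append((key.strip().upper(), value))
            buf = []
        else:
            buf.append(ch)
    return pairs


def subject_diff(old_dn, new_dn):
    """Return (position, old_pair, new_pair) for every subject field that differs.

    Comparison is positional and exact: a reordered, missing, or differently
    spelled field is reported, because any of them makes a different subject.
    """
    old, new = parse_dn(old_dn), parse_dn(new_dn)
    diffs = []
    for i in range(max(len(old), len(new))):
        a = old[i] if i < len(old) else None
        b = new[i] if i < len(new) else None
        if a != b:
            diffs.append((i, a, b))
    return diffs


# Constructed sample subjects; real ones can be printed with
#   openssl x509 -in cert.pem -noout -subject -nameopt RFC2253
OLD = "CN=Example Photo B.V.,O=Example Photo B.V.,STREET=Main Street 12,L=Amsterdam,C=NL"
NEW = "CN=Example Photo B.V.,O=Example Photo B.V.,STREET=Mainstreet 12,L=Amsterdam,C=NL"

if __name__ == "__main__":
    for pos, a, b in subject_diff(OLD, NEW):
        print(f"subject field {pos} differs: old={a!r} new={b!r}")
```

Running the check against the certificate request before the CA issues the certificate catches this kind of mismatch while it is still cheap to fix.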




Sorry to hear that you had such trouble with the certificate renewal process. Although I realize it's too late for this particular episode, I do want to let people know that we're working on improvements to the AIR code signing implementation to eliminate the hassle in these kinds of situations.

regards,
Oliver Goldman
Adobe AIR Engineering
Adobe Systems Inc.

Posted on 2009-09-16 07:22 PM by Oliver Goldman

wow. I think I'll just stick to flash games on the web.

Posted on 2009-08-23 04:53 AM by Nick