Certs, TLS and SSL, and S MIME - Dleifnesor/NET-215 GitHub Wiki
SSL/TLS vs S/MIME vs Code Signing Certificates
This document compares three major certificate types:
- SSL/TLS Certificates (for web encryption)
- S/MIME Certificates (for email and identity)
- Code Signing Certificates (for software authenticity)
Also includes a researched comparison of:
- Wildcard SSL Certificates vs Subject Alternative Name (SAN) Certificates
Certificate Comparison Table
Feature | SSL/TLS Certificate | S/MIME Certificate | Code Signing Certificate |
---|---|---|---|
Primary Use Case | Secure websites (HTTPS) | Secure email communication | Authenticate signed software |
Used on GitHub? | For HTTPS on github.com | For commit signing (optional) | For signed releases (optional) |
Data Encrypted | Web traffic | Email content | No (used to verify software, not encrypt) |
Used to Sign Code? | No | Possible for Git commits | Yes (binaries, installers, etc.) |
Format | X.509 (.crt, .pem) | X.509 (.p12, .pfx) | X.509 (.pfx, .p12) |
Verification Target | Server identity | Email sender identity | Publisher identity |
Trust Anchors | Browsers / OS CA stores | Email clients | OS and software trust stores |
Common File Extensions | .crt, .pem, .key | .p12, .pfx, .pem, .cer | .pfx, .spc, .pvk, .cer |
Revocation Support | CRL, OCSP | CRL, OCSP | CRL, OCSP |
Visibility on GitHub | Under HTTPS | Verified commit badge | For tagged releases (external) |
Code Signing Certificates
What They Do
- Used to digitally sign executables, scripts, and software packages.
- Confirms the identity of the publisher and ensures the code hasn’t been tampered with.
- Most common for Windows .exe/.msi, macOS apps, and browser extensions.
Example Use
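```powershell
# On Windows using signtool
# /fd sets the file digest; /tr and /td request an RFC 3161 timestamp and its digest
signtool sign /f cert.pfx /p your_password /tr http://timestamp.digicert.com /td sha256 /fd sha256 your_app.exe
```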
GitHub Context
- Developers often sign compiled releases before uploading to GitHub Releases.
- GitHub does not require or verify these signatures directly, but users and OSes can.
Git Commit Signing with S/MIME (Recap)
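```bash
# Configure Git to use your S/MIME (X.509) certificate
git config --global user.name "Alice Example"
git config --global user.email "<your-email-address>"
# Git's name for the S/MIME signing format is "x509" (the signing program defaults to gpgsm)
git config --global gpg.format x509
# The signing key is the certificate's key ID (e.g. from `gpgsm --list-secret-keys`), not a file path
git config --global user.signingkey "<certificate-key-id>"
# Sign a commit
git commit -S -m "Signed with S/MIME"
```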
Wildcard SSL vs SAN Certificate Comparison
Feature | Wildcard SSL Certificate | SAN (Subject Alternative Name) Certificate |
---|---|---|
Subdomain Coverage | All subdomains of a single domain | Explicit list of domains/subdomains |
Example Coverage | *.example.com → a.example.com, b.example.com | example.com, www.example.com, mail.example.org |
Root Domain Coverage | Yes | Yes |
Cross-Domain Support | No (single domain only) | Yes (multiple domains allowed) |
Ease of Management | Easy (single wildcard covers many) | Must reissue to add domains |
Common Use Cases | Large websites with many subdomains | Multi-domain websites or services |
Example Providers | Let’s Encrypt, DigiCert, Sectigo | Let’s Encrypt, DigiCert, GlobalSign |
Cost | Generally lower | Often more expensive (depending on SANs) |
When to Use Which?
- Wildcard Certificate
  - Best for managing many subdomains under one root domain.
  - Example: shop.example.com, api.example.com, blog.example.com.
- SAN Certificate
  - Best for managing multiple root domains or mixed domains.
  - Example: example.com, example.net, api.otherdomain.com.
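To check which hostnames a planned certificate would actually cover, the following added example (not part of the original wiki page) applies the hostname matching rule clients use for SAN dNSName entries. A wildcard entry stands for exactly one left-most label, so the root domain is covered only when it is also listed as its own SAN entry. The SAN lists and hostnames are constructed sample data built from the names used above, and the "at least two labels after the wildcard" rule is a simplifying assumption in place of a public-suffix check.

```python
# Added example: SAN dNSName matching in the style of RFC 6125 / RFC 9525.
# All SAN lists and hostnames below are constructed sample data.

def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.rstrip(".").lower().split(".")

def san_matches(pattern, host):
    """Return True if one SAN dNSName entry covers `host`."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h):
        # "*" stands for exactly one label, so label counts must agree.
        # This is why *.example.com covers neither example.com
        # nor v2.api.example.com.
        return False
    if p[0] == "*":
        # Wildcard is honoured only as the complete left-most label.
        # Assumption: require two labels after it so "*.com" never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    # No wildcard (or a partial one such as "f*"): exact match only.
    return p == h

def covered(san_list, host):
    """Return True if any entry in the certificate's SAN list covers `host`."""
    return any(san_matches(entry, host) for entry in san_list)

def uncovered_hosts(san_list, hosts):
    """Hostnames that would fail name validation with this certificate."""
    return [h for h in hosts if not covered(san_list, h)]

# Constructed SAN lists for three certificate layouts.
WILDCARD_ONLY = ["*.example.com"]
WILDCARD_PLUS_APEX = ["*.example.com", "example.com"]
MULTI_SAN = ["example.com", "www.example.com", "mail.example.org"]

# Constructed inventory of hostnames a deployment needs to serve.
HOSTS = ["example.com", "shop.example.com", "api.example.com",
         "v2.api.example.com", "mail.example.org"]

if __name__ == "__main__":
    for label, sans in [("wildcard only", WILDCARD_ONLY),
                        ("wildcard + apex", WILDCARD_PLUS_APEX),
                        ("multi-domain SAN", MULTI_SAN)]:
        print(f"{label:18} not covered: {uncovered_hosts(sans, HOSTS)}")
```

Running the same check against a real hostname inventory before ordering a certificate shows whether a wildcard, an explicit SAN list, or a combination is needed.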