Self-signed Site Certificate Causing Trouble With Using Application at Work Causing Warnings with Security Suites

  • Chad


    I have not had download warnings since I've been using KeePass, up to v2.26, but when trying to download v2.27, Microsoft's SmartScreen filter, and both home and work security are complaining that your downloads are untrustworthy. When looking into it, it appears you are using a self-signed certificate instead of one purchased from a public trusted authority.

    Is this situation going to be temporary?

    I've been using your excellent programming at work for 5 years. I'd like to keep doing so.

    Please provide feedback on this so I know what to do. I don't want to use the sub-par application provided at work.


  • wellread1

    I suspect the Microsoft SmartScreen filter is not warning that the software is untrustworthy. More likely it is notifying you that it does not have sufficient information to make the determination. See the preceding link for additional information. There is also a recent post on the topic that you may find helpful at

    KeePass has never used a commercial certificate but it does provide a number of ways to verify that you have downloaded the authentic KeePass software that the KeePass developer (i.e. the guy that you trust) released. For more information see

    Note: If you are not satisfied trusting the developer, you need to audit (either personally or using a third party service) and compile the audited source code. Third party audits are very expensive and not practical for most open source projects.

  • Luckyrat

    There have been quite a few code signing certificate related questions here recently so I've fairly arbitrarily chosen this one to respond to.

    It is possible to get a free code signing certificate from Certum. I used that certificate a couple of years ago to sign some executables that I package with KeeFox. Prior to signing the executables, every time a new version was released, a growing minority of anti-virus and other security applications would flag them with varying levels of severity.

    It seems that the severity and frequency of these alerts is growing (and I know of some cases where the software entirely prevented the use of unsigned executables).

    Rightly or wrongly, many security tools treat unknown/new executables as less suspicious if they have been signed by a trusted code-signing certificate so the number of false positives shortly after a new release of KeePass would be reduced if the installer were to be signed by such a certificate.

    I found the sign-up process a little confusing (including a tendency for the English instructions to drift into Polish occasionally) but I wouldn't say it was difficult and I like to think they've improved it a bit in the past couple of years. is the place to go if interested. There's also a stack overflow answer with some step by step instructions that might be helpful:
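The checks wellread1 and Luckyrat describe in words (confirming a download is the one the developer released, and seeing whether an installer carries a trusted code-signing signature) can be scripted on the Windows machine that triggered the SmartScreen warning. The following PowerShell script is an added example, not code from the thread or from the KeePass project; the file path and the expected SHA-256 value are placeholders that the reader replaces with the downloaded installer and the hash published on the project's own download page, and the function name Test-DownloadIntegrity is this example's own.

```powershell
# Added example: verify a downloaded installer before deciding whether to trust it.
# Assumptions (not from the thread): the path and the expected SHA-256 are placeholders;
# replace them with the file you downloaded and the hash the project publishes.
param(
    [string]$Path = "$env:USERPROFILE\Downloads\KeePass-2.27-Setup.exe",   # placeholder path
    [string]$ExpectedSha256 = "REPLACE_WITH_HASH_FROM_PROJECT_DOWNLOAD_PAGE"  # placeholder value
)

function Test-DownloadIntegrity {
    param([string]$Path, [string]$ExpectedSha256)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    # 1. Hash check: compare against the value published by the project. Copy that
    #    value from the project's own site over HTTPS, not from the download mirror.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $hashOk = ($actual -ieq $ExpectedSha256.Trim())

    # 2. Authenticode check: reports whether the file carries a signature chaining to
    #    a trusted root. NotSigned is the situation the thread describes and is not by
    #    itself evidence of tampering; HashMismatch means the file changed after signing.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

    # 3. Mark-of-the-Web: browsers attach a Zone.Identifier stream to downloads, which is
    #    what SmartScreen keys on. Its presence is reported here, not removed.
    $zone = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue

    [pscustomobject]@{
        File            = $Path
        Sha256          = $actual
        HashMatches     = $hashOk
        SignatureStatus = $sig.Status.ToString()
        Signer          = $signer
        HasMarkOfTheWeb = [bool]$zone
    }
}

$result = Test-DownloadIntegrity -Path $Path -ExpectedSha256 $ExpectedSha256
$result | Format-List

if (-not $result.HashMatches) {
    Write-Warning "SHA-256 does not match the published value; do not run this file."
}
elseif ($result.SignatureStatus -eq 'HashMismatch') {
    Write-Warning "File was modified after it was signed; do not run this file."
}
elseif ($result.SignatureStatus -ne 'Valid') {
    Write-Output "Hash matches the published value, but there is no trusted Authenticode signature (status: $($result.SignatureStatus)). Trust rests on the hash you copied and on any other verification the project publishes, such as an OpenPGP signature."
}
else {
    Write-Output "Hash matches and the Authenticode signature is valid for: $($result.Signer)"
}
```

The hash comparison is the check that actually ties the file to what the developer published; the Authenticode status only tells you whether a security tool has a trusted signer to key on, which is why an unsigned but hash-verified installer can still be the authentic release while a signed file with a HashMismatch status must not be run.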