
Revoked Certificate Errors With QuickBooks Desktop Apps

Written by Charlie Russell

QuickBooks desktop users running older versions of some desktop add-on products are starting to run into problems where they cannot get these apps to connect to QuickBooks. This started with a small number of users, but it is becoming a bigger problem as time moves on.

Charlie Russell will be presenting the session, Recent Developments in QuickBooks and Looking Ahead, at Accountex 2016.

You may find that you are confronted by this error dialog when running the add-on program:

[Image: the "Revoked Certificate" error dialog shown by QuickBooks Desktop]

Code Signing Certificates

Desktop software products can be “digitally signed” with a code signing certificate. This is a security feature that was originally set up in the 1990s to provide a way to verify that the software that you install does indeed come from the publisher that you expect. It is a good thing!

When an add-on product asks to connect to the QuickBooks database, QuickBooks checks whether the software is properly signed. There are three possible outcomes:

  • The software can be properly signed, and you can let it connect to the database (or not, if you don’t want it to).
  • The software can be unsigned. If this occurs, QuickBooks will point out that it isn’t signed and that there is some possibility that the software isn’t what you expect it to be. However, you can still let it connect to your database.
  • The software could have a “revoked” certificate. That is, for some reason, the software developer or some other authority has withdrawn support for the certificate. In this case, QuickBooks won’t allow the software to connect.

The problem is that SHA-1, the hash algorithm that code-signing signatures have relied on for many years, is getting old. Researchers have shown that with modern computing power it can be broken, so it can no longer be trusted to prove that a signed file is unaltered. Microsoft is therefore telling software developers that they need to move their certificates and signatures to a newer, stronger algorithm: SHA-256.

Why This Breaks Some Software

Microsoft has started rolling out updates to Windows that will invalidate older SHA-1 certificates. At this time we are starting to see this occur in Windows 10. I’m not sure which update to Windows 10 includes this change. Some Windows 10 systems aren’t showing the problem, others are.

These updates should also be rolled out to Windows 7 and Windows 8 in the coming months.

When your Windows system gets this update, any SHA-1 certificates will be deemed invalid.

So, if you are running a version of an add-on program that hasn’t been updated to a SHA-256 code signing certificate, at some point in the near future you are going to see that “Revoked Certificate” error showing up. You won’t get any warning – one day the software will work, the next day it will stop. The problem isn’t that the software vendor “revoked” their own certificate. The problem is that you are running an older product. Windows no longer accepts the certificate and QuickBooks won’t let the software access your data with that certificate.

The odd thing is that if your software had never been code signed at all, you wouldn’t have this problem! QuickBooks still lets unsigned software access your data (after a warning), even though that is less secure than allowing a product that carries the older, weaker SHA-1 signature.
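Because the failure arrives without warning, it helps to know in advance which add-on executables on a machine still carry SHA-1 era signatures. The following PowerShell script is an added example, not something from the article or from Intuit; it uses only the built-in Get-AuthenticodeSignature cmdlet, and the scan folder is a placeholder you replace with the directory where your add-on is installed. It reports the signature status QuickBooks will see (valid, unsigned, not trusted) together with the algorithm the certificate was issued with, which is a strong hint that the product was signed under the old SHA-1 regime.

```powershell
# Added example (not from the article): inventory the code-signing state of add-on files.
# Assumption: $ScanRoot is a placeholder; point it at the add-on's install directory.
$ScanRoot = 'C:\Program Files (x86)\ExampleAddOn'   # placeholder path

function Get-AddOnSignatureReport {
    param([Parameter(Mandatory)][string]$Root)

    if (-not (Test-Path -LiteralPath $Root)) {
        Write-Warning "Folder not found: $Root"
        return
    }

    Get-ChildItem -Path $Root -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate

        # SignatureAlgorithm is the algorithm the issuing CA used on the certificate
        # (sha1RSA / sha256RSA). The digest used on the file itself is only shown by
        # 'signtool verify /v', but a sha1RSA certificate almost always means a SHA-1 era build.
        $certAlg = if ($cert) { $cert.SignatureAlgorithm.FriendlyName } else { $null }

        [pscustomobject]@{
            Path        = $_.FullName
            Status      = $sig.Status        # Valid, NotSigned, NotTrusted, HashMismatch, UnknownError ...
            Signer      = if ($cert) { $cert.Subject } else { '(unsigned)' }
            CertAlg     = $certAlg
            CertExpires = if ($cert) { $cert.NotAfter } else { $null }
            TimeStamped = [bool]$sig.TimeStamperCertificate
            Sha1Era     = ($certAlg -like 'sha1*')
        }
    }
}

# Files that are not 'Valid' or that carry a SHA-1 certificate are the ones to
# raise with the vendor before Windows starts rejecting them.
Get-AddOnSignatureReport -Root $ScanRoot |
    Where-Object { $_.Sha1Era -or $_.Status -ne 'Valid' } |
    Sort-Object Status, Path |
    Format-Table -AutoSize
```

Run it from an ordinary PowerShell prompt; no administrator rights are needed to read signatures. A row with Status "NotSigned" corresponds to the second outcome above (QuickBooks warns but allows), while "NotTrusted" or "UnknownError" on a file that used to work is what shows up as the "Revoked Certificate" dialog.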

Update Your Software, If You Can

Developers can update their software from SHA-1 to SHA-256 by spending some money for a new certificate, and then generating a new version of the software. For many users, this just means that you need to upgrade your add-on products if you haven’t already.

Some developers may charge you a fee to move up to their latest release.

Unfortunately, there are some software products that people are using that cannot be updated. Some products just cannot be updated for technical reasons – they are too old, the components that they use are hard to update, or it might not be economically feasible to update. In some cases, users may be using software from companies that are no longer in existence.

I’m bringing this up now because it is a problem that is going to grow, and you need to prepare. If you are using an add-on product, ask the developer if they have updated their product. You don’t want to be caught by surprise when your add-on suddenly stops working without warning.

In many situations, upgrading from SHA-1 to SHA-256 isn’t difficult. There are expenses involved, such as purchasing a new certificate and generating a new version of the software.


About the author

Charlie Russell

Charlie Russell has been involved with the small business software industry since the mid 70's, and remembers releasing his first commercial accounting software product when you had an 8-bit microcomputer with one 8 inch floppy disk drive. He has a special interest in inventory and manufacturing software for small businesses. Charlie is a Certified Advanced QuickBooks ProAdvisor with additional certifications for QuickBooks Online and QuickBooks Enterprise, as well as being a Xero Certified Partner. Charlie started blogging about QuickBooks in 2008 (Practical QuickBooks) and has been the managing editor and primary writer for the Accountex Report (formerly the Sleeter Report) since 2011. Charlie can be reached at [email protected]

Visit his CCRSoftware web site for information about his QuickBooks add-on products. He is also the author of the California Wildflower Hikes blog.

6 Comments

  • If Intuit isn’t careful, they’re going to get bitten by this one directly as well. Their manual update patch files are currently being signed in a way that is vulnerable. The Intuit certificate is SHA-256 but they are still using a SHA-1 digest and timestamp server. I believe these will start failing Jan 1, 2017 according to Microsoft’s current timetable.

    Intuit should already be dual-signing any new executables and DLLs with SHA-1 and SHA-256 to avoid these issues, but I’m not seeing it.

    From Microsoft:
    “Effective January 1, 2016, Windows (version 7 and higher) and Windows Server will no longer trust new code that is signed with a SHA-1 code signing certificate for Mark-of-the-Web related scenarios (e.g. files containing a digital signature) and that has been time-stamped with a value greater than January 1, 2016. This cut-off date applies to the code-signing certificate itself.

    This restriction will not apply to the time-stamp certificate used to time-stamp the code-signing certificate or the certificate’s signature hash (thumbprint) until January 1, 2017. After this time, Windows will treat any code with a SHA-1 time-stamp or SHA-1 signature hash (thumbprint) as if the code did not have a time-stamp signature.”

    • Updates won’t be an issue unless they don’t make this change by next January. Supposedly they have time. And, in any case, you can always download a fully patched installer instead of using the patch files.

      And who knows how it will work? Microsoft says one thing, but sometimes that isn’t how things work in real life. Some of what they are saying relates to web based products, not desktop products. And, supposedly the problem I’m relaying here shouldn’t occur at THIS time if the code has an older timestamp – but that hasn’t been the case. What Microsoft says isn’t exactly how things seem to be working out.

      I’m not that worried about currently supported products, developers will see the problem and have to fix it quickly. So it will just be a transitional issue. What I’m more concerned about is products that are discontinued, that are no longer being updated but that a business is depending on. Also, people running older versions of products will have to update to a new version, and sometimes that involves a cost (both dollars and perhaps conversion time).

      • I mostly agree, Charlie. I imagine Intuit will get up to speed at some point. But even their full installers aren’t fully SHA-256 signed last I checked.

        One option for a business with an add-on being blocked in QB due to a SHA-1 signed exe, is to re-sign it using Microsoft SIGNTOOL’s recently added feature that appends another signature using SHA-256 (this is essentially how dual-signing works). Obviously this isn’t a solution for the average user, but for a business in a bind with no better options, it would work. They could either purchase a code-signing cert, or create a self-signed cert for private use. The latter is more complicated but would save the hassle and expense of obtaining a commercial cert.
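The dual-signing approach mentioned in this comment can be checked and carried out with signtool from the Windows SDK. The script below is an added example, not part of the comment, the article or Intuit's tooling; it assumes signtool.exe is on the PATH, that the file path, certificate subject name and RFC 3161 timestamp URL are placeholders for your own values, and that you hold the signing certificate in the current user's certificate store (so no password appears in the script). Note that Windows PowerShell's Get-AuthenticodeSignature reports only the primary signature, so signtool's /all switch is the way to confirm that a file really carries both a SHA-1 and a SHA-256 signature.

```powershell
# Added example (not from the comment or the article): inspect all signatures on a file
# and append a SHA-256 signature next to an existing SHA-1 one (dual signing).
# Placeholders: $File, the certificate subject name and the timestamp URL.
$File        = 'C:\Path\To\addon.exe'                 # placeholder
$CertSubject = 'Example Add-On Publisher'              # placeholder subject of a cert in Cert:\CurrentUser\My
$Timestamp   = 'http://timestamp.example/rfc3161'      # placeholder RFC 3161 timestamp server

function Get-SignatureHashAlgorithms {
    # Returns the digest algorithm of every signature on $Path ("sha1", "sha256", ...).
    # Parses the "Hash Algorithm:" lines that 'signtool verify /v /all' prints.
    param([Parameter(Mandatory)][string]$Path)

    $output = & signtool verify /pa /v /all $Path 2>&1
    $output |
        Where-Object { $_ -match 'Hash Algorithm:\s*(\S+)' } |
        ForEach-Object { $Matches[1].ToLower() }
}

$algs = @(Get-SignatureHashAlgorithms -Path $File)
Write-Host "Signatures on $File : $($algs -join ', ')"

if ($algs -contains 'sha256') {
    Write-Host 'A SHA-256 signature is already present; nothing to do.'
}
elseif ($algs -contains 'sha1') {
    # /as appends rather than replaces, so the original SHA-1 signature stays first
    # (older Windows versions only read the primary signature). /fd and /td pick the
    # file and timestamp digests; /tr is the RFC 3161 timestamp server.
    & signtool sign /n $CertSubject /as /fd sha256 /td sha256 /tr $Timestamp $File
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

    # Re-verify so the change is confirmed before the file is put back into use.
    $after = @(Get-SignatureHashAlgorithms -Path $File)
    Write-Host "Signatures after dual-signing: $($after -join ', ')"
}
else {
    Write-Host 'File is unsigned; sign it fresh with /fd sha256 rather than appending.'
}
```

Keep the SHA-1 signature in the primary slot and append the SHA-256 one, as the script does; a SHA-256 primary signature would be ignored by the oldest Windows versions that still only understand SHA-1. If the signature was made with a self-signed certificate, the machine running QuickBooks must also trust that certificate, otherwise the result is "NotTrusted" rather than "Valid".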

  • I’m running an older QuickBooks Simple Start for a small business. I have no desire to join the online route. The other day I cloned my hard drive and transferred the contents to an SSD. QuickBooks wouldn’t open, throwing an error message about the license number. I uninstalled and tried several times to reload but kept getting an invalid license number. I switched to my old hard drive and the program came up no prob. Is there some type of place in my computer that is refusing to load the program a second time? I’m currently running the old drive until I can figure out what the problem is.

    • You generally can’t clone software products like this. There is a license file that has information about your hard drive, and on the cloned system that isn’t going to match, so you’ll run into trouble. Do you have the original CD that you used to install from, originally?

      Simple Start is no longer available (at least in the US), so you may find that you need to move up to QuickBooks Pro.

  • I wonder if you (or anyone else reading the comments) has noticed a big slowdown in connections and data retrieval with online banking (from the desktop QuickBooks). It seems like it takes about twice as long as it used to, regardless of how much it is retrieving. Any word or idea on what’s up with that? I know this could be my bank’s problem, but there’s no real way of testing that.