
Code signing jar files by 3rd party.

  • 06-07-2015 5:28pm
    #1
    Registered Users, Registered Users 2 Posts: 1,775 ✭✭✭


    Been asked to issue a code signing certificate for *.example.ie to one of our 3rd party Java developers that occasionally develops applets for us here.

    Now from me coming from issuing certs for servers this seems strange. Are code signing certs typically wildcards? Are there any security implications for assigning such a cert for my company? Anything I should know?

    Oh yea as we're under contract with the 3rd party we trust them.


Comments

  • Registered Users, Registered Users 2 Posts: 1,275 ✭✭✭bpmurray


    I don't think they even need to specify the class names - you typically sign an entire jar file. Normally you have to use a keystore, but it's reasonably flexible. Have a look at Digicert's explanation and at using a p12 file.


  • Closed Accounts Posts: 8,015 ✭✭✭CreepingDeath


    Sebzy wrote: »
    Are code signing certs typically wildcards?

    No.

    An SSL cert for HTTPS is typically to identify the server (host) and serve as an encryption key.

    A code signing certificate identifies that that Jar file came from a specific person/company unmodified.

    So the code signing cert is typically not server/host specific.
    The cert will typically be in your company's name so that when the applet executes it asks "Do you wish to trust <Acme Company>?".

    If you purchase a code signing cert from a certificate authority you're okay.
    But if you create your own self signed certificate, then you may have to tell each of the users who run the applet to import your certificate into their Java keystore.

    Warning: Java applets are old technology and browsers are becoming more aggressive in blocking them. So I certainly wouldn't be creating new Java applets if at all possible.
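
Added example, not code from anyone in this thread: signing covers the whole jar by recording a digest for each entry in `META-INF/MANIFEST.MF`, so a reviewer can check a delivered jar for entries that were changed or added after signing. The sketch assumes `SHA-256-Digest` manifest attributes and uses a constructed in-memory jar with hypothetical entry names; it does not verify the signature block or certificate chain, which `jarsigner -verify` does.

```python
import base64, hashlib, io, zipfile

SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")

def b64sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def build_sample_jar(stored=b"constructed class bytes"):
    """Constructed sample: digest covers the original bytes; 'stored' may differ."""
    manifest = ("Manifest-Version: 1.0\r\n\r\n"
                "Name: com/example/App.class\r\n"
                f"SHA-256-Digest: {b64sha256(b'constructed class bytes')}\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\r\n\r\n")  # placeholder
        jar.writestr("com/example/App.class", stored)
        jar.writestr("com/example/Extra.class", b"added after signing")
    return buf.getvalue()

def manifest_digests(text):
    """Map entry name -> base64 SHA-256 digest from per-entry manifest sections."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold wrapped lines
    digests = {}
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        if "Name" in attrs and "SHA-256-Digest" in attrs:
            digests[attrs["Name"]] = attrs["SHA-256-Digest"]
    return digests

def is_signature_file(name):
    """Manifest and signature files are not themselves listed with digests."""
    upper = name.upper()
    return upper == "META-INF/MANIFEST.MF" or (
        upper.startswith("META-INF/") and upper.endswith(SIG_SUFFIXES))

def check_jar(data):
    """Return (tampered, unsigned) entry names for a jar given as bytes."""
    tampered, unsigned = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        digests = manifest_digests(jar.read("META-INF/MANIFEST.MF").decode())
        for name in jar.namelist():
            if name.endswith("/") or is_signature_file(name):
                continue
            if name not in digests:
                unsigned.append(name)      # entry added without a digest
            elif digests[name] != b64sha256(jar.read(name)):
                tampered.append(name)      # bytes changed after signing
    return tampered, unsigned

if __name__ == "__main__":
    print(check_jar(build_sample_jar()))
```
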

