Newbie question: Signing a Java applet


mikevb

Hi all,

The TL;DR version of below: Where can I buy a certificate suitable for
signing a Java applet? Help!!

The long version:

I have a question regarding signing a Java applet. I've spent a lot of
time researching this, and have only encountered contradictory
information, bad links, and outdated documentation. It's driving me
mad! I hope someone can help...

My situation is this. I need to make slight changes to some Java
applet code (properJavaRDP), and rebuild it ready for deployment. The
original build I have works fine (actually, its performance and
behaviour are very good). However, building it locally results in all
sorts of failures when running as an applet, e.g. security exceptions
when trying to set up the clipboard. Obviously, this code is designed
to be run with better privileges than I'm giving it. So, I expect I
need to sign the applet.

This is where I'm having the problem. I can't find a definitive answer
on what kind of certificate I need for that purpose. Sun's docs (or
all I can find of them using Google,
http://java.sun.com/j2se/1.4.2/docs/guide/plugin/developer_guide/rsa_signing.html
) say:

"RSA certificates may be purchased from a Certificate Authority (CA)
that supports RSA"

However, I can't find a source that says it sells RSA certificates
directly. Some info says that an SSL certificate is OK, some say that
SSL certificates are implemented using RSA and would work, others
again say that SSL and RSA are for different purposes and not
interchangeable... I really can't tell what I should buy. The only
source that says it sells certificates specifically for Java signing
is too expensive:

http://www.verisign.com/code-signin...ficates/sun-java/index.html?sl=productdetails

Can anyone clarify this process? What do I need to buy, and where's
the best place to buy it?

Any help much appreciated!

Mike
 
Andrew Thompson

...
Can anyone clarify this process? What do I need to buy, and where's
the best place to buy it?

I cannot advise you on a certificate that is verified by a CA, but
there is an alternative. It is possible to create a cert using the
JDK tools. Such a certificate is not verified by a CA, and the
warnings before getting the code are slightly more scary, but as long
as the user will trust you, it will still work.
 
mikevb

I cannot advise you on a certificate that is verified by a CA, but
there is an alternative.  It is possible to create a cert using the
JDK tools.  Such a certificate is not verified by a CA, and the
warnings before getting the code are slightly more scary, but as long
as the user will trust you, it will still work.

Thanks Andrew - I'll give that a try and see how I go, but I think
we'll need to get a 'real' certificate sometime soon. Hopefully
someone can provide a recommendation.

Thanks,
Mike
 
Andrew Thompson

On Feb 15, 12:37 pm, Andrew Thompson <[email protected]> wrote:
re, self-signing.
..I'll give that a try and see how I go,..

If you have an IDE (or otherwise have Ant installed),
you might try playing with one of my webstart API demos.
The FileContents example creates a digital certificate
to sign the code (some forms of which need to be trusted).

You can get the build/source files from the linked .zip at
http://pscode.org/jws/api.html#fs
..but I think
we'll need to get a 'real' certificate sometime soon. Hopefully
someone can provide a recommendation.

That is probably best. A 'self signed' certificate
really does not provide any protection to the end user.

The last time I heard, Thawte was issuing some
'freemail' certificates (for free). I decided not
to use them because the name on the certificate was
'Freemail User' or WTE. I wanted my name and domain
to be on the certificate (and shown to the user, at
time of prompting them to accept the code).
 
Roedy Green

The last time I heard, Thawte was issuing some
'freemail' certificates (for free).

They are for email signing, not code signing.

When you buy a cert, you are paying for the research they do to ensure
whatever facts are burned into the cert are indeed true.
--
Roedy Green Canadian Mind Products
http://mindprod.com

Nothing has really happened until it has been recorded.
~ Virginia Woolf (born: 1882-01-25 died: 1941-03-28 at age: 59)
 
Andrew Thompson

...

They are for email signing, not code signing.

I'm almost certain I encountered one JWS based app. that
had the author/vendor listed at the trust prompt as
"Thawte Freemail User" or WTE.

Unfortunately I cannot provide any more details, except
that AFAI(vaguely)R, it was used by someone who used to
be a regular poster around usenet (I cannot afford to
run trusted code from parties that I neither know nor
trust).
 
mikevb

Thanks for everyone's help and ideas. I've bought a Thawte
certificate, so I really hope that works, given the price (US$299).
Roedy, your pages were very helpful; I had encountered them during my
search, but I think I was having other problems at the time (JDK path
was wrong, so I appeared to be missing some tools I needed). Once I
had everything sorted out, it was fairly easy to create certificates,
and also the CSR that Thawte wanted.

They are for email signing, not code signing.
When you buy a cert, you are paying for the research they do to ensure
whatever facts are burned into the cert are indeed true.

I think Andrew's right - I encountered multiple references to this in
my research. I'm not a crypto/certificate/signing expert at all
(clueless in that area really), so I really don't know what's
realistic or not, but several people seemed to suggest it worked.
However, the names on the certificate appeared to be unsuitable for my
use, and also, those certificates are no longer available as of
November 2009. So, no options there really!

Thanks,
Mike
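
The JDK-tool steps mentioned in this thread (a self-signed certificate, the CSR a CA asks for, and signing the JAR), shown as an added example that is not from any of the posters. The alias, password, distinguished name and file names are constructed placeholders, and the verification check assumes English-language `jarsigner` output.

```shell
#!/bin/sh
# Added example, not from the thread. Alias, password, DN and file names
# are constructed placeholders.
set -eu

ALIAS=appletsigner
STOREPASS=demo-changeit
DNAME='CN=Example Developer, O=Example Org, C=US'

# Generate an RSA key pair; keytool wraps the public key in a self-signed cert.
make_key() {
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -validity 365 -dname "$DNAME" -storetype PKCS12 \
        -keystore "$1/signer.p12" -storepass "$STOREPASS" \
        -keypass "$STOREPASS" </dev/null
}

# Write the CSR sent to a CA; the private key stays in the keystore.
make_csr() {
    keytool -certreq -alias "$ALIAS" -storetype PKCS12 \
        -keystore "$1/signer.p12" -storepass "$STOREPASS" \
        -file "$1/signer.csr" </dev/null
}

# Sign a copy of the JAR with the key stored under $ALIAS.
sign_jar() {
    jarsigner -storetype PKCS12 -keystore "$1/signer.p12" \
        -storepass "$STOREPASS" -signedjar "$1/applet-signed.jar" \
        "$1/applet.jar" "$ALIAS" </dev/null
}

# jarsigner -verify exits 0 even for an unsigned JAR, so check its message
# (assumes English output).
is_signed() {
    jarsigner -verify "$1" 2>&1 | grep -q 'jar verified'
}

# Build a placeholder JAR in directory $1, then run all three steps on it.
run_demo() {
    mkdir -p "$1/classes"
    echo 'placeholder content' > "$1/classes/README.txt"
    jar cf "$1/applet.jar" -C "$1/classes" .
    make_key "$1" && make_csr "$1" && sign_jar "$1"
}

# Run the whole sequence only when asked: sh sign-demo.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    run_demo "$work" && is_signed "$work/applet-signed.jar" && echo "signed JAR in $work"
fi
```

Once the CA returns its certificate, `keytool -importcert` under the same alias replaces the self-signed certificate in the keystore, and the same `jarsigner` command then signs with the CA-issued chain.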
 
Roedy Green

I'm almost certain I encountered one JWS based app. that
had the author/vendor listed at the trust prompt as
"Thawte Freemail User" or WTE.

I wonder if they figured out some sort of gene splicing to create the
certificate. Maybe he works for a company with a name similar to
"freemail". If you run across it again, please tell us about it. I'd
be interested in figuring out how he did it.

--
Roedy Green Canadian Mind Products
http://mindprod.com

Nothing has really happened until it has been recorded.
~ Virginia Woolf (born: 1882-01-25 died: 1941-03-28 at age: 59)
 
Roedy Green

Once I
had everything sorted out, it was fairly easy to create certificates,
and also the CSR that Thawte wanted.

When I went through the process some years ago, the problem was
totally the lack of documentation. What you actually do is not that
complicated.

I thought it was very peculiar of companies to offer such expensive
products with almost no instructions on what to do to get one or use
it.

I wrote a lot of emails to the various companies prodding them to
improve their on-line docs. Thawte seemed most receptive.

Happily, possibly partly at my urging, the situation has greatly
improved. There is quite a bit to read about certificates, (more than
you wanted to know about penguins) on my site, but if you wade through
it, I think you will have a good shot at buying the right sort of
certificate and get it ordered and installed on the first go.

Get started at http://mindprod.com/jgloss/certificate.html
--
Roedy Green Canadian Mind Products
http://mindprod.com

Nothing has really happened until it has been recorded.
~ Virginia Woolf (born: 1882-01-25 died: 1941-03-28 at age: 59)
 
Andrew Thompson

..I thought it was very peculiar of companies to offer such expensive
products with almost no instructions on what to do to get one or use
it.

++ I found the sites to be tortuous and confusing
the time I was looking into it, which was a fair
while ago.
I wrote a lot of emails to the various companies prodding them to
improve their on-line docs.  ...

Thanks. :)
----------------------------------
On other matters, you might have noted in mikevb's
reply that they have ceased to issue the freemail
certs. :-(

I doubt I will ever see another one, but if I do,
I'll ask the app. author for permission to pass
whatever information onto you, that might help
you resolve your inquiry.
 