Difference between Authenticode, SPC and Java CodeSign?

Most certificate authorities, such as Verisign or Certum, sell code signing certificates as various "products":

  • Microsoft Authenticode - "Allows you to sign EXE, OCX, DLL, bla ..."

  • Java CodeSign - "Allows you to sign Java code"

  • Software Publisher Certificate - "Allows you to sign software"

Well, I REALLY got confused about this. What is the difference between all these products, except PRICE? I have asked Verisign and other certification authorities about this several times out of curiosity, but did not receive a response.

I received an Authenticode certificate from Certum CA. I registered it with Internet Explorer, exported it as a PKCS #12 PFX, and I could sign EXE, DLL, ... as promised.

Now ... I tried to import this PFX into Java using keytool, then I tried to sign the JAR. And it worked!

And then there is the mysterious "software publisher certificate" as a product. I don't know what I can / should sign with this ... Mac? Linux? Is Microsoft Authenticode also a software publisher certificate? Isn't an EXE software? It really bothers me.

So, now my question is: when I ordered a Microsoft Authenticode certificate, is it illegal to use it for signing, for example, JAR files or, if possible, any other content? It seems that there are no technical differences between these certificates. All of these products must carry the same EKU OID "1.3.6.1.5.5.7.3.3", which does not distinguish between EXE, JAR, Adobe AIR and whatever else exists out there. So, if all the "CodeSigning" certificates are technically equal, why should I have to decide whether I want to be a "Java developer" or a "Windows developer" or a "Software developer"?

Perhaps there are still differences in the certificate? Maybe I get insufficient rights in the JAR when I use Authenticode certs for signing?

(PS: I do not use my software commercially!)

+7
java security windows certificate pki
2 answers

There are no technical differences, you guessed it. Using the right tool chain, a certificate for signing Java applications can be used to sign Windows executables.

See for example Jsign, a tool for signing Windows executables using a Java keystore or a standard PKCS #12 keystore.

+2
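As an added illustration (not code from the question or from the answer, and not part of Jsign), the following Java snippet loads a PKCS #12 file through the standard KeyStore API that keytool wraps, and prints the Extended Key Usage OIDs of every certificate in it. The file path and password are placeholders. If the only usage-related marker on the certificate is the id-kp-codeSigning OID 1.3.6.1.5.5.7.3.3, nothing in the certificate itself ties it to EXE rather than JAR signing, which is what the answer above is saying.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;

/**
 * Lists the Extended Key Usage OIDs of every certificate in a PKCS#12 (PFX)
 * keystore and reports whether id-kp-codeSigning (1.3.6.1.5.5.7.3.3) is present.
 * Path and password are placeholders; pass your own as program arguments.
 */
public class EkuCheck {
    static final String ID_KP_CODE_SIGNING = "1.3.6.1.5.5.7.3.3";

    /** True when the certificate's EKU extension lists id-kp-codeSigning. */
    static boolean hasCodeSigningEku(X509Certificate cert) throws Exception {
        List<String> ekus = cert.getExtendedKeyUsage(); // null if the extension is absent
        return ekus != null && ekus.contains(ID_KP_CODE_SIGNING);
    }

    public static void main(String[] args) throws Exception {
        String pfxPath = args.length > 0 ? args[0] : "mycert.pfx";               // placeholder
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray(); // placeholder

        // The same PKCS#12 file exported from Windows can be opened directly here;
        // no conversion to JKS is required for inspection.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(pfxPath)) {
            ks.load(in, password);
        }

        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue; // secret-key entries have no certificate
            }
            X509Certificate cert = (X509Certificate) c;
            List<String> ekus = cert.getExtendedKeyUsage();
            System.out.println("alias: " + alias);
            System.out.println("  subject: " + cert.getSubjectX500Principal());
            System.out.println("  EKU OIDs: " + (ekus == null ? "(none)" : ekus));
            System.out.println("  id-kp-codeSigning present: " + hasCodeSigningEku(cert));
        }
    }
}
```

Run it as `java EkuCheck path/to/cert.pfx 'password'`; any extra OIDs that appear next to 1.3.6.1.5.5.7.3.3 are CA-specific policy markers, not a technical restriction on the file types the key can sign.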

I wrote a short article about converting a Java certificate and using it for Authenticode. You can find it here: http://blog.botha.us/sarel/?p=21

We have been doing this for many years without any negative consequences.

+1
