Code signing certificates for Java, Adobe AIR, Authenticode, VBS - are they different?

We have a code signing certificate purchased from GlobalSign for signing under Authenticode (as they call it). Now we need to sign a Java applet and soon an Adobe AIR module (applet?). Question: from a technical point of view, is there a difference between a certificate for Authenticode and a certificate for Java or a certificate for AIR if they are issued by the same CA (for example, Comodo or GlobalSign)? I see no reason to buy different certificates if they are interchangeable.

I understand that the key usage field should be the same (code signing), but perhaps the extended key usage or the policy or another extension is different in these certificates. I would appreciate it if someone who has two or more types of code signing certificates issued by a single CA can verify this for me.

+7
certificate code-signing digital-certificate jar-signing code-signing-certificate
3 answers

It seems that any code signing certificate will work for any platform mentioned. I asked GlobalSign support about the difference - they did not answer, but soon after that they changed their web page and now you will buy one code signing certificate for all platforms.

0

http://www.adobe.com/devnet/air/articles/signing_air_applications.html explicitly states the following:

"A developer can use any class-3 certificate with a high degree of confidence provided by any CA to sign an Adobe AIR application."

Unfortunately, I cannot find anything like this for Java. However, regardless of the minimum certificate requirements for different platforms, it is best to contact your existing certificate provider to find out if there are any significant differences between the certificates they offer for these platforms.

Some of the blah blahs on the Verisign website show that the format in which the certificate is delivered to the customer is the only real difference between their offers, but they don’t actually talk about it directly, so who knows ...

+5

From what I gather from RFC 5280, key usage extensions can only decide whether a certificate can be used to sign code or not. In the RFC, there seems to be nothing to limit whether you are signing Java or AIR code or something else. This seems to mean that if you can sign one piece of code (or any other kind of non-key data), you can sign it.

However, there may be CA-specific extensions in your certificate. Without seeing the certificate, it is difficult to say if there are restrictions.

From a technical point of view, as long as the client (i.e. the browser, if we are talking about applets) recognizes the CA and is satisfied with your combination of using the key and certificate type (DIGITAL_SIGNATURE and OBJECT_SIGNING), then you should be fine.

+2
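The check the last answer describes, as an added example that is not part of the thread: a standard-library DER walk over a certificate's Extensions block that looks only at keyUsage (digitalSignature) and extKeyUsage (id-kp-codeSigning), the two RFC 5280 fields involved, neither of which names a signing platform. The function names, the sample byte strings, and the rule that an absent extension imposes no restriction are assumptions of this example; real verifiers may be stricter.

```python
# Added example (not from the thread). Standard library only.
OID_KEY_USAGE = bytes.fromhex("551d0f")               # 2.5.29.15
OID_EXT_KEY_USAGE = bytes.fromhex("551d25")           # 2.5.29.37
OID_CODE_SIGNING = bytes.fromhex("2b06010505070303")  # 1.3.6.1.5.5.7.3.3
OID_SERVER_AUTH = bytes.fromhex("2b06010505070301")   # 1.3.6.1.5.5.7.3.1

def tlv(data, pos=0):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("truncated DER")
    return tag, data[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def code_signing_allowed(extensions_der):
    """Decide from keyUsage and extKeyUsage only. Assumption: an absent
    extension imposes no restriction; real verifiers may be stricter."""
    tag, body, _ = tlv(extensions_der)
    if tag != 0x30:
        raise ValueError("expected Extensions SEQUENCE")
    can_sign = eku_ok = True
    for _, ext in children(body):
        fields = children(ext)             # extnID, [critical], extnValue
        oid, inner = fields[0][1], fields[-1][1]
        if oid == OID_KEY_USAGE:           # BIT STRING: unused-bit count, then bits
            bits = tlv(inner)[1]
            can_sign = len(bits) > 1 and bool(bits[1] & 0x80)  # digitalSignature
        elif oid == OID_EXT_KEY_USAGE:     # SEQUENCE OF OBJECT IDENTIFIER
            eku_ok = OID_CODE_SIGNING in {v for _, v in children(tlv(inner)[1])}
    return can_sign and eku_ok

def der(tag, value):                       # short-form encoder for the samples
    return bytes([tag, len(value)]) + value

def extension(oid, value):
    return der(0x30, der(0x06, oid) + der(0x04, value))

# Constructed samples: Extensions blocks, not complete certificates.
CODE_SIGNING_EXTS = der(0x30, extension(OID_KEY_USAGE, der(0x03, b"\x07\x80"))
    + extension(OID_EXT_KEY_USAGE, der(0x30, der(0x06, OID_CODE_SIGNING))))
TLS_SERVER_EXTS = der(0x30, extension(OID_KEY_USAGE, der(0x03, b"\x05\xa0"))
    + extension(OID_EXT_KEY_USAGE, der(0x30, der(0x06, OID_SERVER_AUTH))))
```

CA-specific extensions, which the same answer mentions, are skipped by this walk and would have to be read from the actual certificate.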