Menu
We have a code-signing certificate, purchased from GlobalSign for Authenticode signing (as they call it). Now we need to sign Java applet and soon Adobe AIR module (applet?). The question is: from technical point of view is there any difference between certificate-for-Authenticode and certificate-for-Java or certificate-for-AIR, if they are issued by the same CA (say Comodo or GlobalSign)? I don't see a point in buying different certificates if they are replaceable.
I understand that key usage field of certificates must be the same (code signing), but maybe extended code usage or policy or other extension differs in those certificates. I would appreciate if somebody who has code-signing certificates of two or more types issued by one CA could check this for me.
540
A Java code signing certificate is useful for securing all types of Java software and executables. It gives assurance to users that the identity of the software publisher has been rigorously vetted by a publicly trusted certificate authority (CA).
Code Signing Certificates are used by software developers to digitally sign applications, drivers, executables and software programs as a way for end-users to verify that the code they receive has not been altered or compromised by a third party.
How long can I use a Code Signing certificate for? Code Signing certificates are valid for 1 to 3 years depending on which life cycle you choose when you purchase the certificate. See: pricing information. You should also timestamp your signed code to avoid your code expiring when your certificate expires.
What Happens When Your Code Signing Certificate Expires. When a code signing certificate expires, unless you choose to timestamp your code, it means that any software or applications that have code signed by the certificate are no longer trusted by Microsoft SmartScreen, Google Safe Browsing, and antivirus programs.
There's an explicit statement at http://www.adobe.com/devnet/air/articles/signing_air_applications.html that:
"A developer can use any class-3, high-assurance certificate provided by any CA to sign an Adobe AIR application."
Unfortunately, I can't find anything similar for Java. However, regardless of the minimum certificate requirements for the various platforms, your best bet might be to contact your existing certificate provider to ask if there are any meaningful differences between the certificates they offer for these platforms.
Some of the blah-blah on the Verisign website suggests that the format in which the certificate is delivered to the purchaser is the only real difference between their offerings, but they don't actually state this directly, so who knows...?
170
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
