Java webstart says my app uses a self signed certificate, but I used a COMODO code signing certificate

I bought a COMODO code signing certificate and used it to sign my java webstart application.

Main question: Is that COMODO code signing certificate even supported by java 8?

More info:

On all machines except my own, java blocks the application, saying it uses a self signed certificate.

I don't even understand why it works on my machine. I looked at the list of trusted certification roots in the java control panel (1.8.0_45-b15), but I cannot find the "COMODO RSA Certification Authority" there.

I do see that certificate in the Windows MMC certificate snap-in under "Trusted Root Certification Authorities". But on at least 3 other machines it does not exist.

asked Jul 02 '15 23:07 by Reto Höhener


3 Answers

I finally solved it - here is the story:

When I bought the certificate, I had to collect it by navigating to a website address that I received by email. There, the certificate was automatically installed into the truststore of my browser (Firefox).

I then exported it from Firefox (Options - Advanced - View Certificates - Your Certificates - Backup button).

What I didn't realize at the time was that Firefox, unlike Java and Windows, has the "COMODO RSA Certification Authority" as an inbuilt token.

What I also didn't know at the time was that the Firefox certificate export seems to only include the certificate chain up to the first trusted authority, in this case the "COMODO RSA Certification Authority".

From this COMODO support site I learned that the chain should actually go one higher, all the way up to "AddTrust External CA Root".

That sounded much more promising, because the AddTrust certificate is actually included in Oracle's java 8 cacerts truststore, which is responsible for verifying the jar during java webstart.

The next thing I did was import the *.p12 file I got from Firefox into the Windows certificate manager (Start - certmgr.msc), because for some reason I thought this was the way to convert *.p12 to *.pfx (although now I know that both extensions are used for the same PKCS#12 keystore format). Anyway, during the import this question popped up.

Here I made the critical mistake: I clicked yes. This caused the "COMODO RSA Certification Authority" to be installed in the Windows truststore as a "Trusted Root Certificate" (btw only visible after I restarted certmgr.msc).

My code signing certificate was installed in "Personal/Certificates". I exported it from there (Action - All tasks - Export...), and marked "Include all certificates in the certification path if possible".

Now the exact same thing happened as when I exported from Firefox. Since Windows now had "COMODO RSA Certification Authority" installed as a trusted root certificate, it only included the chain up to this one. This is what I got after the export.

And now for the genius move, which I stumbled upon by pure chance: I deleted the "COMODO RSA Certification Authority" from the Windows certificate manager. Now, when I double clicked my code signing certificate, the displayed chain suddenly looked different.

I admit I got a small adrenaline rush when I saw this. I exported again (exact same settings as before).

And indeed, after I signed my application with this exported certificate, java webstart accepts it.

answered Nov 15 '22 06:11 by Reto Höhener
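The answer above describes the failure without being able to show it (the screenshots are gone). The following is an added example, not code from the original post, from COMODO or from Oracle. It rebuilds the situation with a toy PKI generated by openssl: the issuer of the code-signing CA exists twice, once as a self-signed root (the form Firefox and Windows exported) and once as a cross-certificate issued by an older root (the form a Java 8u45 cacerts can reach). A truststore holding only the old root plays the part of cacerts, and `openssl verify` plays the part of the chain check Java Web Start performs. All names (Toy AddTrust External CA Root, Toy COMODO RSA CA, Toy Publisher, the file names) are invented; openssl 1.1 or newer must be on PATH, and no JDK is needed.

```shell
#!/bin/sh
# Added example (not the original poster's code). Reproduces, with a toy PKI,
# why a PKCS#12 exported with the chain ending at a self-signed "COMODO RSA CA"
# is rejected by a truststore that only knows the older "AddTrust" root, while
# the same leaf exported with the cross-certificate is accepted.
# Assumptions: openssl 1.1+ on PATH; every name below is invented.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# Self-contained request config so nothing depends on the system openssl.cnf.
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ leaf_ext ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = codeSigning
EOF

# self_signed NAME CN: fresh key NAME.key plus self-signed CA certificate NAME.pem.
self_signed() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$1.key" -sha256 -days 2 -subj "/CN=$2" \
    -config req.cnf -extensions ca_ext -out "$1.pem" 2>/dev/null
}

# issue KEY CN ISSUER EXT [OUT]: certificate OUT.pem (default KEY.pem) for
# KEY.key, signed by ISSUER.key with the extension section EXT.
issue() {
  out="${5:-$1}"
  [ -f "$1.key" ] || openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -key "$1.key" -sha256 -subj "/CN=$2" -config req.cnf \
    -out "$out.csr" 2>/dev/null
  openssl x509 -req -in "$out.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
    -sha256 -days 2 -extfile req.cnf -extensions "$4" -out "$out.pem" 2>/dev/null
}

self_signed addtrust "Toy AddTrust External CA Root"       # the only root our cacerts knows
self_signed comodo   "Toy COMODO RSA CA"                   # self-signed form: a built-in root in Firefox
issue comodo   "Toy COMODO RSA CA"              addtrust ca_ext comodo_cross  # same key, issued by AddTrust
issue codesign "Toy COMODO RSA Code Signing CA" comodo   ca_ext
issue leaf     "Toy Publisher"                  codesign leaf_ext

cp addtrust.pem cacerts.pem    # stands in for Oracle's cacerts before 8u51

# export_p12 OUT CHAIN...: the publisher key and certificate plus CHAIN, as a
# Firefox/certmgr export would produce it (.p12 and .pfx are both PKCS#12).
export_p12() {
  out="$1"; shift
  cat "$@" > "$out.chain.pem"
  openssl pkcs12 -export -inkey leaf.key -in leaf.pem -certfile "$out.chain.pem" \
    -name codesign -passout pass:changeit -out "$out.p12"
}
export_p12 firefox codesign.pem comodo.pem                    # chain stops at the self-signed root
export_p12 full    codesign.pem comodo_cross.pem addtrust.pem # chain continues up to AddTrust

# verify_p12 NAME TRUSTSTORE: succeeds only if the publisher certificate chains
# to a root in TRUSTSTORE using nothing but the certificates shipped in NAME.p12,
# which is all a JAR signature carries.
verify_p12() {
  openssl pkcs12 -in "$1.p12" -passin pass:changeit -nokeys -out "$1.shipped.pem" 2>/dev/null
  openssl verify -CAfile "$2" -untrusted "$1.shipped.pem" leaf.pem >/dev/null 2>&1
}

report() {
  if verify_p12 "$1" "$2"; then echo "$1.p12 against $2: accepted"
  else echo "$1.p12 against $2: rejected (self-signed certificate in chain)"; fi
}
report firefox cacerts.pem   # rejected
report full    cacerts.pem   # accepted
# "Works on my machine": clicking Yes in certmgr.msc made the self-signed COMODO
# certificate a trusted root, which is exactly what this truststore simulates.
cat addtrust.pem comodo.pem > cacerts_plus_comodo.pem
report firefox cacerts_plus_comodo.pem   # accepted
```

The check to run on a real export is the same `openssl pkcs12 -nokeys` followed by `openssl verify -untrusted` against the roots the target JRE ships: if the only path from the leaf ends at a self-signed certificate that is absent from cacerts, every machine except the one where that certificate was hand-installed will report a self-signed signer. The UPDATE in the next answer (Comodo's roots added in 8u51) is the other way to fix it: extend the truststore instead of the exported chain.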


UPDATE: This was a JRE release bug. Comodo's new CA certs were added to the default keystore in Java 8u51.

An answer to another question which, while somewhat out of place there, seems very on topic here:

You can tell if a CA's certs will work for Java code-signing by examining the Java cacerts file, which lists all the CAs known to Java. If their cert is in this file, then Java will not complain about the signed code. If it isn't, then it will warn the users. For example:

root@girflet:~# keytool -list -keystore /usr/lib/jvm/java-6-sun-1.6.0.15/jre/lib/security/cacerts | grep comodo
Enter keystore password: changeit
comodoaaaca, 02-May-2006, trustedCertEntry,

Note that I had to enter the default keystore password, changeit. This command should work on Windows as well, although you'll have to change the path to the cacerts file and you won't have grep. Use more instead and page through until you find or don't find what you're looking for.

As of today, Comodo is in the cacerts file, and startssl isn't. So a startssl cert wouldn't be much good for Java code.

Source: https://stackoverflow.com/a/1906679/154527

answered Nov 15 '22 07:11 by Alain O'Dea


I can give you a conditional answer. On one of the computers that doesn't like your certificate, go to http://jonathancrosmer.com/software/invadeearth/ and click Invade Earth.

This program uses a Comodo certificate. I built it against Java 7, but if your computer has only a Java 8 runtime it should still work.

1. If you get the same warning, you know it is a Java 8 issue.
2. Otherwise, you know something is wrong with your certificate.

Either way, you'll probably want to get a refund from your certificate issuer, since they advertise that their certificate is trusted by Java.

answered Nov 15 '22 05:11 by Jonathan Crosmer