Code singing jar files by 3rd party.

Sebzy

Been asked to issue a code signing certificate for *.example.ie to one of our 3rd party java developers that occasionally develops applets for us here.

Now from me coming from issuing certs for servers this seems strange. Are code signing certs typically wildcards ? Are there any security implications for assigning such a cert for my company? Anything I should know?

Oh yea as we're under contract with the 3rd party we trust them.

bpmurray

I don't think they even need to specify the class names - you typically sign an entire jar file. Normally you have to ues a keystore, but it's reasonably flexible. Have a look at Digicert's explanation and at using a p12 file.

CreepingDeath

Sebzy wrote: »

Are code signing certs typically wildcards ?

No.

An SSL cert for HTTPS is typically to identify the server (host) and serve as an encryption key.

A code signing certificate identifies that that Jar file came from a specific person/company unmodified.

So the code signing cert is typically not server/host specific.
The cert will typically be in your companies name so that when the applet executes it asks "Do you wish to trust <Acme Company>?".

If you purchase a code signing cert from a certificate authority you're okay.
But if you create your own self signed certificate, then you may have to tell each of the users who run the applet to import your certificate into their Java keystore.

Warning: Java applets are old technology and browsers are becoming more aggressive in blocking them. So I certainly wouldn't be creating new Java applets if at all possible.