Java 7 Update 51 web start signing jar files

Question

Our organization developed some application on java before 8 years and we have some customers who have installed our product in their environment and providing services.

In java 7 update 51, java has updated their security, so it is asking us to sign the jar files using public certificate.

Customer is not fine with ask every user to reduce the security level or add the site in exception list in control pannel java.

The question here is, do all the customer needs to buy one certificate for them self and sign the jars or as an organization we buy a certificate and the single certificate can be used for all the customers?

Answer 1

If you get a certificate for your organization, you can use it to sign any Java applications that you wish to deploy. A different certificate is not needed for each application or customer.

Answer 2

It's not even necessary to avtually "buy" a certificate. You could create a self-signed certificate using the java keytool and use it to sign your code. Then your customers would have to install that certificate into their java trusted certificate store and everything should be fine.

"Buying" a certificate is only necessary when you need every computer with a standard-trustlist to be able to run your application, but if you're in close contact with your customers - as it seems you are - you should be able to hand them a self-created certificate for installation on their machines.