Question

We have a code-signing certificate, purchased from GlobalSign for Authenticode signing (as they call it). Now we need to sign a Java applet and soon an Adobe AIR module (applet?). The question is: from a technical point of view, is there any difference between a certificate-for-Authenticode and a certificate-for-Java or certificate-for-AIR, if they are issued by the same CA (say Comodo or GlobalSign)? I don't see a point in buying different certificates if they are replaceable.

I understand that the key usage field of the certificates must be the same (code signing), but maybe the extended key usage, policy or other extensions differ in those certificates. I would appreciate it if somebody who has code-signing certificates of two or more types issued by one CA could check this for me.


Solution 3

It seems that any code signing certificate will work for any mentioned platform. I asked GlobalSign support about the difference; they didn't respond, but soon after that they changed their web page, and now you would be buying one code signing certificate for all platforms.

OTHER TIPS

There's an explicit statement at http://www.adobe.com/devnet/air/articles/signing_air_applications.html that:

"A developer can use any class-3, high-assurance certificate provided by any CA to sign an Adobe AIR application."

Unfortunately, I can't find anything similar for Java. However, regardless of the minimum certificate requirements for the various platforms, your best bet might be to contact your existing certificate provider to ask if there are any meaningful differences between the certificates they offer for these platforms.

Some of the blah-blah on the Verisign website suggests that the format in which the certificate is delivered to the purchaser is the only real difference between their offerings, but they don't actually state this directly, so who knows...?

From what I gather from RFC 5280, the key usage extensions can only decide whether the certificate is usable for code signing or not. There doesn't seem to be anything in the RFC that can constrain whether you sign Java code or AIR or whatever. This seems to imply that if you can sign one piece of code (or any other kind of non-key data) you can sign any.

That said, there may be CA-specific extensions in your certificate. Without seeing the certificate it's hard to tell if there are limitations.

From a technical perspective, as long as the client (i.e. the browser if we're talking about applets) recognises the CA and is happy with your combination of key usage and certificate type (DIGITAL_SIGNATURE and OBJECT_SIGNING) then you should be fine.
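An added check, not part of any of the answers above: a shell script (assuming OpenSSL 1.1.1 or later for `-addext`) that builds two constructed self-signed test certificates, lists the X.509v3 extensions a CA could vary between its products, and tests for the only two things RFC 5280 actually defines for this purpose, the digitalSignature key usage bit and the codeSigning extended key usage.

```shell
#!/bin/sh
# Added example: inspect the extensions that govern code signing in an X.509
# certificate. Assumes OpenSSL >= 1.1.1. The two certificates generated at the
# bottom are constructed test material, not CA-issued certificates.
set -eu

# List the X.509v3 extension names present in a PEM certificate, one per
# line, sorted. Run this on two certificates from the same CA to see whether
# anything beyond keyUsage/extendedKeyUsage (e.g. certificatePolicies) differs.
cert_extensions() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/X509v3 extensions:/,/Signature Algorithm/p' \
    | grep -E '^ {12}[A-Za-z0-9][A-Za-z0-9 ]*:' \
    | sed -E 's/^ +//; s/: *(critical)?$//' | sort -u
}

# Succeed (exit 0) only if the certificate carries digitalSignature in
# keyUsage AND the codeSigning EKU (OID 1.3.6.1.5.5.7.3.3). RFC 5280 defines
# no finer-grained purpose such as "Java only" or "AIR only".
is_code_signing_cert() {
  text=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' \
    | grep -q 'Digital Signature' || return 1
  printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' \
    | grep -q 'Code Signing' || return 1
}

# Constructed test certificates: $1 = file prefix, $2 = extendedKeyUsage value.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.pem" \
    -addext "keyUsage=critical,digitalSignature" \
    -addext "extendedKeyUsage=$2" 2>/dev/null
}

make_test_cert codesign codeSigning    # what a code-signing cert should carry
make_test_cert tlsserver serverAuth    # a TLS cert: same KU bit, wrong EKU

for c in codesign tlsserver; do
  if is_code_signing_cert "$c.pem"; then
    echo "$c.pem: usable for code signing"
  else
    echo "$c.pem: NOT usable for code signing"
  fi
  cert_extensions "$c.pem" | sed "s/^/  $c: /"
done
```

Point `cert_extensions` at the certificates the CA actually issued for Authenticode and for Java/AIR to compare their extension sets directly.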

Licensed under: CC-BY-SA with attribution