Most of you are already aware of the recent announcement on Steven Chan’s blog about the new JRE requirements: EBS JAR files must now be signed with a code signing certificate. This requirement comes from Oracle tightening security around Java, which is one of the most widely exploited pieces of software by viruses and malware bots.
First, note that code signing certificates are different from the SSL certificates used for web URLs. Code signing certificates are used to sign files such as Java JAR files, Windows kernel drivers, Windows program installers (EXEs) and ActiveX controls; technically they carry the code-signing extended key usage rather than the server-authentication one, so the two kinds are not interchangeable even when bought from the same CA. An SSL certificate authenticates a web host and protects the connection to it, whereas a code signing certificate identifies the publisher of a program and lets the runtime detect that the program was modified after it was signed. One might wonder why Oracle doesn’t ship signed JAR files by default. Unfortunately Oracle cannot do that, because any Java code-related patch overwrites the JAR files, which would then have to be signed all over again.
Let’s come back to the topic of this blog: which certificate authority is the best one to buy the code signing certificate from? The technology behind a $500 Verisign certificate and a $70 Comodo certificate is the same. The $500 certificate doesn’t do any extra magic; it might offer you some liability assurance, but the cryptography and the resulting JAR signature are the same. What actually matters for JAR signing is whether the CA’s root certificate is already trusted by the JRE on your clients.
I looked around and found that certificates from StartSSL.com are the cheapest, costing around $59. Unfortunately, we cannot use them for JAR signing, as their root certificate is not yet included in the cacerts trust store shipped with the JRE. The StartSSL root is included in Windows 7, but not yet in Java; the Java plug-in validates signatures against its own cacerts file, not the operating system’s certificate store, so a root that Windows trusts does you no good here. To use StartSSL certificates with Java, we would first have to manually import their root into the cacerts of every JRE, a manual process that you are better off avoiding. You can list all the certificate authorities included in a given JRE with the command below (changeit is the default password of the cacerts keystore, and -v is needed because the plain listing shows only aliases and fingerprints, not issuer names):

/home/oracle/jre1.7.0_45/bin $ ./keytool -list -v -keystore ../lib/security/cacerts -storepass changeit | grep Issuer:

Run this against the JRE version your users actually have installed, since the set of bundled roots changes between Java releases.
So I went searching again for the least expensive option whose root is already included in the Java cacerts. COMODO code signing certificates seem to be the cheapest available; they can be picked up from this reseller store for about $80 a year. Going with a root certificate that is already in the Java cacerts file avoids having to manually import root certificates into Java on the server as well as into the JRE on every client machine.
So COMODO seems to be the winner here! For about $400 per 5 years, you get a certificate that you can use in all your prod and dev/test environments. I am also working on steps to set up an internal Certificate Authority that you can use to sign the JAR files for free, which is useful for demo/lab environments where the user population is much smaller. I am currently working on resolving the error below:
com.sun.deploy.security.RevocationChecker$StatusUnknownException: Certificate does not specify OCSP responder
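For the internal-CA route, here is an added example (my own sketch for this page, not steps from the original post and not an Oracle procedure) that builds a throwaway CA with OpenSSL and issues a code signing certificate carrying the two extensions that matter to the Java plug-in: an extendedKeyUsage of codeSigning, which is what distinguishes it from an SSL certificate, and an authorityInfoAccess entry naming an OCSP responder, which is the field the StatusUnknownException above says is missing. The CA name, the subject names and the OCSP URL http://ocsp.example.internal/ are placeholders I made up; nothing answers at that URL, so the Java revocation checker will still need either a real responder at that address (openssl ocsp can serve one for a lab) or the revocation-check setting in the Java Control Panel relaxed. keytool and jarsigner are deliberately not invoked inside the block so that it runs anywhere OpenSSL is installed.

```shell
#!/bin/sh
# Added example, not from the original post: a throwaway internal CA that
# issues a code-signing certificate with the extensions Java looks for.
# Demo/lab use only. All names and the OCSP URL are made-up placeholders.
set -e

# make_demo_pki DIR: writes ca.crt, codesign.crt and codesign.p12 into DIR.
make_demo_pki() (
  set -e
  mkdir -p "$1"
  cd "$1"

  # Root CA profile: CA:TRUE plus the key usages a CA needs, nothing more.
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = Example Internal Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config ca.cnf -keyout ca.key -out ca.crt 2>/dev/null

  # Leaf request. The CSR carries only the subject; every extension comes
  # from the CA side (codesign.ext), so a requester cannot grant itself CA:TRUE.
  cat > leaf.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example EBS JAR Signing
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config leaf.cnf -keyout codesign.key -out codesign.csr 2>/dev/null

  # Leaf profile. extendedKeyUsage=codeSigning separates this from an SSL
  # (serverAuth) certificate; authorityInfoAccess is the field behind the
  # Java error "Certificate does not specify OCSP responder".
  cat > codesign.ext <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, codeSigning
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
authorityInfoAccess = OCSP;URI:http://ocsp.example.internal/
EOF
  openssl x509 -req -in codesign.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1825 -sha256 -extfile codesign.ext -out codesign.crt 2>/dev/null

  # Bundle key + chain as PKCS#12 so jarsigner can use it directly.
  openssl pkcs12 -export -inkey codesign.key -in codesign.crt -certfile ca.crt \
    -name codesign -passout pass:changeit -out codesign.p12
)

# cert_has FILE PATTERN: true if the decoded certificate text contains PATTERN.
cert_has() {
  openssl x509 -in "$1" -noout -text | grep -q -- "$2"
}

# chain_ok CA_FILE LEAF_FILE: true if the leaf chains to the CA.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

DEMO_DIR="${DEMO_DIR:-$(mktemp -d)}"
make_demo_pki "$DEMO_DIR"
# The checks a practitioner runs before handing the certificate to jarsigner:
cert_has "$DEMO_DIR/codesign.crt" "Code Signing"
cert_has "$DEMO_DIR/codesign.crt" "OCSP - URI:http://ocsp.example.internal/"
chain_ok "$DEMO_DIR/ca.crt" "$DEMO_DIR/codesign.crt"
echo "demo PKI written to $DEMO_DIR"
```

The resulting codesign.p12 can be used as-is: jarsigner -keystore codesign.p12 -storetype pkcs12 -storepass changeit -tsa <timestamp server URL> app.jar codesign. Sign with a timestamping authority (-tsa) whenever one is available; without a timestamp the signatures stop validating the day the certificate expires. Older JREs such as 7u45 may not read the PBES2/AES PKCS#12 that current OpenSSL writes by default; OpenSSL 3’s pkcs12 -export -legacy option writes the older algorithms those JREs understand. And exactly as with the commercial options above, clients only trust these signatures once ca.crt has been imported into their JRE’s cacerts, which is the manual step the COMODO root lets you skip.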
See you in my next blog post! Happy Holidays!