Collected: 2020/10/23 09:57:30 Posted: 2014-05-02 11:52:33 Tags: java,windows,security,certificate,pki

Most CAs are selling code signing certificates in different "products", like Verisign or Certum:

  • Microsoft Authenticode - "Allows you to sign EXE, OCX, DLL, bla..."

  • Java CodeSign - "Allows you to sign Java code"

  • Software Publisher Certificate - "Allows you to sign software"

Well, I am REALLY confused about this. What is the difference between all these products - except the PRICE? I asked Verisign and other CAs a few times since I am curious, but got no answer.

I got an Authenticode certificate from Certum CA. I enrolled it in Internet Explorer, exported it as PKCS#12 PFX and could sign EXE, DLL, ... as promised.

Now... I tried to import this PFX into Java with keytool, then I tried to sign a JAR. And it worked!

And then there is the mysterious "Software Publisher certificate" as product. I don't know what I can/should sign with that... Mac? Linux? Isn't "Microsoft Authenticode" a Software publisher certificate too? Isn't an EXE "software"? That really confuses me.

So, my question is now: When I have ordered a Microsoft Authenticode cert, is it then illegal to use it to sign e.g. JAR files or if possible any other content? There seems to be no technical difference between these certificates. All of those products should have the same codesigning EKU-OID "1.3.6.1.5.5.7.3.3", which does not make any differences between EXE, JAR, Adobe Air and what the hell also exists around there. So, if all "CodeSigning" certificates are technically equal, why do I have to decide then if I want to be a "Java Developer" or "Windows Developer" or "Software Developer"?

Maybe there are still differences in the certificate? Maybe I don't get enough rights in JARs when I use Authenticode certs for signing?

(PS: I do not use my software commercially!)
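As an added example (not part of the thread), here is a standard-library Python check of the EKU point raised above: it walks DER, pulls out the extendedKeyUsage extension and tests for id-kp-codeSigning, so the certificate in a keystore can be inspected before signing with it, whatever "product" the CA sold it as. The two sample extensions are constructed inline; `read_tlv`, `decode_oid`, `extended_key_usages` and `allows_code_signing` are names chosen here, and DER definite-length encoding is assumed.

```python
# Added example, not from the thread: decode extendedKeyUsage (OID 2.5.29.37) from DER
# with the standard library only and check for id-kp-codeSigning 1.3.6.1.5.5.7.3.3.
CODE_SIGNING, EKU_EXT = "1.3.6.1.5.5.7.3.3", "2.5.29.37"

def read_tlv(buf, pos):  # (tag, value, next_pos) of the DER TLV at pos; long-form lengths handled
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):  # dotted OID from content bytes: first byte packs two arcs, rest is base-128
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                            # a clear high bit ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def extended_key_usages(der):
    """Walk any DER blob (a whole certificate or a lone Extension) and list its EKU OIDs."""
    found = []
    def walk(buf):
        pos = 0
        while pos < len(buf):
            tag, value, pos = read_tlv(buf, pos)
            if tag == 0x30 and value[:1] == b"\x06":          # SEQUENCE opening with an OID
                _, oid, rest = read_tlv(value, 0)
                if decode_oid(oid) == EKU_EXT:                # Extension { extnID, [critical], extnValue }
                    tag, octets, rest = read_tlv(value, rest)
                    if tag == 0x01:                           # optional critical BOOLEAN
                        _, octets, _ = read_tlv(value, rest)
                    _, seq, _ = read_tlv(octets, 0)           # OCTET STRING wraps SEQUENCE OF OID
                    p = 0
                    while p < len(seq):
                        _, v, p = read_tlv(seq, p)
                        found.append(decode_oid(v))
                    continue
            if tag & 0x20:                                    # constructed type: descend
                walk(value)
    walk(der)
    return found

def allows_code_signing(der):
    return CODE_SIGNING in extended_key_usages(der)
# Constructed samples: a code-signing cert's EKU (codeSigning + timeStamping) and a TLS-style
# EKU marked critical (serverAuth + clientAuth) that carries no codeSigning purpose at all.
SAMPLE_CODESIGN = bytes.fromhex("301d 0603551d25 0416 3014 06082b06010505070303 06082b06010505070308")
SAMPLE_TLS = bytes.fromhex("3020 0603551d25 0101ff 0416 3014 06082b06010505070301 06082b06010505070302")
```

Feeding it the DER bytes of a real certificate (for example one exported from the keystore) works the same way, because the walker descends into every constructed element until it reaches the extension.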

There is no technical difference as you guessed. With the proper tool chain a certificate for signing Java applications can be used to sign Windows executables.

See for example Jsign, a tool for signing Windows executables using a Java keystore or a standard PKCS#12 keystore.

I wrote a short article about converting a Java certificate and using it for Authenticode. You can find it here: http://blog.botha.us/sarel/?p=21

We have been doing this for years without any negative consequence.