Differences between SSL and Code-Signing Certificates

Hello,

I unsuccessfully tried to use an SSL certificate for signing an applet (converting from X.509 to PKCS12 prior to signing) and learned that SSL certificates and code-signing certificates are different things (after searching the web for hours). Can somebody point out some source of information about this topic? What are these differences? Can I convert my SSL certificate into a code-signing certificate?

Things got even more confusing for me, since my first attempt with a wrongly converted SSL certificate (I used only my public and private key for the conversion, omitting the complete chain) at least partly worked: the certificate was accepted, but marked as coming from some untrustworthy organisation. After making a correct conversion (with the complete chain) the Java plugin rejected the certificate completely ...

Ulf

By UPietruschkaa at 2007-10-1 17:44:56
# 1
http://java.sun.com/j2se/1.5.0/docs/guide/security/cert3.html#inside
According to this site an X.509 v1 certificate can be used and generated with keytool. This certificate can then be used to sign a jar with jarsigner (on Windows and Solaris).
harmmeijera at 2007-7-11 12:11:28 > top of Java-index,Security,Signed Applets...
# 2

OK, so if I understand this correctly, the X.509v3 extension KeyUsage is only meant for limiting the usage of the certificate to SSL, code-signing, etc. In other words, this extension has been introduced by the certificate vendors to charge you twice if you need a certificate for multiple purposes, right?

Ulf

UPietruschkaa at 2007-7-11 12:11:28
# 3

yep, looks like it.

keytool can be used with v3 X.509 stores:

Using keytool, it is possible to display, import, and export X.509 v1, v2, and v3 certificates stored as files, and to generate new self-signed v1 certificates. For examples, see the "EXAMPLES" section of the keytool documentation (for Solaris) (for Windows).

jarsigner needs a keystore, so I would assume a public and private key pair.

You could list the keys from your store:

C:\temp>keytool -list -keystore serverkeys.key
Enter keystore password: storepass

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

client, Jul 5, 2005, trustedCertEntry,
Certificate fingerprint (MD5): 13:50:77:64:94:36:2E:18:00:4B:90:65:D0:26:22:C8
server, Jul 5, 2005, keyEntry,
Certificate fingerprint (MD5): 20:90:49:6F:46:BA:AB:11:75:39:9F:6F:29:1F:AB:58

The server entry is the private key; this can be used with jarsigner (alias option).

C:\temp>jarsigner -keystore serverkeys.key -storepass storepass -keypass keypass -signedjar sTest.jar test.jar client
jarsigner: Certificate chain not found for: client. client must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.

C:\temp>jarsigner -keystore serverkeys.key -storepass storepass -keypass keypass -signedjar sTest.jar test.jar server

harmmeijera at 2007-7-11 12:11:28
# 4
OK, so there does not seem to be a way to circumvent this, i.e., manipulating an existing certificate (removing or changing the KeyUsage extension) is probably not possible without the issuer's (CA) private key, right?

Ulf
UPietruschkaa at 2007-7-11 12:11:28
# 5
Not that I know of.
harmmeijera at 2007-7-11 12:11:28
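As an added worked check for the thread above (this is not code from the thread or from Sun's tools), the following Java program opens a JKS keystore such as the serverkeys.key listed earlier and reports, per alias, whether the entry holds a private key (what jarsigner requires, which is why the trustedCertEntry "client" fails) and whether the certificate's KeyUsage and ExtendedKeyUsage extensions permit code signing (an SSL certificate normally carries only serverAuth, which is why the plugin rejects it). The file name, password and class name are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.List;

public class CertUsageCheck {
    // Extended key usage OIDs as defined in RFC 5280, section 4.2.1.12
    static final String EKU_SERVER_AUTH  = "1.3.6.1.5.5.7.3.1";
    static final String EKU_CODE_SIGNING = "1.3.6.1.5.5.7.3.3";
    static final String EKU_ANY          = "2.5.29.37.0";

    public static void main(String[] args) throws Exception {
        // Assumed defaults: the keystore name and password used in the thread
        String path = args.length > 0 ? args[0] : "serverkeys.key";
        char[] pass = (args.length > 1 ? args[1] : "storepass").toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            // jarsigner can only sign with a key entry (private key + certificate chain);
            // a trustedCertEntry holds a public certificate only
            boolean hasPrivateKey = ks.isKeyEntry(alias);
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            System.out.println(alias + ": " + (hasPrivateKey ? "keyEntry" : "trustedCertEntry"));
            System.out.println("  serverAuth in EKU:            " + hasEku(cert, EKU_SERVER_AUTH));
            System.out.println("  code signing allowed by EKU:  " + allowsCodeSigning(cert));
            System.out.println("  digitalSignature KeyUsage bit: " + hasDigitalSignature(cert));
        }
    }

    static boolean hasEku(X509Certificate cert, String oid) throws Exception {
        List<String> eku = cert.getExtendedKeyUsage();   // null when the extension is absent
        return eku != null && eku.contains(oid);
    }

    /** No EKU extension means unrestricted; otherwise codeSigning or anyExtendedKeyUsage is needed. */
    static boolean allowsCodeSigning(X509Certificate cert) throws Exception {
        List<String> eku = cert.getExtendedKeyUsage();
        if (eku == null) return true;
        return eku.contains(EKU_CODE_SIGNING) || eku.contains(EKU_ANY);
    }

    /** KeyUsage bit 0 is digitalSignature; a null array means the extension is absent. */
    static boolean hasDigitalSignature(X509Certificate cert) {
        boolean[] ku = cert.getKeyUsage();
        return ku == null || ku[0];
    }
}
```

Run it as `java CertUsageCheck serverkeys.key storepass`; an entry reported as keyEntry with code signing allowed is one jarsigner can use and a browser plugin can accept on the usage criteria alone (trust in the issuing CA is a separate check).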