
10/7/2011


certificate : Java Glossary




1996-2011, last revised 2008-07-30, Roedy Green, Canadian Mind Products. Source: http://mindprod.com/jgloss/certificate.html

Contents: How Certificates Work; Vendors; Selecting a Vendor; What Can You Use Certificates For?; Private Key Vs Public Key; The Root Certificate Matching Problem; Netscape 4.79 Jar Signing; Java 1.3+ Jar Signing; RSA vs DSA; Manipulating Certificates; Certificate Expiry; Viewing Certificates; Installing/updating Root Certificates; The Formats of Digital Certificate; The Types of Digital Certificate; Cracking Security; Cost; Free Phony Self-Signed Certificates; Obscure Certificates; What Certificates Do You Need?; Why You Want A Real Certificate; Learning More; What Is in A Certificate?; Links

How Certificates Work


A certificate is just a file, digitally signed by a signing authority. It may be a freestanding file, pure binary (DER) or ASCII armoured (Base64). Usually it lives inside a password-protected container file called a keystore, which also holds the matching private key, encrypted under your passphrase. Your personal certificates (and their private keys) are kept in a file called .keystore, and the publicly distributed root certificates belonging to certificate issuing companies and other trusted companies are kept in a file called cacerts. Make sure you back up your .keystore file, especially when upgrading your OS or Java. Otherwise you will lose your code signing certificates and, worse, the private keys that go with them; the certificate authority cannot give those back to you because it never had them.

The certificate is like a cross between a:
   digital ID smart card
   Notary Public's stamp: an electronic ID card issued by a private company who attests you are who you say you are and that certain facts you allege are true.
   signet ring used by kings in days of old to seal letters with wax.
   cheque-signing machine.
   tool to make documents very difficult to forge, like the filigrees on currency and bonds.
   high tech Buck Rogers secret decoder ring.

The key pair behind it has two parts, a private part only you know and a public part the world knows. The certificate itself carries only the public part, together with the authority's signature vouching that the public key belongs to you. You use the private part to stamp your work, proving you authored it and that it has not been tampered with. To verify a signature, the checker needs only a certificate from the root signing authority installed in its certificate repository; your own certificate travels along with the signature. These root certificates are typically pre-installed at the factory in browsers and in Java's cacerts. You don't need to install a copy of the signer's certificate.


The signature consists of a digest (cryptographic hash) of the material signed, that digest encrypted (signed) with the signer's private key, the signer's name and public key in the form of his certificate, and the signing authority's name. You must not trust a signing authority's public key embedded in the signature; anyone could put one there. You must get that separately, which is what the pre-installed root certificates are for.

Certificates are primarily concerned with digital signatures, though they can be used for encryption. Certificates contain your public keys so that other people can encrypt the mail they send you; if anyone intercepts it, they cannot make any sense of it. You can safely hand out your public keys to others since they do not contain your private keys. Unfortunately, Netscape includes your private key whenever it exports a certificate. You must be very careful not to let others discover it.

The certificate-issuing authority is at no time privy to your private key. Your browser generates your random private key when you purchase your certificate, and sends only the public key (inside a certificate request) to the certificate authority. The process of purchasing a certificate may require installing the certificate authority's public key in your browser, three visits to the certificate authority's website, and some email. Depending on the cost/class of the certificate, the certificate authority may need a substantial amount of time to check you out before issuing the certificate.

You need passphrases for your browser and for each certificate. If you forget a passphrase, you are totally hosed. You will never be able to use the certificate again, because the passphrase is what encrypts the private key and there is no recovery. Thankfully, some certificates offer a hint (which you compose) in case you forget the passphrase. For a technical overview of how the public and private keys work, see my essay on digital signatures.

The Types of Digital Certificate


There are many different types of certificate. Unfortunately, you need a separate certificate for every application and every browser (read $$$), e.g. SSL web server, SSL web browser (Netscape, Opera, Internet Explorer), SSL EV (Extended Validation prestige SSL), software publisher jar signing (sometimes called Object-signing) in three flavours: Microsoft RSA Authenticode, Netscape RSA X.509 and Sun Java Plugin DSA/RSA X.509, Marimba channel signer, signing authority root certificate, SET financial Visa/MasterCard web transactions and secure email (S/MIME X.509 v3 for Netscape, PGP (*.asc) for Eudora).

The Verification feature in the Netscape Communicator Security Advisor only determines whether a Digital ID is valid for S/MIME email. Object Signing (i.e. jar signing) certificates are (usually) not also valid S/MIME certificates: the key usage and extended key usage extensions inside the certificate say what it may be used for. It can be alarming to have your new jar signing certificate rejected without an explanation as to why. Netscape has stated this interface will be fixed in a later release of Communicator.

Unfortunately, all this innovation and competition leads to a tower of Babel. When you want to send a message to someone else, you both must be using compatible encryption/signing software. PGP is not compatible with S/MIME email, for example. It is not always obvious what scheme an incoming message is using. Further, most of the time the certificate file looks like gibberish. You can't tell just by looking at the file with a text viewer which signing authority created it, who owns it, what program is needed to make sense of it, which browsers/emailers/newsreaders it works with or even whether the file includes a private key. You need to keep track of that externally. Security software is typically not in the least user-friendly. It is designed for nerds. For example, if you feed an X.509 v3 certificate signed with SHA-1 to a browser that only supports MD5-signed X.509 certificates, it will complain the file is "invalid or corrupt", instead of telling you what sort of certificate it is, what kind it wants, and where to get one.

To complicate matters further, certificates can come in a variety of packagings called wrappers. For example, PKCS #12 wrapping allows key portability. This means, for example, that you can move your certificates (and the corresponding private keys) from one computer to another on floppy disks. Your private key, encrypted under your passphrase, is inside the *.p12 file, so treat the file as the secret it is. Thawte RSA certificates come with PKCS #7 wrappers, which bundle your certificate with the chain of authority certificates above it. Just when you thought you understood it all, you learn that X.509 certificates come in two encodings, binary DER and Base64 ASCII, and to add further complication, they have RSA and DSA variants. PKCS #11 (Cryptoki) is not a file format at all; it is the API used to talk to smart cards and USB tokens that keep the private key inside the hardware, doing identification and decryption without the key ever leaving the device. Here are some of the common types:

Types of Certificate

Extension        Format                   Private key?  Notes
*.asc            PGP                      can           Pretty Good Privacy keys and signatures, ASCII armoured.
*.ca             X.509/DER binary         no            Root certificates.
*.cer            X.509/DER binary         no            Sun Java version 1.3 or later user certs.
*.cer            X.509 Base64 encoded     no            Same content, ASCII armoured. Sometimes a chain of certificates.
*.crl            X.509/DER                no            Certificate Revocation List. Used by cryptext.dll.
*.crt            X.509/DER binary         no            Thawte root certificates; Sun Java version 1.3 or later cacerts.
*.csr, *.p10     PKCS #10                 no            Certificate request: contains the public key, signed with the private key, sent to the authority.
*.db             proprietary binary       yes           Netscape export of the entire set of keys. Contains multiple certs with private keys.
.keystore        JKS                      yes           Sun's keyring format. Holds your certs, authentication chains and friendly names (aliases) together with the private keys. The old keytool never imports/exports the private key, though .keystore contains it. IBM's Keyman will create and manage this format of keyring.
cacerts          JKS                      no            Same format, but it holds only trusted root certs, so no private keys.
*.p12, *.pfx     PKCS #12                 usually       Portable bundle of certificate chain plus private key, encrypted under a passphrase. IE and Netscape export to this; keytool reads it with -storetype PKCS12.
*.p7b, *.p7c     PKCS #7                  no            Certificate bundle, e.g. a certificate chain. Looks like a signed document without content. IE binary public key export.
*.p7r            PKCS #7                  no            Certificate request response: your signed certificate back from the signing authority, ready to import.
*.pem            PEM                      can           Privacy Enhanced Mail format for sending certs embedded in email, typically an SSL cert. Base64 ASCII-armoured; a *.pem may also carry a private key. Used by cryptext.dll.
*.pfx            MS proprietary           yes           Authenticode public/private key, used for signing XML and PAD files.
*.pvk            MS proprietary (PVK)     yes           Authenticode private key. *.spc is the matching public key.
*.spc            PKCS #7/X.509            no            Authenticode public key (software publisher certificate). *.pvk is the matching private key.
*.sst            MS serialized store      no            Windows certificate store.
*.stl            MS trust list            no            Windows certificate trust list. Used by cryptext.dll.
*.usr            X.509/DER binary         no            User certificates.


The Formats of Digital Certificate


Extensions usually don't matter that much. What matters is the internal format of the file. The file formats are nearly all missing a format signature to make identification easy. The most you get is a few telltale bytes: a DER file starts with the ASN.1 SEQUENCE tag 0x30, a PEM file with a -----BEGIN ...----- line and a JKS keystore with the magic number 0xFEEDFEED; nothing in the file tells you what the certificate is for. It is as though the designers did not want anyone looking at the files and making any assumptions on what they read there. You must externally track what every certificate is for. We need software that can handle multiple schemes depending on the automatically determined preferences of the recipient. However, it is a Good Thing there are so many schemes. Not only does it complicate the code-breaker's task, a breakthrough can render an encryption technique void overnight. We need to have viable alternatives waiting in the wings. Some certificates have binary format, others an ASCII printable format, still mostly gibberish. Unfortunately they don't have human readable markers in them to tell you what type they are, what they are for or what they contain. ASCII formats are often called armoured. To sign XML you need to convert the pvk/spc pair with pvkimprt.exe.

Cost
Certificates vary in cost depending mainly on how much research the certificate authority does to verify you are really you, and how much information is in the certificate that the authority is attesting is true. If you are buying a certificate for an SSL webserver, for example, Thawte is about 1/3 the price of industry leader Verisign. Thawte's developer certificates work for Netscape and Microsoft, Java version 1.1, Java version 1.2, Java version 1.3 or later plugin, and Web Start. Unfortunately, Verisign bought out Thawte in 2000-02, so prices will likely gradually rise. With Verisign you need to buy three separate certificates. Thawte has greatly improved over the last year and issued my certificate within one day after I faxed the necessary documentation. Thawte is in South Africa. Verisign is in the USA. Your secrets are probably better kept by a different government than the one wanting to pry on them. All it would take is a court order to discover your Verisign secrets. Thawte has better documentation. There has been a historical tendency of certificate companies to presume extremely high technical knowledge on the part of their users. It is not quite as bad as you might think since, in theory, the signing authority does not know your private key. Personal certificates are often free, especially ones with a short expiry date. Corporate ones are hundreds of dollars per year. For SSL server certificates, or Developer Object/Applet signing certificates, you want to choose a certificate authority already built into the standard browsers such as Netscape, Internet Explorer and Opera, e.g. Thawte.

What Certificates Do you Need?


A serious Java shop will need to separately purchase three different certificates:
1. S/MIME for email encryption and signing.
2. SSL (Secure Sockets Layer) webserver id certificate for https.
3. RSA X.509 (special Sun Java type) for Java version 1.3 or later plugin jars and Web Start.
To deal with legacy customers, they might also want to get:
1. RSA X.509 for Netscape 4.79 fine grain and Netscape 7.1 crude Java version 1.3 or later plugin security.
2. DSA X.509 for Java version 1.1 and Java version 1.2 plugin jars.
3. RSA Authenticode for Internet Explorer cabs, for signing VBA (Visual Basic apps), for signing XML files including PAD program descriptions, for signing device drivers, and for signing applications for Vista written in C++.

What Is in A Certificate?
The certificate may contain information such as:
   email address
   your name
   address
   birthdate
   gender
   SIN/SSA number
   passport number
   company name
   DUNS number (Dun & Bradstreet number)
   your website URL
   personal public encryption/signing key
   issue and expiry date
   a distinguished name of the form CN=mindprod.com, OU=Secure Application Development, O=Canadian Mind Products, L=Victoria, S=BC, C=CA where CN is the common name (for an SSL certificate, the website host name), OU is the subdivision of the company, O is the company name, L is the city, S is the province/state (keytool spells this field ST) and C is the country code.
   the digital signature of the certificate authority attesting to the information in the certificate.

The certificate itself never contains your private key. Some container files (PKCS #12 *.p12/*.pfx, Netscape's *.db, the .keystore) bundle your certificate together with your private key, but these are never distributed. All the ones you download do not contain a private key.

The information is not in human-readable form; it is DER-encoded ASN.1, possibly Base64 armoured. You need a program to decode and display it, e.g. keytool -printcert -file x.cer. You may be required to provide additional information such as Business License, Certificate of Business Registration and Articles of Incorporation which are kept on file at the signing authority, but which are not included in the certificate as vouched-for information. None of this information has any effect on how and where you can use your certificate. Some certificates may have a lifetime of only minutes. The signing authority is guaranteeing the information is true. They use their private key to sign the certificate attesting to its authenticity. Infuriatingly, there are almost always two crucial things missing:
1. The URL where you can download the official version of the certificate.
2. The URL of where you can view the certificate's human-readable fingerprint to verify it is valid.
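Since the file formats carry no human-readable markers (see The Formats of Digital Certificate) and the contents above need a program to decode them, here is a small decoder. It is an added example, not code from the glossary: it sniffs the container from the first bytes (JKS magic, PEM header, DER tag), then lets Java's CertificateFactory parse DER, PEM or a PKCS #7 bundle and prints the subject, issuer, validity, key type, whether it is a CA or self-signed, and the SHA-1/SHA-256 fingerprints you would compare against the authority's published values. The file name on the command line is the only assumption.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;

/**
 * Usage: java CertInfo somefile
 * somefile: a DER or PEM *.cer/*.crt/*.pem, a PKCS #7 *.p7b bundle, or a JKS keystore (assumption).
 */
public class CertInfo {

    /** Guess the container from the first bytes. DER only says "SEQUENCE"; what is inside needs parsing. */
    static String sniff( byte[] b ) {
        if ( b.length >= 4 && ( b[ 0 ] & 0xff ) == 0xfe && ( b[ 1 ] & 0xff ) == 0xed
                && ( b[ 2 ] & 0xff ) == 0xfe && ( b[ 3 ] & 0xff ) == 0xed ) {
            return "JKS keystore (magic number 0xFEEDFEED)";
        }
        String head = new String( b, 0, Math.min( b.length, 64 ), StandardCharsets.US_ASCII );
        if ( head.startsWith( "-----BEGIN " ) ) {
            return "PEM, Base64 armoured: " + head.substring( 11, head.indexOf( "-----", 11 ) );
        }
        if ( b.length > 0 && ( b[ 0 ] & 0xff ) == 0x30 ) {
            return "DER SEQUENCE (an X.509 cert, a PKCS #7 bundle or a PKCS #12 file; parse to tell)";
        }
        return "unknown";
    }

    static String hex( byte[] b ) {
        StringBuilder sb = new StringBuilder();
        for ( int i = 0; i < b.length; i++ ) {
            sb.append( i > 0 ? ":" : "" ).append( String.format( "%02X", b[ i ] ) );
        }
        return sb.toString();
    }

    static void describe( X509Certificate c ) throws Exception {
        System.out.println( "  Subject:     " + c.getSubjectX500Principal() );
        System.out.println( "  Issuer:      " + c.getIssuerX500Principal() );
        System.out.println( "  Serial:      " + c.getSerialNumber().toString( 16 ) );
        System.out.println( "  Valid:       " + c.getNotBefore() + " to " + c.getNotAfter() );
        System.out.println( "  Key:         " + c.getPublicKey().getAlgorithm() + ", signed with " + c.getSigAlgName() );
        // basicConstraints path length is -1 for an end-entity (non-CA) certificate
        System.out.println( "  CA cert:     " + ( c.getBasicConstraints() >= 0 ) );
        boolean selfSigned;
        try { c.verify( c.getPublicKey() ); selfSigned = true; }
        catch ( Exception e ) { selfSigned = false; }
        System.out.println( "  Self-signed: " + selfSigned );
        // the fingerprints are what you compare with the value the authority publishes out of band
        System.out.println( "  SHA-1:       " + hex( MessageDigest.getInstance( "SHA-1" ).digest( c.getEncoded() ) ) );
        System.out.println( "  SHA-256:     " + hex( MessageDigest.getInstance( "SHA-256" ).digest( c.getEncoded() ) ) );
        try { c.checkValidity(); }
        catch ( CertificateException e ) { System.out.println( "  NOT VALID TODAY: " + e ); }
    }

    public static void main( String[] args ) throws Exception {
        byte[] bytes = Files.readAllBytes( Paths.get( args[ 0 ] ) );
        String kind = sniff( bytes );
        System.out.println( args[ 0 ] + ": " + kind );
        if ( kind.startsWith( "JKS" ) ) {
            System.out.println( "a keystore, not a certificate; use keytool -list -v -keystore " + args[ 0 ] );
            return;
        }
        CertificateFactory cf = CertificateFactory.getInstance( "X.509" );
        Collection<? extends Certificate> certs;
        try {
            // handles DER, PEM and PKCS #7 bundles alike and returns every certificate found, chain included
            certs = cf.generateCertificates( new ByteArrayInputStream( bytes ) );
        } catch ( CertificateException e ) {
            System.out.println( "not a certificate (a PKCS #12 file with a private key? try keytool -list -storetype PKCS12)" );
            return;
        }
        int n = 0;
        for ( Certificate cert : certs ) {
            System.out.println( "certificate " + ( ++n ) + " of " + certs.size() );
            describe( (X509Certificate) cert );
        }
    }
}
```

The self-signed test verifies the certificate's signature with its own public key rather than merely comparing names, which is the check that matters when deciding whether a file is a root. A PKCS #12 file is also a DER SEQUENCE, so the sniffer cannot tell it from a bare certificate; the parse failure is what reveals it.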

What Can You Use Certificates For?


You can then use the certificate to digitally sign email, documents, jar files etc. to prove you were the author, and that they have not been tampered with. You can also use some types of certificate as digital ID. Others can electronically challenge you to prove you know the private key that fits with the public key in the certificate by signing a message they provide. The problem with that is, all the information in the certificate is revealed to whoever you show it to. If you want to selectively reveal information, you need several certificates. You might want one with just your birthdate for entry to adult sites, but no other information. You might want one that revealed only a very minimal amount of information when dealing with online vendors, to avoid being bombarded with junk electronic and snail mail.

Certificates can be used instead of passwords to verify who you are to some site. The site challenges you by sending you a message that you digitally sign and send back. If some spy had snooped on you logging in before, it would not help him to spoof you, the way it would had you used a password. That holds only if the site sends a fresh random challenge every time and refuses a reply it has already seen; a fixed or reused challenge turns the signed reply into a reusable password.

Other types of certificate (SSL server certificates) let browsers check that your web server really is yours and encrypt the traffic between them, providing privacy. Recipients can determine whether data did indeed come from you by checking the digital signature. To verify, all they need is a master certificate from the signing authority, which comes built into their browser or email software. They don't need to look up your key in an online database unless they want to check whether the certificate has been revoked. MasterCard and Visa have designed the SET certificate that can be used for secure financial transactions over the web. Verisign supplies the certificates.
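The sign-and-verify model from How Certificates Work and the challenge-response login just described, as an added example that is not code from the glossary. It assumes (my choices, not the page's) a JKS keystore at ~/.keystore with alias "mykey", store and key password "Sesame", an RSA or DSA key pair, and Java 8 or later for java.util.Base64. The site side holds only your certificate; the client side holds the private key. Four runs show a genuine login, a replayed login, an old signature spliced onto a new challenge, and a corrupted signature.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;

/** Logging in with a certificate instead of a password. Keystore, alias and password are assumptions. */
public class ChallengeResponse {

    /** The site. It knows only your certificate, never your private key. */
    static class Site {
        private final PublicKey yourKey;
        private final SecureRandom rng = new SecureRandom();
        private final Set<String> outstanding = new HashSet<>();

        Site( Certificate yourCert ) {
            yourKey = yourCert.getPublicKey();
        }

        /** 32 fresh random bytes. A fixed or predictable challenge would let a snooper replay an old reply. */
        String challenge() {
            byte[] nonce = new byte[ 32 ];
            rng.nextBytes( nonce );
            String c = Base64.getEncoder().encodeToString( nonce );
            outstanding.add( c );
            return c;
        }

        /** Accepts a reply only for a challenge this site issued and has not yet consumed. */
        boolean login( String challenge, byte[] signature ) throws Exception {
            if ( !outstanding.remove( challenge ) ) {
                return false;                                   // unknown or already used: a replay
            }
            Signature verifier = Signature.getInstance( "SHA256with" + yourKey.getAlgorithm() );
            verifier.initVerify( yourKey );
            verifier.update( challenge.getBytes( StandardCharsets.UTF_8 ) );
            try {
                return verifier.verify( signature );
            } catch ( SignatureException e ) {
                return false;                                   // malformed signature bytes
            }
        }
    }

    /** You. Signing proves you hold the private key without ever sending it. */
    static byte[] sign( PrivateKey key, String challenge ) throws Exception {
        Signature signer = Signature.getInstance( "SHA256with" + key.getAlgorithm() );
        signer.initSign( key );
        signer.update( challenge.getBytes( StandardCharsets.UTF_8 ) );
        return signer.sign();
    }

    public static void main( String[] args ) throws Exception {
        char[] password = "Sesame".toCharArray();                       // assumed
        KeyStore ks = KeyStore.getInstance( "JKS" );
        try ( InputStream in = new FileInputStream( System.getProperty( "user.home" ) + "/.keystore" ) ) {
            ks.load( in, password );                                     // path assumed
        }
        PrivateKey priv = (PrivateKey) ks.getKey( "mykey", password );   // alias assumed
        Site site = new Site( ks.getCertificate( "mykey" ) );

        // genuine login: fresh challenge, signed, verified
        String c1 = site.challenge();
        byte[] reply1 = sign( priv, c1 );
        System.out.println( "genuine login accepted?         " + site.login( c1, reply1 ) );

        // replay: a snooper who recorded c1 and reply1 sends them again; the challenge is already spent
        System.out.println( "replayed login accepted?        " + site.login( c1, reply1 ) );

        // splice: the recorded signature offered for a new challenge does not verify
        String c2 = site.challenge();
        System.out.println( "old signature on new challenge? " + site.login( c2, reply1 ) );

        // forgery: one flipped bit in a fresh signature and it no longer verifies
        String c3 = site.challenge();
        byte[] reply3 = sign( priv, c3 );
        reply3[ 0 ] ^= 1;
        System.out.println( "corrupted signature accepted?   " + site.login( c3, reply3 ) );
    }
}
```

Only the first login is accepted; the other three are refused, the replay by the nonce bookkeeping before any cryptography runs. Over a real network the challenge should also be bound to the session (for example by including the server name), otherwise a hostile site can relay your signed reply to a third site that issued the same challenge.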

Private Key Vs Public Key


There are two kinds of certificate files, ones that contain the private key and ones that don't. Often user cert files contain the private key. Sun style user certs never do. Authority certs never contain the authority's private key. You want to avoid passing your private keys around, even for phony certs. When you use a phony cert, you want just the public key installed as a signing authority in the various browsers that will use your signed code. The problem is, when you export and import keys, it is rarely clear whether the private key is being included. Internet Explorer is fairly good about keeping you informed and giving you the option to include or exclude the private key. Netscape and Opera keep you in the dark. The old Sun keytool never imports/exports private keys (since JDK 1.6, keytool -importkeystore can copy whole key entries from one keystore to another, but it still never prints a private key). There is no obvious tool that will tell you whether a given certificate file contains a private key; for keystores, keytool -list at least labels each entry as a PrivateKeyEntry or a trustedCertEntry. See my student project to rectify this problem. If you are passing a certificate to another machine to sign code with, then your exported/imported certificate must contain the private key, or you won't be able to sign code, just verify it.

Viewing: What Certificates Do You Already Have?


You already have many certificates installed on your computer. Some are part of the OS, some part of Java and some part of each browser. Some are public keys of signing authorities, some are your personal private key certificates. Here is how to have a look at what you already have.

Where To Look For Certificates (last revised/verified 2008-01-23)

Java: Java and the Java plug-in store your code signing certificates (with their private keys) in the .keystore file in your home directory, e.g. WINNT\Profiles\administrator\.keystore, and the verifying authority root certs (without private keys) in the cacerts file of each JRE and JDK:
   C:\Program Files\java\jre7\lib\security\cacerts in JRE 1.7.0
   J:\Program Files\java\jdk1.7.0\jre\lib\security\cacerts in JDK 1.7.0
   C:\Program Files\java\jre6\lib\security\cacerts in the older JRE 1.6.0
   J:\Program Files\java\jdk1.6.0_27\jre\lib\security\cacerts in the older JDK 1.6.0
Every JRE has its own cacerts; a root you install in one is not seen by the others. In Java version 1.3 the plug-in ignores the root certificates in the Microsoft CryptoAPI certificate database (the IE browser store). In 1.4 it looks only in cacerts. In 1.5 it optionally looks in the browser certificate database as well as cacerts. Use keytool (keytool -list -v -keystore cacerts; the default password is changeit) or keyman to view them.

Opera: Click Tools, Preferences, Advanced, Security, Manage certificates. Opera stores its certificates in opcert.dat and opacert.dat.

Firefox: Click Tools, Options, Advanced, Manage Certificates. Firefox stores its certificates in C:\Documents and Settings\administrator\Application Data\mozilla\firefox\Profiles\username\. When importing, make sure you import Java code-signing certs as website type.

SeaMonkey: Click Edit, Preferences, Privacy & Security, Certificates, Manage Certificates, Import.

IE 7 and IE 6: Click Tools, Internet Options, Content, Certificates. IE keeps its certificates in the Windows certificate stores (see Windows below). It exports them to *.pfx or *.p12 files. When you export from IE, you have the option of including the private key.

Windows: Click Start, Control Panel, Internet Options, Content, Certificates, and look under the Trusted Root Certificate Authorities tab. Windows hides its certificates in the registry, under the SystemCertificates keys of HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE; the certmgr.msc snap-in displays them.
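The keystore side of the Private Key Vs Public Key question above (which entries carry a private key and could sign, which are trusted certs that can only verify) and of viewing what a keystore holds, as an added example that is not code from the glossary. It assumes the file and password come from the command line and that *.p12/*.pfx files are PKCS #12 while anything else (.keystore, cacerts) is JKS, and that each key entry is locked with the store password.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/** Usage: java KeystoreInventory <keystore file> <password>   (file type guessed from the extension: an assumption) */
public class KeystoreInventory {

    static KeyStore open( String path, char[] password ) throws Exception {
        String lower = path.toLowerCase();
        String type = lower.endsWith( ".p12" ) || lower.endsWith( ".pfx" ) ? "PKCS12" : "JKS";
        KeyStore ks = KeyStore.getInstance( type );
        try ( InputStream in = new FileInputStream( path ) ) {
            ks.load( in, password );   // a wrong password, or a file of some other type, throws IOException here
        }
        return ks;
    }

    public static void main( String[] args ) throws Exception {
        char[] password = args[ 1 ].toCharArray();
        KeyStore ks = open( args[ 0 ], password );
        System.out.println( args[ 0 ] + " (" + ks.getType() + ") holds " + ks.size() + " entries" );
        for ( Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if ( ks.isKeyEntry( alias ) ) {
                // a key entry carries a private key plus its certificate chain, own certificate first
                Certificate[] chain = ks.getCertificateChain( alias );
                System.out.printf( "%-20s PRIVATE KEY + chain of %d cert(s): this entry can SIGN%n", alias, chain.length );
                try {
                    ks.getKey( alias, password );   // key password assumed equal to the store password
                    System.out.println( "    private key unlocks with the given password" );
                } catch ( UnrecoverableKeyException ex ) {
                    System.out.println( "    private key present but locked with a different password" );
                }
                for ( Certificate c : chain ) {
                    System.out.println( "    " + ( (X509Certificate) c ).getSubjectX500Principal() );
                }
            } else if ( ks.isCertificateEntry( alias ) ) {
                // a trusted-certificate entry has only a public key: it can VERIFY, never sign
                X509Certificate c = (X509Certificate) ks.getCertificate( alias );
                System.out.printf( "%-20s trusted cert only: %s (expires %s)%n",
                        alias, c.getSubjectX500Principal(), c.getNotAfter() );
            }
        }
    }
}
```

Run it over cacerts (password changeit) and every entry should come out as "trusted cert only"; run it over your .keystore and the alias you sign with should come out as a key entry whose chain ends in the authority's certificate. A copy of your keystore that shows only trusted certs for your alias is a copy that cannot sign.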

Windows

Cracking Security
There are plenty of indirect ways to crack the security provided by digital certificates:
1. Wait for the user to make an error, such as accidentally publishing his private key. The procedures to use security measures are still quite complicated and easily screwed up.
2. Put up a spoofing display that simply asks the user for passphrases. A dutiful user will mindlessly provide them.
3. The security systems in Windows9x and NT are made of swiss cheese. Crack them and replace crucial bits of code in browsers or signing tools.

Obscure Certificates
There is a third kind of certificate, legitimate like one from Thawte or Verisign, but with most of the hassle of a phony one. If you bought your certificate from a small signing authority company that almost no one has heard of, or used a free one, its root certificate would not be built in to Netscape or Internet Explorer. You would have to manually import either the signing authority root certificate or your certificate into every client's machine before your signed Applet would be recognised. This would be a major hassle if you are dealing with the general public. This problem even happens sometimes with mainstream companies. For example Thawte sold code-signing certificates in 2004-04, but the root certificate to verify them was not present in JDK 1.5 beta, or any of the browsers. It had to be manually installed, making using the certificate as clumsy as a phony self-signed certificate. Download the root certificate and install it in all the cacerts files on machines that use your application. Before you install it, compare its fingerprint (keytool -printcert -file root.cer) with the one the authority publishes; a root certificate is the one thing in the whole scheme you accept on faith, so it is the one thing worth checking out of band.
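What "manually installing the root" actually changes, as an added example that is not code from the glossary: the same certificate chain is run through Java's PKIX validator against cacerts before and after the authority's root is added, and the modified store is written to a new file rather than over the original. Assumptions (mine, not the page's): chain.pem holds your certificate followed by any intermediate certs, root.cer holds the authority's root, cacerts still has Sun's default password changeit, and the alias myobscureca is free.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/** Shows a chain being rejected, then accepted, once its root is in the trust store. File names are assumptions. */
public class InstallRoot {

    static final char[] CACERTS_PASSWORD = "changeit".toCharArray();   // Sun's default, assumed unchanged

    static List<X509Certificate> readCerts( String file ) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance( "X.509" );
        List<X509Certificate> out = new ArrayList<>();
        try ( InputStream in = new FileInputStream( file ) ) {
            for ( Certificate c : cf.generateCertificates( in ) ) {
                out.add( (X509Certificate) c );
            }
        }
        return out;
    }

    static KeyStore loadCacerts() throws Exception {
        File f = new File( System.getProperty( "java.home" ), "lib" + File.separator + "security" + File.separator + "cacerts" );
        KeyStore ks = KeyStore.getInstance( KeyStore.getDefaultType() );
        try ( InputStream in = new FileInputStream( f ) ) {
            ks.load( in, CACERTS_PASSWORD );
        }
        return ks;
    }

    /** The check a verifier makes: does this chain lead to a root in the trust store? */
    static String validate( List<X509Certificate> chain, KeyStore trust ) throws Exception {
        // the root belongs in the trust store, not in the path, so leave any self-signed cert out of the path
        List<X509Certificate> path = new ArrayList<>();
        for ( X509Certificate c : chain ) {
            if ( !c.getSubjectX500Principal().equals( c.getIssuerX500Principal() ) ) {
                path.add( c );
            }
        }
        CertPath certPath = CertificateFactory.getInstance( "X.509" ).generateCertPath( path );
        PKIXParameters params = new PKIXParameters( trust );   // every trustedCertEntry becomes a trust anchor
        params.setRevocationEnabled( false );                   // no CRL/OCSP lookup, like the plug-in of the day
        try {
            CertPathValidator.getInstance( "PKIX" ).validate( certPath, params );
            return "accepted";
        } catch ( CertPathValidatorException e ) {
            return "rejected (" + e.getMessage() + ")";
        }
    }

    public static void main( String[] args ) throws Exception {
        List<X509Certificate> chain = readCerts( "chain.pem" );     // assumed file
        X509Certificate root = readCerts( "root.cer" ).get( 0 );    // assumed file
        KeyStore cacerts = loadCacerts();

        System.out.println( "before installing root: " + validate( chain, cacerts ) );

        // the alias is only a label you will see in keytool -list; it must not collide with an existing one
        cacerts.setCertificateEntry( "myobscureca", root );
        System.out.println( "after installing root:  " + validate( chain, cacerts ) );

        try ( OutputStream out = new FileOutputStream( "cacerts.new" ) ) {
            cacerts.store( out, CACERTS_PASSWORD );
        }
        System.out.println( "wrote cacerts.new; copy it over lib/security/cacerts in every JRE that must trust "
                + root.getSubjectX500Principal() );
    }
}
```

keytool -import -trustcacerts -alias myobscureca -file root.cer -keystore cacerts does the same installation from the command line; the program makes the before/after difference visible. If the chain is already expired, the second run is still rejected, with a timestamp failure rather than a missing anchor, which is the other common reason a legitimate certificate "does not work".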

The Root Certificate Matching Problem Why Verisign Jar-Signing Certificates Were All But Useless.

Verisign jar-signing certificates were all but useless because of a bug in Netscape 4.79. This problem is now resolved, simply because all the offending certificates have expired. Verisign made a minor mistake that caused severe trouble. They issued several public root jar-signing certificates with the same public key, but different expiry dates. These were pre-installed in the major browsers. Unfortunately Netscape was not too bright about how to find the matching root signing authority certificate for a jar. It just took the first match on public key, ignoring the other fields that distinguish the certificates. This could cause it to pick the wrong root certificate and refuse to accept the jar. You could encourage it to find the correct one by removing the other Verisign root jar-signing certificates. However, if you did that, it would not be able to verify jars signed by other vendors. I suppose you could remove all but the most recent root Verisign jar-signing certificate and trust all vendors would soon upgrade their certificates. Other solutions: use Thawte certificates, which did not have the problem, or wait for Netscape to use improved matching logic.

How Netscape 4.79 Jar Signing Works Under the Hood


Jars may optionally be signed. For Netscape-style signing you will see two extra files in META-INF:
1. zigbert.rsa, which contains a stripped down version of your jar-signing certificate and the signature over zigbert.sf. It contains your public key, your company name, your certificate expiry date, your signing authority's public key, your signing authority's name, and your signing authority's expiry date. Your private key is not present. Your certificate is digitally signed with the signing authority's private key. By that I mean the checksum of your certificate is encrypted with the signing authority's private key. It can be decrypted with the signing authority's public key to verify the signature. The signing authority's public key (its root certificate) is pre-installed in the browser for that verification.
2. zigbert.sf, which looks much like a manifest file. It contains a digest for each member of the jar file (strictly, a digest of that member's entry in the manifest, which in turn holds the digest of the member's bytes). The digest of the whole zigbert.sf file is what gets encrypted with your certificate's private key; that encrypted value lives in zigbert.rsa and can be decrypted for verification with your certificate's public key. Netscape computes the digests a slightly different way from Sun.

How then does Netscape verify that a signed jar was indeed signed by you, unmolested since the signing, and vouched for by a trusted signing authority? I am not sure of the precise details and ordering, but roughly it works like this:
1. Netscape looks up the public key of the signing authority (from zigbert.rsa) in its list of valid authorities. If it can't find a matching authority root certificate, it rejects your jar.
2. Netscape checks that the names in your root certificate and the expiry date precisely match those it has on file.
3. Netscape computes the checksum of your certificate (from zigbert.rsa), and compares it with the one decrypted with the signing authority's public key. If they match, your certificate in the zigbert.rsa file is valid; if they don't, somebody has forged your certificate.
4. Netscape checks that the expiry dates of both your certificate and the backing root certificate have not lapsed.
5. Netscape, in theory, could optionally go to the signing authority's website and check that both the root certificate and your certificate have not been revoked. I don't think it does this routinely. If it did, it could challenge the website to prove its identity by asking it to sign some random string with the root authority's private key. If the signature checks out with the root authority's public key, Netscape knows it is talking to the authentic website, not some spoof site.
6. Netscape recomputes the checksums in the zigbert.sf file. It then decrypts the signature in zigbert.rsa using your certificate's public key and compares it with the digest of zigbert.sf. If they match, all is ok. If they don't, somebody has been tampering with the jar file.

How Java version 1.3 or later Jar Signing Works


I have done only a little experimenting with Sun's jar signing scheme that uses a policy file. The scheme strikes me as impractical since most end users will be incapable of maintaining policy files. It really only makes sense in a corporate environment with a system administrator who manages all policy files. For fine-grained privileges (bypassing the RSA ALL/NOTHING default), the end user must include:
   permission java.lang.RuntimePermission "usePolicy";
in their local policy file. There is no way with Java 1.4.1 security policy for you as the author of signed code to ask the user for specific privileges with your signed code. However, once the usePolicy is in place, applications may use the javax.security.auth.Subject.doAs() or javax.security.auth.Subject.doAsPrivileged() methods to request fine-grain privileges. It sounds hideously complicated, involving authenticated Subjects, Principals, AccessControllers, PermissionCollections and Permissions.


Make sure you don't inadvertently give the privilege of rewriting the policy file to a suspect program. Fine grain policies where you ask the user for permission are pointless because the user does not understand the questions. Further, the many questions just irritate him. (As I discovered with the old Netscape fine grain permissions.) I have little to say about it other than my documentation on how to use keytool. I asked in a newsgroup for an explanation of what AccessControllers were for. Hold your breath, here was the response:

The Java AccessController uses the set of ProtectionDomains on the call stack to implement permissions based on code bases (e.g., classes loaded from my local machine can read and write local files, but Applets loaded from the network can't). When you check for a permission, the AccessController examines each ProtectionDomain on the call stack in the AccessController, ensuring that the associated PermissionCollection for each such ProtectionDomain implies the requested permission. In other words, that the method's caller, or the caller of that method etc., have permission to do the naughty deed. You can attach a DomainCombiner to an AccessControlContext that you create (if you have permission to create an AccessControlContext), and then your DomainCombiner gets the opportunity (or responsibility) to touch/modify the set of ProtectionDomains before they are checked for the given permission. JAAS authorization is implemented this way, by attaching a javax.security.auth.SubjectDomainCombiner to the AccessControlContext created in javax.security.auth.Subject.doAs(); this SubjectDomainCombiner uses the JAAS policy object to add the subject's permissions into the permission set of each of the ProtectionDomains on the call stack.

Maybe you didn't really need a signed Applet after all.

RSA vs DSA
In the beginning, there were RSA-signed Applets using a proprietary Netscape jar-signing scheme. Then with JDK 1.2, they were replaced by Sun-style DSA-signed Applets. Then with Java version 1.3, they were augmented by RSA-signed Applets. Thawte now sells only RSA-style Java version 1.3 or later certificates. If you create a self-signed certificate and choose DSA, it will work on JDK 1.2+. If you create a self-signed RSA certificate, it will work only on Java version 1.3 or later. Pretty much all certificates are RSA now. Whether you choose DSA or RSA, the SHA-1 digests in the MANIFEST.MF manifest will be the same either way, as will the digests in the *.SF file. The SHA-1 digests in MANIFEST.MF don't match those in the *.SF file because they are digests of different things: MANIFEST.MF holds the digest of each jar member's bytes, whereas the *.SF file holds the digest of each member's section of MANIFEST.MF, plus a digest of the manifest as a whole. The verifier checks both, so tampering with either a member or its manifest entry is caught. The only thing that literally gets digitally signed (its digest encrypted with the private key) is the *.SF file as a whole. If you choose DSA, then that signature and your public key certificate will appear in a *.DSA member of the jar. If you choose RSA, they will appear in a *.RSA member. Either one is a PKCS #7 signature block.
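The verification steps of the two sections above (the Netscape 4.79 walk-through and the Sun MANIFEST.MF / *.SF / *.RSA layout) as Java does them, in an added example that is not code from the glossary. JarFile in verifying mode checks each member against its MANIFEST.MF digest and the manifest against the *.SF and *.RSA/*.DSA files while you read; the program collects the signer of each member, recomputes one layer by hand (the member-bytes digest that MANIFEST.MF holds) to show where that value comes from, and lists members that carry no signature at all. The jar name on the command line and Java 8 or later are the only assumptions.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Enumeration;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import java.util.TreeSet;
import java.util.jar.Attributes;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.Manifest;

/** Usage: java JarSigners signed.jar */
public class JarSigners {

    /** Recomputes the digest MANIFEST.MF holds for one member from the member's bytes and compares. */
    static boolean manifestDigestMatches( JarFile jar, JarEntry entry, Manifest mf ) throws Exception {
        Attributes attrs = mf.getAttributes( entry.getName() );
        if ( attrs == null ) return false;                        // member not listed in the manifest: unsigned
        for ( Object key : attrs.keySet() ) {
            String name = key.toString();                        // e.g. SHA-256-Digest or SHA1-Digest
            if ( !name.endsWith( "-Digest" ) ) continue;
            MessageDigest md = MessageDigest.getInstance( name.substring( 0, name.length() - "-Digest".length() ) );
            try ( InputStream in = jar.getInputStream( entry ) ) {
                byte[] buf = new byte[ 8192 ];
                for ( int n; ( n = in.read( buf ) ) != -1; ) md.update( buf, 0, n );
            }
            return Base64.getEncoder().encodeToString( md.digest() ).equals( attrs.getValue( name ) );
        }
        return false;
    }

    public static void main( String[] args ) throws Exception {
        try ( JarFile jar = new JarFile( args[ 0 ], true ) ) {     // true: verify signatures while reading
            Manifest mf = jar.getManifest();
            Map<String, TreeSet<String>> signers = new TreeMap<>();
            List<String> unsigned = new ArrayList<>();
            for ( Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements(); ) {
                JarEntry entry = e.nextElement();
                String name = entry.getName();
                if ( entry.isDirectory() ) continue;
                if ( name.startsWith( "META-INF/" ) ) {
                    if ( name.endsWith( ".SF" ) || name.endsWith( ".RSA" ) || name.endsWith( ".DSA" ) )
                        System.out.println( "signature file: " + name );
                    continue;
                }
                // signers are only known once the member has been read to the end; a member whose
                // bytes no longer match its manifest digest makes the read throw SecurityException
                try ( InputStream in = jar.getInputStream( entry ) ) {
                    byte[] buf = new byte[ 8192 ];
                    while ( in.read( buf ) != -1 ) { /* drain */ }
                }
                CodeSigner[] cs = entry.getCodeSigners();
                if ( cs == null ) { unsigned.add( name ); continue; }
                for ( CodeSigner s : cs ) {
                    X509Certificate leaf = (X509Certificate) s.getSignerCertPath().getCertificates().get( 0 );
                    signers.computeIfAbsent( name, k -> new TreeSet<>() ).add( leaf.getSubjectX500Principal().getName() );
                }
                if ( !manifestDigestMatches( jar, entry, mf ) )
                    System.out.println( "digest in MANIFEST.MF does not match member bytes: " + name );
            }
            for ( Map.Entry<String, TreeSet<String>> me : signers.entrySet() )
                System.out.println( me.getKey() + " signed by " + me.getValue() );
            // members added after signing carry no signature: a "signed" jar can still smuggle unsigned code
            for ( String u : unsigned ) System.out.println( "UNSIGNED: " + u );
        }
    }
}
```

JarFile proves that the jar is intact and signed by the holder of some certificate; whether that certificate chains to a root you trust is a separate PKIX check against cacerts (the validate step shown under Obscure Certificates, fed with the CodeSigner's certificate path). The unsigned list is the one to read first: the plug-in treats a jar with any unsigned member as unsigned.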

Manipulating Certificates
You can manipulate certificates directly with Java. Here is an example of how you would extract the public key from a PKCS #12 file (the certificate plus private key that IE or Netscape exported as *.p12):

   import java.io.FileInputStream;
   import java.io.InputStream;
   import java.security.KeyStore;
   import java.security.PublicKey;
   import java.security.cert.Certificate;

   KeyStore ks = KeyStore.getInstance( "PKCS12" );
   // for security, KeyStore wants the password as a char[] so you can wipe it afterwards
   char[] password = "Sesame".toCharArray();
   try ( InputStream in = new FileInputStream( "yourcert.p12" ) )
      {
      ks.load( in, password );
      }
   // "thecert" is the alias (friendly name) the entry was saved under; keytool -list shows the aliases
   Certificate c = ks.getCertificate( "thecert" );
   PublicKey p = c.getPublicKey();

To do the equivalent with the .keystore file use .getInstance( "JKS" ) instead of .getInstance( "PKCS12" ). With either type, ks.getKey( "thecert", password ) gives you the private key behind the same alias, which is what you need in order to sign rather than merely verify.

Certificate Expiry
According to Thawte, you can buy a code-signing certificate from them valid for one or two years. You can sign code for one or two years, then the certificate stops working. However, the code you sign stays valid for up to ten years. What makes a signature outlive its certificate is a trusted timestamp: sign with jarsigner -tsa <timestamp authority URL> and the timestamp authority countersigns the time of signing, so a verifier checks your certificate against the date you signed rather than today's date. Without a timestamp, once the certificate expires jarsigner -verify warns that the signer certificate has expired and the plug-in warns the user. jarsigner has no -expiry option; how long a timestamped signature remains verifiable depends on the timestamp authority's own certificate, not on a choice you make at signing time.

Learning More
See IBM Redbook Java 2 Network Security for notes on how to create your own certificates (you as issuing authority), for Netscape, IE, and Java 2.


Oracle's Javadoc on HttpsURLConnection.getServerCertificates(): gets you an array of Certificates starting with the certificate for the host, followed by the chain of authorities. HttpsURLConnection is the subclass of HttpURLConnection that URL.openConnection returns for https URLs. Available on the web at Oracle.com in the JDK 1.7.0 documentation. Oracle's Technote Guide on Certificates: available on the web at Oracle.com in the JDK 1.7.0 documentation.

There are some noticeable gaps in Sun's security classes. You can't produce an X.509 certificate, for example (keytool can, but there is no public API for it). The BouncyCastle classes often come to the rescue.

recommend book: Digital Certificates: Applied Internet Security, paperback, ISBN13: 978-0-201-30980-5, publisher: Addison-Wesley, published: 1998-10-09, by Jalal Feghhi, Jalil Feghhi, Peter Williams. The main thing wrong with this book is its age. It is a surprisingly easy to follow book. The JCE itself is daunting, but this book tames it with lots of code examples and an informal style. Consider this book an introduction to the JCE, not the final authority on high security. The end of the book degenerates into a bit of a sales pitch for the authors' employer, Verisign, showing you the Verisign way of doing business. The book is inconsistent in its intended audience. For example, the S/MIME section seems aimed at the JCE for dummies crowd. Yet near the end of the book, the authors throw an alphabet soup of undefined terminology at you as if you were a roomful of Verisign techies.
