On 02/04/2014 13:34, [email protected] wrote:
> Dear Rob,
> thanks a lot for your response. I had a look at the example and it seems
> it describes the use of a self-signed certificate
No, the example explains how to:
1) Create your own CA using openssl
2) Import the CA certificate (not the private key) inside a keystore.
3) Use java "keytool" to create a couple of keys inside the keystore,
and a CSR (Certification Signing Request) for the public key.
4) Use openssl to sign that CSR with the CA, generating a suitable
codesign cert.
5) Import the generated codesign certificate into the keystore.
The keystore can then be used for signing java code (we use an ant task
for this, as well as openmeetings)
> (couldn't figure out
> where a third party issues or verifies the certificate used for
> signing).
They cannot, if they don't trust your CA. If you want the certificate to
be trusted, you have to have the signing certificate signed and
generated by a Certification Authority trusted by your java environment.
If you control the target environment, it's a matter of importing the CA
(into the user environment) using the control panel applet or issuing a
"keytool -import" towards the JVM-wide cacerts keystore.
> This already works in standard OM(2/3). What I need are
> instructions on how to use an existing (trusted and verified class 2
> server-)certificate for code signing.
You can't. An SSL Server certificate ordinarily cannot be used for code
signing.
> It seems our OM/build.xml setup is
> correct (incl. the keystore) as we get the following error message:
> "This jar contains entries whose signer certificate's ExtendedKeyUsage
> extension doesn't allow code signing."
Exactly. You need an ExtendedKeyUsage of "objsign" for that. It is
normally not included in SSL Server certificates.
See the line:
nsCertType = client, email, objsign
in the openssl.conf inside my howto.
> Doing some research, this points to a limitation of the
> (server-)certificate, which might not be used for code signing.
Absolutely.
> It seems
> some server certificates can do the signing and some not. Confusing!!!
Yes. Certification Authorities sell different Certs, with different
pricing, for that.
rob
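The openssl part of the procedure described in this thread (own CA, CSR, CA-signed leaf), as an added example that is not rob's howto and not OpenMeetings code: it issues one leaf with the serverAuth EKU, like an SSL server certificate, and one with the codeSigning EKU, and checks which of the two carries the extension the jarsigner error above complains about. Names, paths and the config section names are assumptions made up for the demo; the keytool steps (2, 3 and 5 in the list) are left out since they only move the same keys and certificates into a JKS.

```shell
#!/bin/sh
# Added demo (assumed names/paths): a private CA signs a "server" cert (EKU serverAuth)
# and a "signer" cert (EKU codeSigning); only the latter passes the ExtendedKeyUsage
# check that jarsigner applies. Everything is written to a temporary directory.
set -e
WORK="${WORK:-$(mktemp -d)}"
cat > "$WORK/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = overridden-by-subj
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ server ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
[ codesign ]
basicConstraints = CA:FALSE
extendedKeyUsage = codeSigning
nsCertType = objsign
EOF
# Step 1: our own CA (self-signed, CA:TRUE, keyCertSign).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj '/CN=Demo Private CA' \
    -config "$WORK/demo.cnf" -extensions v3_ca \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}
# Steps 3-4: key + CSR for NAME (keytool -genkeypair/-certreq would give the same
# CSR from a JKS), then the CA signs it using extension section SECTION.
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" -config "$WORK/demo.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/$1.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/demo.cnf" \
    -extensions "$2" -out "$WORK/$1.crt" 2>/dev/null
}
# Echo 1 if CERT carries the Code Signing EKU, else 0.
has_codesign_eku() {
  if openssl x509 -in "$1" -noout -text | grep -q 'Code Signing'; then echo 1; else echo 0; fi
}
# Echo 1 if CERT chains to our CA, else 0.
chain_ok() {
  if openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; then echo 1; else echo 0; fi
}
make_ca; issue server server; issue signer codesign
echo "server cert ok for code signing: $(has_codesign_eku "$WORK/server.crt")"
echo "signer cert ok for code signing: $(has_codesign_eku "$WORK/signer.crt")"
echo "signer cert chains to the CA:    $(chain_ok "$WORK/signer.crt")"
```

Importing "$WORK/ca.crt" with "keytool -import" into the JVM's cacerts, as described above, is what makes the signer cert trusted on a machine you control.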