Alicia da Conceicao wrote:
> 
> Greetings:
> 
> I am currently developing a number of Java applets for Netscape which
> require special permissions to do things like write files, which violate
> Netscape's Java security model.  To that end, I need to create signed
> jar files, using a developer certificate.
> 
> Unfortunately, I do not know what the difference is, between a user
> certificate, and a Netscape developer certificate, since I don't know
> how to extract developer certificates from signed jar files.  Does
> anyone have a Netscape developer certificate I can look at?  I would
> like to run "x509 -text" on it to see what x509 fields are being used.
> 
> In addition, can I use any open source product, like openssl, to sign
> Java jar files for use in a Netscape browser?  If no open source
> product is available for jar signing, are there any non-open-source
> products that I can use for NetBSD (most preferred), FreeBSD, OpenBSD,
> or Linux, all on ix86 hardware?
> 
> Although I am quite adept at creating and using user and server
> certificates, I have no experience at creating and using Netscape
> developer certificates.  I would greatly appreciate any help on this
> matter.
> 
> Once I have mastered developer certs, issued from my own private CA,
> I then plan to buy commercial Netscape developer certs (likely from
> Thawte), to sign my java for mass distribution.
> 
> Thanks in advance.  Sincerely, Alicia.
> 

I have done this myself and it's not particularly difficult.

There is some info in my PKCS#12 FAQ about creating NS JAR signing
certificates. Basically they just have the 'object signing' bit set in
the end user certificate.

In the current release OpenSSL and the older SSLeay this can be done
with a line:

nsCertType = 0x10

(or 0xb0 if you want S/MIME and SSL client authentication as well) in
the config file (ssleay.cnf or openssl.cnf for OpenSSL).

The latest CVS snapshot OpenSSL is less cryptic:

nsCertType = objsign

or

nsCertType = objsign, client, email

will do. When you then use 'ca' to sign a request the new values will be
added to the certificate and it should be usable for object signing.

Netscape does have its own signtool which runs on a variety of
platforms, I've tried it under Win32 and Linux. It's not open source due
to US export laws. It is free to use and can be downloaded from NS site.

Steve.
-- 
Dr Stephen N. Henson. UK based freelance Cryptographic Consultant. 
For info see homepage at http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED]
NOTE NEW (13/12/98) PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
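
Added example (not part of the message above, and not OpenSSL's own code): how the numeric nsCertType values 0x10 and 0xb0 map onto the symbolic keywords, and how the value is laid out as a DER BIT STRING inside the certificate extension, so a certificate can be checked for the object signing bit. The function names are hypothetical; the keywords other than objsign, client and email are OpenSSL's names for the remaining Netscape cert-type bits.

```python
# Added example. Bit values are the Netscape cert-type flags; names are the
# OpenSSL nsCertType keywords (objsign, client, email appear in the post).
NS_BITS = [(0x80, "client"), (0x40, "server"), (0x20, "email"),
           (0x10, "objsign"), (0x08, "reserved"), (0x04, "sslCA"),
           (0x02, "emailCA"), (0x01, "objCA")]

def names_from_mask(mask):
    """Numeric form to keyword list, e.g. the 0xb0 from the post."""
    if not 0 <= mask <= 0xFF:
        raise ValueError("nsCertType is a single byte")
    return [name for bit, name in NS_BITS if mask & bit]

def mask_from_names(spec):
    """Keyword form ('objsign, client, email') to the numeric form."""
    lookup = {name: bit for bit, name in NS_BITS}
    mask = 0
    for word in spec.split(","):
        key = word.strip()
        if key not in lookup:
            raise ValueError("unknown nsCertType keyword: %r" % key)
        mask |= lookup[key]
    return mask

def encode_ext_value(mask):
    """DER BIT STRING as stored in the extension: tag, length, unused bits, byte."""
    names_from_mask(mask)  # range check only
    if mask == 0:
        return b"\x03\x01\x00"
    unused = (mask & -mask).bit_length() - 1  # trailing zero bits are dropped
    return bytes([0x03, 0x02, unused, mask])

def decode_ext_value(der):
    """Parse the extension value back to the numeric mask, rejecting bad input."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed DER BIT STRING")
    unused, body = der[2], der[3:]
    if unused > 7 or len(body) > 1 or (not body and unused):
        raise ValueError("unexpected nsCertType encoding")
    mask = body[0] if body else 0
    if mask & ((1 << unused) - 1):
        raise ValueError("padding bits are not zero")
    return mask

def allows_object_signing(der):
    """True when the 'object signing' bit (0x10) is set."""
    return bool(decode_ext_value(der) & 0x10)
```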
