I bought a COMODO code signing certificate and used it to sign my Java Web Start application.
Main question: Is that COMODO code signing certificate even supported by Java 8?
More info:
On all machines except my own, Java blocks the application, saying it uses a self-signed certificate.
I don't even understand why it works on my machine. I looked at the list of trusted certification roots in the Java Control Panel (1.8.0_45-b15), but I cannot find the "COMODO RSA Certification Authority" there.
I do see that certificate in the Windows MMC certificate snap-in under "Trusted Root Certification Authorities". But on at least 3 other machines it does not exist.
I finally solved it - here is the story:
When I bought the certificate, I had to collect it by navigating to a website address that I received by email. There, the certificate was automatically installed into the truststore of my browser (Firefox).
I then exported it from Firefox (Options - Advanced - View Certificates - Your Certificates - Backup button).
What I didn't realize at the time was that Firefox, unlike Java and Windows, has the "COMODO RSA Certification Authority" as a built-in token.
What I also didn't know at the time was that the Firefox certificate export seems to only include the certificate chain up to the first trusted authority, in this case the "COMODO RSA Certification Authority".
From this COMODO support site I learned that the chain should actually go one higher, all the way up to "AddTrust External CA Root".
That sounded much more promising, because the AddTrust certificate is actually included in Oracle's Java 8 cacerts truststore, which is responsible for verifying the jar during Java Web Start.
The next thing I did was import the *.p12 file I got from Firefox into the Windows certificate manager (Start - certmgr.msc), because for some reason I thought this was the way to convert *.p12 to *.pfx (although now I know that both extensions are used for the same PKCS12 keystore format). Anyway, during the import this question popped up:
Here I made the critical mistake: I clicked yes. This caused the "COMODO RSA Certification Authority" to be installed in the Windows truststore as a "Trusted Root Certificate" (by the way, only visible after I restarted certmgr.msc).
My code signing certificate was installed in "Personal/Certificates". I exported it from there (Action - All tasks - Export...), and marked "Include all certificates in the certification path if possible".
Now the exact same thing happened as when I exported from Firefox. Since Windows now had "COMODO RSA Certification Authority" installed as a trusted root certificate, it only included the chain up to this one. This is what I got after the export:
And now for the genius move, which I stumbled upon by pure chance: I deleted the "COMODO RSA Certification Authority" from the Windows certificate manager. Now, when I double-clicked my code signing certificate, the displayed chain suddenly looked different.
I admit I got a small adrenaline rush when I saw this. I exported again (exact same settings as before).
And indeed, after I signed my application with this exported certificate, Java Web Start accepts it.
UPDATE: This was a JRE release bug. Comodo's new CA certs were added to the default keystore in Java 8u51.
An answer to another question, which, while somewhat out of place there, seems very on topic here:
You can tell if a CA's certs will work for Java code-signing by examining the Java cacerts file, which lists all the CAs known to Java. If their cert is in this file, then Java will not complain about the signed code. If it isn't, then it will warn the users. For example:
root@girflet:~# keytool -list -keystore /usr/lib/jvm/java-6-sun-1.6.0.15/jre/lib/security/cacerts | grep comodo
Enter keystore password: changeit
comodoaaaca, 02-May-2006, trustedCertEntry,
Note that I had to enter the default keystore password, changeit.
This command should work on Windows as well, although you'll have to change the path to the cacerts file and you won't have grep. Use more instead and page through until you find or don't find what you're looking for.
As of today, Comodo is in the cacerts file, and startssl aren't. So a startssl cert wouldn't be much good for Java code.
Source: https://stackoverflow.com/a/1906679/154527
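Both the chain-export story in the accepted answer and the keytool check in the quoted answer come down to one question: does the signer chain embedded in the jar reach a certificate that is present in the JRE's cacerts? The program below is an added example, not code from any of the answers. It reads the signer chain out of a signed jar, walks it leaf to top, and reports either the cacerts entry that anchors it or the point where the chain stops short (the situation the asker hit when the export stopped at "COMODO RSA Certification Authority"). It assumes the default cacerts password `changeit`, a single signer per jar, and the cacerts location under `java.home` that Java 8 uses; the class name ChainCheck is my own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Added diagnostic (not from the thread): read the signer chain embedded in a
 * signed jar and report whether it reaches a certificate in the JRE's cacerts.
 * Usage: java ChainCheck signed-app.jar [path/to/cacerts]
 * Assumes the default cacerts password "changeit" and one signer per jar.
 */
public class ChainCheck {

    public static void main(String[] args) throws Exception {
        // Web Start verifies against the running JRE's own cacerts (java.home is the jre dir on Java 8).
        String cacertsPath = args.length > 1 ? args[1]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        KeyStore cacerts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(cacertsPath)) {
            cacerts.load(in, "changeit".toCharArray());   // assumption: default password
        }

        List<X509Certificate> chain = signerChain(args[0]);
        if (chain.isEmpty()) {
            System.out.println("no signed entries found: jar is unsigned");
            System.exit(1);
        }

        // Walk leaf -> top. Java is satisfied as soon as some cert in the chain,
        // or the issuer of some cert in the chain, is present in cacerts.
        for (int i = 0; i < chain.size(); i++) {
            X509Certificate cert = chain.get(i);
            System.out.println("[" + i + "] " + cert.getSubjectX500Principal().getName());
            String alias = cacerts.getCertificateAlias(cert);
            if (alias != null) {
                System.out.println("    is itself in cacerts as '" + alias + "': chain is trusted");
                return;
            }
            alias = findIssuerIn(cacerts, cert);
            if (alias != null) {
                System.out.println("    issued by cacerts entry '" + alias + "': chain is trusted");
                return;
            }
        }

        // Nothing matched: this is what Web Start reports as a "self signed" certificate.
        X509Certificate top = chain.get(chain.size() - 1);
        if (top.getSubjectX500Principal().equals(top.getIssuerX500Principal())) {
            System.out.println("chain ends in a self-signed root that is not in cacerts");
        } else {
            System.out.println("chain stops at '" + top.getSubjectX500Principal().getName()
                    + "' whose issuer '" + top.getIssuerX500Principal().getName()
                    + "' is neither in the jar's chain nor in cacerts;"
                    + " re-export the chain so that it includes that issuer");
        }
        System.exit(1);
    }

    /** Signer chain (leaf first) of the first signed entry outside META-INF. */
    static List<X509Certificate> signerChain(String jarPath) throws Exception {
        try (JarFile jar = new JarFile(jarPath, true)) {      // true = verify signatures
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) {
                    continue;
                }
                // Signers are only populated after the entry has been read to the end.
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    continue;
                }
                List<X509Certificate> chain = new ArrayList<>();
                for (Certificate c : signers[0].getSignerCertPath().getCertificates()) {
                    chain.add((X509Certificate) c);
                }
                return chain;
            }
        }
        return Collections.emptyList();
    }

    /** Alias of the cacerts entry whose key actually signed cert, or null. */
    static String findIssuerIn(KeyStore ks, X509Certificate cert) throws Exception {
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue;
            }
            X509Certificate ca = (X509Certificate) c;
            // A matching subject name is not enough: cross-signed roots share a
            // name with different keys, so check the signature as well.
            if (!ca.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
                continue;
            }
            try {
                cert.verify(ca.getPublicKey());
                return alias;
            } catch (Exception e) {
                // same name, different key: keep looking
            }
        }
        return null;
    }
}
```

Compile with `javac ChainCheck.java` and run it with the JRE that will launch the application (`java ChainCheck signed-app.jar`), since each JRE ships its own cacerts; a chain that is fine on a machine where the root was added to cacerts by hand will still stop short on a stock 8u45. The signature check in findIssuerIn matters for exactly this thread's case: Comodo's roots and cross-certificates share subject names, and matching on the name alone would accept a chain Java itself would reject.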
I can give you a conditional answer.
On one of the computers that doesn't like your certificate, go to http://jonathancrosmer.com/software/invadeearth/ and click Invade Earth.
This program uses a Comodo certificate. I built it against Java 7, but if your computer has only a Java 8 runtime it should still work.
1. If you get the same warning, you know it is a Java 8 issue.
2. Otherwise, you know something is wrong with your certificate.
Either way, you'll probably want to get a refund from your certificate issuer, since they advertise that their certificate is trusted by Java.