Best Certificate Authority for Jar file signing in Oracle E-Business Suite

Dec 9, 2013 / By Vasu Balla


Most of you are already aware of the recent announcement on Steven Chan’s blog about new JRE requirements that require EBS JAR files to be signed with a code signing certificate. This requirement came in because Oracle is tightening security around Java, which is one of the most widely exploited pieces of software by viruses and malware bots.

First, note that code signing certificates are different from the SSL certificates used for web URLs. Code signing certificates are used to sign files such as Java JAR files, Windows kernel drivers, Windows program installation EXEs and ActiveX controls. An SSL certificate verifies a web host and establishes a secure connection to it, whereas a code signing certificate lets users identify who published a piece of software. One might wonder why Oracle doesn’t ship signed JAR files by default. Unfortunately Oracle cannot do that: any Java code-related patch would overwrite them and require a new set of signed JAR files.

Let’s come back to the topic of this post: which certificate authority is the best one to buy a code signing certificate from? The technology behind a $500 VeriSign certificate and a $70 Comodo certificate is the same. The $500 certificate doesn’t do any extra magic; it might offer you some liability assurance, but the technology is the same.

I looked around and found that certificates from StartSSL.com are the cheapest, at around $59. Unfortunately, we cannot use them for JAR signing, as their root certificate is not yet included in the cacerts keystore shipped with the JRE. The StartSSL root is included in Windows 7, but not yet in Java. To use StartSSL certificates with Java, we would first have to import their root into the Java cacerts keystore by hand, a manual process you are better off avoiding. You can list all the certificate authorities included in Java with the command below.

$ pwd
/home/oracle/jre1.7.0_45/bin
$ ./keytool -list -keystore ../lib/security/cacerts -v | grep Issuer:
Enter keystore password: changeit

I went back to my search to find the least expensive option whose root is already included in the Java cacerts keystore. COMODO code signing certificates seem to be the cheapest available; they can be picked up from this reseller store for about $80 a year. Going with a root certificate that is already in the Java cacerts file avoids having to manually import root certificates into Java on the server and into the JRE on every client machine.

So COMODO seems to be the winner here! For about $400 per 5 years, you get a certificate that you can use in all your prod and dev/test environments. I am also working on steps to set up an internal Certificate Authority that you can use to sign JAR files for free, which is useful for demo/lab environments where the user population is much smaller. I am currently working on resolving the error below:

com.sun.deploy.security.RevocationChecker$StatusUnknownException: Certificate does not specify OCSP responder
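The error above is raised when the JRE finds no OCSP responder in the signing certificate's AuthorityInfoAccess (AIA) extension, which is where it looks for the revocation service. As an added illustration that is not part of the original post, the following Python walker parses a DER-encoded AIA extension value and lists the OCSP URIs it names; the sample extension values and their example.test URLs are constructed for this example, not taken from any real certificate.

```python
# Minimal DER walker for the AuthorityInfoAccess (AIA) extension value (OID 1.3.6.1.5.5.7.1.1),
# where the JRE's RevocationChecker looks for the OCSP responder the post's error complains about.

OID_OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode DER OID contents into dotted form (multi-byte arcs supported)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def ocsp_responders(aia_der):
    """Return every OCSP URI named in a DER-encoded AIA extension value."""
    tag, seq, _ = _read_tlv(aia_der, 0)
    if tag != 0x30:
        raise ValueError("AIA value must be a SEQUENCE OF AccessDescription")
    uris, pos = [], 0
    while pos < len(seq):
        _, desc, pos = _read_tlv(seq, pos)        # AccessDescription ::= SEQUENCE
        _, oid, p = _read_tlv(desc, 0)            # accessMethod OID
        loc_tag, loc, _ = _read_tlv(desc, p)      # accessLocation GeneralName
        if _decode_oid(oid) == OID_OCSP and loc_tag == 0x86:  # [6] uniformResourceIdentifier
            uris.append(loc.decode("ascii"))
    return uris

# --- constructed sample extension values (not taken from any real certificate) ---
def _der(tag, content):  # short-form lengths only, enough for these samples
    return bytes([tag, len(content)]) + content
def _oid(dotted):  # every arc used here is < 128, so one byte per arc
    arcs = [int(a) for a in dotted.split(".")]
    return _der(0x06, bytes([arcs[0] * 40 + arcs[1]] + arcs[2:]))
def _access(method, uri):
    return _der(0x30, _oid(method) + _der(0x86, uri.encode("ascii")))

# Public-CA style (OCSP plus caIssuers) versus the post's in-house-CA style (caIssuers only).
AIA_WITH_OCSP = _der(0x30, _access(OID_OCSP, "http://ocsp.example.test")
                     + _access(OID_CA_ISSUERS, "http://crt.example.test/ca.crt"))
AIA_WITHOUT_OCSP = _der(0x30, _access(OID_CA_ISSUERS, "http://crt.example.test/ca.crt"))
```

Feed it the raw extension value (the OCTET STRING contents of the AIA extension) taken from a certificate; an empty result is exactly the condition behind the StatusUnknownException above, so an in-house CA that issues JAR signing certificates needs to populate this entry.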

See you in my next blog post! Happy Holidays!

3 Responses to “Best Certificate Authority for Jar file signing in Oracle E-Business Suite”

  • Richard says:

    Vasu,

    I enjoyed your post, which I stumbled upon while researching the error you mention at the end:

    com.sun.deploy.security.RevocationChecker$StatusUnknownException: Certificate does not specify OCSP responder

    I have gone through the process in MOS 1591073.1 for getting an in-house certificate (we have a certificate server in house) and the steps involved in importing the certificate both to the Oracle applications and to the client machine.

    Do you know if there is a step that is being missed in the creation of the in-house certificate where the OCSP responder value should be? I did not create the certificate, I am just the DBA.

    Any assistance or advice would be greatly appreciated.

    Thanks!

    Richard

  • Lev says:

    It was a pain to work 3 days on Synology NAS File Station, which uses Java, to get rid of this annoying security warning before I realized that Java simply doesn’t trust StartSSL certs. Very sad, as I have already bought it for 2 years.
