Best Certificate Authority for Jar file signing in Oracle E-Business Suite

Dec 9, 2013 / By Vasu Balla


Most of you are already aware of the recent announcement on Steven Chan’s blog about new JRE requirements that require EBS JAR files to be signed with a code signing certificate. This requirement came in as Oracle is tightening up security around Java. Java is one of the most widely exploited pieces of software by viruses and malware bots.

First, note that code signing certificates are different from the SSL certificates used for web URLs. Code signing certificates are used to sign files such as Java JAR files, Windows kernel drivers, Windows program installation EXEs and ActiveX files. SSL certificates verify a web host and establish a secure connection to it, whereas code signing certificates help users identify where a piece of software comes from. One might wonder why Oracle doesn’t ship signed JAR files by default. Unfortunately Oracle cannot do that, as any Java code-related patch will overwrite them and will require a new set of signed JAR files.

Let’s come back to the topic of this blog: which certificate authority is the best one to buy the code signing certificate from? The technology behind a Verisign $500 cert and a Comodo $70 certificate is the same. The $500 certificate doesn’t do any extra magic. It might offer you some liability assurance, but the technology is the same.

I looked around and found that certs from StartSSL are the cheapest, costing around $59. Unfortunately, we cannot use them for JAR signing, as their root certificate is not yet included in the cacerts file shipped with the JRE. StartSSL certs are included in Windows 7, but not yet in Java. To use StartSSL certs with Java, we would first need to import them into the Java cacerts, a manual process that is better avoided. You can list all certificate authorities included in Java with the command below.

$ pwd

$ ./keytool -list -keystore ../lib/security/cacerts -v |grep Issuer:
Enter keystore password: changeit

I went on with my search to find the least expensive option whose root is already included in the Java cacerts. COMODO code signing certificates seem to be the cheapest available; they can be picked up from this reseller store for about $80 a year. Going with a root certificate that is already included in the Java cacerts file avoids the need to manually import the root certificate into Java on the server as well as into the JRE on all client machines.

So COMODO seems to be the winner here! For about $400 per 5 years, you can get a certificate that you can use in all your prod and dev/test environments. I am also working on steps to set up an internal Certificate Authority that you can use to sign the JAR files for free, which is useful for demo/lab environments where the user population is much smaller. I am currently working on resolving the error below:

$StatusUnknownException: Certificate does not specify OCSP responder
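The two checks discussed above (is the CA's root among the issuers in the Java cacerts, and does the signing certificate name an OCSP responder at all) can be run against saved `keytool -list -v -keystore ../lib/security/cacerts` and `keytool -printcert -file <cert>` output. This is an added example, not part of the original post: the function names are hypothetical, the sample text is constructed, and the AuthorityInfoAccess layout is assumed to match keytool's text output.

```shell
# Added example. All sample text is constructed; names and URLs are placeholders.

# issuer_trusted LIST_FILE NAME: succeeds if an "Issuer:" line of the saved
# `keytool -list -v` output contains NAME (case-insensitive fixed string).
issuer_trusted() { grep 'Issuer:' "$1" | grep -qiF -- "$2"; }

# ocsp_urls CERT_FILE: prints each OCSP responder URL that the saved
# `keytool -printcert` output lists under AuthorityInfoAccess.
ocsp_urls() {
    awk '/accessMethod: ocsp/ { want = 1; next }
         want && /accessLocation: URIName:/ { print $NF; want = 0 }' "$1"
}

# preflight LIST_FILE NAME CERT_FILE: prints a one-line verdict and returns
# non-zero when the root is absent or no OCSP responder is specified.
preflight() {
    root=absent; issuer_trusted "$1" "$2" && root=present
    ocsp=$(ocsp_urls "$3" | head -n 1)
    echo "root=$root ocsp=${ocsp:-none}"
    [ "$root" = present ] && [ -n "$ocsp" ]
}

SAMPLES=$(mktemp -d)
cat > "$SAMPLES/cacerts.txt" <<'EOF'
Alias name: examplepublicroot
Owner: CN=Example Public Root CA, O=Example Trust, C=US
Issuer: CN=Example Public Root CA, O=Example Trust, C=US
EOF
cat > "$SAMPLES/public.txt" <<'EOF'
Owner: CN=EBS Code Signing, O=Example Corp, C=US
Issuer: CN=Example Public Code Signing CA, O=Example Trust, C=US
#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.example.test
]
]
EOF
cat > "$SAMPLES/inhouse.txt" <<'EOF'
Owner: CN=EBS Code Signing, O=Example Corp, C=US
Issuer: CN=Example In-House CA, O=Example Corp, C=US
KeyUsage [
  DigitalSignature
]
EOF
preflight "$SAMPLES/cacerts.txt" "Example Public Root CA" "$SAMPLES/public.txt"
preflight "$SAMPLES/cacerts.txt" "Example In-House CA" "$SAMPLES/inhouse.txt" || true
```

NAME is the root CA at the top of the certificate's chain, which is usually not the direct issuer shown on the code signing certificate itself.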

See you in my next blog post! Happy Holidays!


5 Responses to “Best Certificate Authority for Jar file signing in Oracle E-Business Suite”

  • Richard says:


    I enjoyed your post, which I stumbled upon while researching the error you mention at the end: $StatusUnknownException: Certificate does not specify OCSP responder

    I have gone through the process in MOS 1591073.1 for getting an In House certificate (we have a certificate server in house) and the steps involved in importing the certificate both to the oracle applications and to the client machine.

    Do you know if there is a step that is being missed in the creation of the in house certificate where the OCSP responder value should be? I did not create the certificate, I am just the DBA.

    Any assistance or advice would be greatly appreciated.



  • Lev says:

    It was a pain to work 3 days on Synology NAS filestation, which uses Java, to get rid of this annoying security warning before I realized that Java simply doesn’t trust StartSSL certs. Very sad, as I have already bought it for 2 years.

  • Vishnu Sharma says:

    We have recently installed a Java Code Signing Certificate from Comodo as per Oracle note 1591073.1.
    It seems to work fine most of the time. However, we are still in our testing phase and are concerned we are receiving errors once in a while.

    Users are being prompted to enter login information, presumably for
    If the users press cancel, they seem to be able to proceed within the EBS.
    However, once a user pressed cancel and was denied access to EBS,
    he is receiving an error message stating “Cannot complete applications logon”.

  • Vasu Balla says:

    Hi Vishnu,

    Java by default validates whether a certificate is valid or revoked by checking the OCSP server mentioned in the certificate. For Comodo issued certificates its what I understand from your issue is that Java is trying to validate the cert, but some network config (proxy or firewall) is preventing access to the OCSP URL from the desktop. If you have a firewall or proxy set up, ask your network admins to enable accessing the OCSP host without any username authentication. The OCSP server info for Comodo is mentioned in the URL below
