Verisign : Java Glossary


Verisign is a company that issues digital certificates. It is now owned by Symantec, usually a death knell. Symantec likes to buy companies, then run them into the ground by reducing the quality of the products. It sells several types of certificate, including web server, Netscape Java application code signing and Internet Explorer Java application code signing. It sometimes takes months to jump through all the hoops to get one. I suggest you start the process early in your development cycle if you will need any certificates. Make sure you keep track of which computer you used to submit the application. It is the only one that will be able to pick up the finished certificate. You will need a DUNS (Dun & Bradstreet Universal Numbering System) number for your company, and your business must be listed in the phone book under the name you use on your certificate.

In an effort to close a security hole, Java Plug-In version 1.2.2 requires an exact match of the JAR signer’s root CA (Certificate Authority) certificate (fingerprint) with one in Internet Explorer’s CA store on the executing platform. Just matching the public key is not sufficient; the validity period, etc. must also match, since the fingerprint is a hash of the whole certificate.

Because Verisign issued so many different root certificates with the same public key, but slightly differing otherwise, you may not have the precise root certificate you need pre-installed. Their competitor Thawte did not do this, so Thawte certificates work where Verisign ones sometimes don’t.
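To see why exact fingerprint matching bites here, the following added example (not part of the glossary, and not Verisign’s or Sun’s code) builds two self-signed roots from one key pair that differ only in validity period, then checks each against a one-certificate trust store the way the Plug-In does. It assumes openssl is on the PATH; the subject names and file names are made up.

```shell
#!/bin/sh
# Two roots sharing one key pair but with different validity periods:
# same public key, different fingerprints, so a store holding only one
# of them rejects the other when matching is by fingerprint.
set -e
WORK=$(mktemp -d)

# One key pair reused for both roots (the Verisign situation described above).
openssl genrsa -out "$WORK/root.key" 2048 2>/dev/null

# Root A: valid 365 days. Root B: same key and subject, valid 3650 days.
openssl req -new -x509 -key "$WORK/root.key" -days 365 \
    -subj "/O=Example CA/CN=Example Root" -out "$WORK/root_a.pem"
openssl req -new -x509 -key "$WORK/root.key" -days 3650 \
    -subj "/O=Example CA/CN=Example Root" -out "$WORK/root_b.pem"

# SHA-256 fingerprint of the whole DER-encoded certificate.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Digest of the SubjectPublicKeyInfo only: ignores validity, serial, signature.
pubkey_digest() {
    openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'
}

# Exact-match check: is this cert's fingerprint present in a directory of
# trusted PEM roots? Returns 0 if found, 1 otherwise.
in_trust_store() {
    cert="$1"; store="$2"
    want=$(fingerprint "$cert")
    for trusted in "$store"/*.pem; do
        [ "$(fingerprint "$trusted")" = "$want" ] && return 0
    done
    return 1
}

# Trust store holding only root A, like a browser shipped with one variant.
mkdir -p "$WORK/store"
cp "$WORK/root_a.pem" "$WORK/store/"

echo "A fingerprint: $(fingerprint "$WORK/root_a.pem")"
echo "B fingerprint: $(fingerprint "$WORK/root_b.pem")"
echo "A pubkey:      $(pubkey_digest "$WORK/root_a.pem")"
echo "B pubkey:      $(pubkey_digest "$WORK/root_b.pem")"
if in_trust_store "$WORK/root_b.pem" "$WORK/store"; then
    echo "root B accepted"
else
    echo "root B rejected: same public key, different certificate"
fi
```

The same fingerprint check against the real store is what tells you whether a client will need the extra root variant imported before your signed JAR will run.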

I have written Verisign asking them to provide a website where you can upgrade Internet Explorer to include all known variants of the root certificate. In the meantime, all you can do is manually import your Verisign certificate into all your clients’ Internet Explorers, making sure to include only the public key part of it, or put in a rush order for a Thawte certificate.

The root certificate mismatch problem comes mainly with new browsers not containing old versions of the Verisign root certificates. Ironically, you can bypass the problem by deleting old versions of the VeriSign Class 3 CA — Commercial Content/Software Publisher root certificates from your Netscape browser before you sign any jars, so that the signing tool selects the most recent root certificate as the base for your signing. New installations of Internet Explorer are more likely to have this newer root certificate installed. Best to back up before you do this. It would make perfect sense to Alice.

Verisign makes a variety of code-signing certificates. You can buy

