In the effort to close a security hole, Java Plug-In version 1.2.2 requires an exact match of the JAR signer’s root CA certificate (fingerprint) with one in Internet Explorer’s CA store on the executing platform. Just matching the public key is not sufficient, the validity period, etc. must also match.

Because Verisign issued so many different root certificates with the same public key, but slightly differing otherwise, you may not have the precise root certificate you need pre-installed. Their competitor Thawte did not do this, so Thawte certificates work where Verisign ones sometimes don’t.

I have written Verisign asking them to provide a website where you can upgrade Internet Explorer to include all known variants of the root certificate. In the meantime, all you can do is manually import your Verisign certificate into all your client’s Internet Explorers, making sure to include only the public key part of it, or put in a rush order for a Thawte certificate.

The root certificate mismatch problem comes mainly with new browsers not containing old versions of the Verisign root certificates. Ironically, you can bypass the problem by deleting old versions of the VeriSign Class 3 CA - Commercial Content/Software Publisher root certificates from your Netscape browser before you sign any jars, that way the signing tool will select the most recent root certificate as the base for your signing. New installations of Internet Explorer are more likely to have this new root certificate installed. Best to back up before you do this. It would make perfect sense to Alice.

Verisign makes a variety of code-signing certificates. You can buy

• Authenticode
• Sun Java
• Microsoft Office and VBA
• Netscape
• Macromedia Shockwave
• Marimba Castanet Channel