On 4/30/2010 12:51 PM, Bob Foss wrote:
>
> Everything I've read indicates that a JCE Provider's signing cert
> must be signed by a cert from Sun (or maybe IBM).
>
> http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/HowToImplAProvider.html#Step6

http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/HowToImplAProvider.html#Step61 :
> You will receive an email message containing two plain-text file
> attachments: one file containing this code-signing certificate and
> another file containing its own CA certificate, which authenticates its
> public key. Please also allow five business days from receipt of your
> request for processing.
>
> 5. Use keytool to import the certificates received from the CA.
>
> Once you have received the two certificates from the JCA Code
> Signing Certification Authority, you can use keytool to import them
> into your keystore.
>
> First import the CA's certificate as a "trusted certificate":
>
>     keytool -import -alias <alias for the CA cert> \
>         -file <CA cert file name> \
>         -keystore <keystore file name> \
>         -storepass <keystore password>
>
> Then import the code-signing certificate: ...

This would seem to imply that you can add your own CA for code-signing
purposes.

If you think about it, Sun once had developers too who presumably needed
to test their code without being given access to the official code
signing CA.

- Marsh
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto