On 2010/04/30 11:11 PDT, Marsh Ray wrote:
> On 4/30/2010 12:51 PM, Bob Foss wrote:
>>
>> Everything I've read indicates that a JCE Provider's signing cert
>> must be signed by a cert from Sun (or maybe IBM).
>>
>> http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/HowToImplAProvider.html#Step6
>
> http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/HowToImplAProvider.html#Step61
> :
>> You will receive an email message containing two plain-text file
>> attachments: one file containing this code-signing certificate and
>> another file containing its own CA certificate, which authenticates its
>> public key. Please also allow five business days from receipt of your
>> request for processing.
>>
>> 5. Use keytool to import the certificates received from the CA.
>>
>> Once you have received the two certificates from the JCA Code
>> Signing Certification Authority, you can use keytool to import them
>> into your keystore.
>>
>> First import the CA's certificate as a "trusted certificate":
>>
>> keytool -import -alias <alias for the CA cert> \
>>     -file <CA cert file name> \
>>     -keystore <keystore file name> \
>>     -storepass <keystore password>
>>
>> Then import the code-signing certificate:
> ...
>
> This would seem to imply that you can add your own CA for code-signing
> purposes.
>
> If you think about it, Sun once had developers too who presumably needed
> to test their code without being given access to the official code
> signing CA.

Marsh, I think you're assuming that that CA cert is self-signed.
I'll bet it chains to a Sun CA, and must do so to work.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto