Code Signing Certificate Compatibility Chart

M. Gallant 07/6/2001

The table below summarizes issues with using both "test" and "official" code-signing certificates, generated by the different vendor tools, and deployment of the corresponding signed JAR archives to the Netscape browser native JVM and the JavaPlugin environments. Most of the information is specific to the win32 platform. In the table below, SSC refers to a "Self Signed" code signing certificate (also called a "test" or "phony" cert) generated by either Netscape signtool.exe or Sun Java 2 SDK keytool.exe. For a commercial "proper" certificate issued by a CA (Certificate Authority) service, the issuer's certificate is referred to as CAC. These "root" certificates are typically distributed with commercial browsers, and some are also included in the Java 2 SDK cacerts certificates file. Fails means that the security manager will not suceed in verifying the identity of the certificate. Warns indicates the certificate is not recognized but the signature is verified and optionally allows execution of the applet. OK indicates that certificate recognition and signature verification has passed and the signed applet will be allowed to execute with the requested privileges.


Netscape Native JVMJavaPlugin Deployment
Netscape signtool1.3 Certificates:
Fails if SSC or CAC is NOT in Netscape "Signers" list;

OK otherwise

Fails for SSC: signature file issue
  • Plugin 1.22 : Fails : Plugin authentication problem
  • Plugin 1.3.0 : Fails if CAC is not in MS cryptoAPI database; OK otherwise
  • Plugin 1.3.0_01, 1.3.0_02: Fails if CAC is not in J2RE cacerts file; OK otherwise
  • Plugin 1.3.1, 1.4.0b: Warns if CAC is not in J2RE cacerts file; OK otherwise
Sun JDK Certificates:
Fails for SSC or CAC: JAR formatting issue.
  • Plugin 1.21, 1.22, 1.3.0 : Fails if SSC or CAC is not in MS cryptoAPI database; OK otherwise
  • Plugin 1.3.0_01, 1.3.0_02: Fails if SSC or CAC is not in J2RE cacerts file; OK otherwise
  • Plugin 1.3.1, 1.4.0b: Warns if SSC or CAC is not in J2RE cacerts file; OK otherwise