Skip to main content

Still Using Applets? Sign Them, Or Else

Posted by cayhorstmann on January 16, 2014 at 10:10 AM PST

When Sun Microsystems introduced Java in 1995, applets were considered the killer feature for the business success of Java. Don

Comments

It's now a year later, and I had to redo the process. This ...

It's now a year later, and I had to redo the process. This time, I ran into a nasty snag. I picked up the certificate with Firefox/Linux and exported it. But signing with the certificate did not work. jarsigner reported

Warning: The signer's certificate chain is not validated.

And the applet wouldn't load. The Java Plug-in said it was self-signed.

The reseller told me to import it into Internet Explorer and export it again. I was dubious, but it did work. Apparently, Firefox doesn't have the Comodo cert inside, but IE does, and then it adds it to your key.

If you run into such an issue, run

keytool -storetype pkcs12 -list -v -keystore yourcert.pfx

If the certificate chain has length 1 (as it dd for me when exporting out of Firefox), then try the IE trick.

One feature of Amazon's EC2 Web Services is that you can ...

One feature of Amazon's EC2 Web Services is that you can download certificates in relation to your virtual server. Is it possible to use these certificates to sign Java applets with?

I have a fractal explorer applet at www.mandelmania.net, and as of this latest Java update, my applets are not able to run without changing the security level slider in the Java Control Panel or adding my website to the exception list.

My website is basically built around this applet, and it is frustrating to think that I will have to buy a certificate just to keep my website "alive".

Unfortunately, you will have to get a certificate that is ...

Unfortunately, you will have to get a certificate that is signed by one of the root certificate that is trusted by the Java runtime. You can find out which ones they are by running the Java Control Panel (jcontrol from the command line if you have the jre/bin directory on your PATH). Look at Security -> Manage certificates -> Secure Signer CA -> System.

Amazon is not listed there. Like I said, the least inexpensive route seems to be a Comodo reseller such as KSoftware or Tucows, which is close to $100 and a few fun hours of arguing with Comodo's outsourced staff on whether you are really yourself. If anyone has a cheaper/better way, I'd love to know.