aka free, phony code-signing
certificates. Do you have to buy a digital certificate to let Applets
bypass security? Yes and no. You can create yourself a free phony certificate
with Keytool, or an analogous tool for other types of
certificate. It lets you run the signed Applet. However, anyone can make a
phony certificate with your name on it. It is marked as self-issued, rather than
vouched for by Verisign or Thawte. Users out in the world would/should refuse to
grant your Applet special privilege, since there is no guarantee you actually
wrote the Applet and that it has not been tampered with. However, a phony
certificate is useful for debugging while you wait for your real certificate to
arrive — which can take months of farting about.
The hassle with using phony certificates is that they must be manually pre-installed
on all the clients’ machines before your signed
Applets will be recognised. With real certificates, that step is not
necessary. The built-in signing authority root certificate suffices. It is
pretty awkward to pre-install certificates for the general public. Phony
certificates are more feasible for strictly in-house use.
In theory, a self-signed certificate should suffice to authenticate code on your
own website. Who else could have created the certificate? The need for
validation only really comes into play verifying code floating about the net
purportedly from you. A real certificate allows that verification, even without
checking in any way with your website. In contrast, a digital signature with a
phony certificate proves absolutely nothing.
Most users don’t understand even the most basic facts about certificates.
They are thus overly frightened of self-signed certificates. So you will likely
end up buying a real one eventually.
See signtool or keytool
for details of how to create a phony certificate.
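An added example, not from the original page: the shell functions below use keytool to create a throwaway certificate, confirm that its Owner and Issuer are the same name, and perform the manual pre-install step against a scratch truststore rather than the real cacerts file. The alias, distinguished name, password and file names are all constructed for illustration.

```shell
#!/bin/sh
# Added example; every name, alias and password here is constructed.
PASS=changeit   # throwaway password for scratch keystores only

# Create a key pair with a self-signed certificate in DIR/test.jks and export
# the certificate alone (no private key) to DIR/test.cer.
make_selfsigned() {
    keytool -genkeypair -alias testsigner -keyalg RSA -keysize 2048 \
        -validity 90 -dname "CN=Example Test Signer, O=Example Org, C=CA" \
        -keystore "$1/test.jks" -storepass "$PASS" -keypass "$PASS" \
        >/dev/null 2>&1 || return 1
    keytool -exportcert -alias testsigner -keystore "$1/test.jks" \
        -storepass "$PASS" -rfc -file "$1/test.cer" >/dev/null 2>&1
}

# Print the Owner or Issuer name from a certificate file.
cert_field() {
    keytool -J-Duser.language=en -printcert -file "$1" |
        sed -n "s/^$2: //p" | head -n 1
}

# Succeed when Owner equals Issuer, i.e. nobody else vouched for the name.
is_self_issued() {
    owner=$(cert_field "$1" Owner)
    [ -n "$owner" ] && [ "$owner" = "$(cert_field "$1" Issuer)" ]
}

# The manual pre-install step, done against a scratch truststore.
trust_cert() {
    keytool -importcert -noprompt -alias testsigner -file "$1" \
        -keystore "$2" -storepass "$PASS" >/dev/null 2>&1
}

is_trusted() {
    keytool -list -alias testsigner -keystore "$1" -storepass "$PASS" \
        >/dev/null 2>&1
}

selfsigned_demo() {
    command -v keytool >/dev/null 2>&1 || return 2
    work=$(mktemp -d) || return 1
    make_selfsigned "$work" || return 1
    echo "Owner:  $(cert_field "$work/test.cer" Owner)"
    echo "Issuer: $(cert_field "$work/test.cer" Issuer)"
    is_self_issued "$work/test.cer" && echo "self-issued: yes"
    is_trusted "$work/trust.jks" || echo "trusted before import: no"
    trust_cert "$work/test.cer" "$work/trust.jks" &&
        is_trusted "$work/trust.jks" && echo "trusted after import: yes"
    rm -rf "$work"
}

selfsigned_demo || echo "demo needs keytool from a JDK" >&2
```

The Owner/Issuer comparison only shows that the certificate names itself as its issuer; a client still has nothing but the manual import to tie that name to you.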
To create phony SMIME email authentication certificates in Windows use:
Why You Want A Real Certificate
- A phony certificate gives no more protection than an unsigned Applet would have.
It gives only the illusion of identification and security. The only time it has
any security at all is when the certificate has been imported into the cacerts file
or certificate repositories of all your clients by some secure means. It is easy
to forge a phony certificate with any company’s name on it that you please.
Unfortunately, the general public is unaware of this, and treats phony
certificates with too much esteem. Phony certificates should be trusted equally
to unsigned Applets. This is the reason I call them phony
certificates rather than the exalted self-signed certificate.
They are logically equivalent to forged certificates. On the other paw, I sign
my Applets and Java Web Start apps with a phony certificate because I cannot
afford a real one.
- You don’t have to install your real certificate on client machines. The
"factory"-installed authority root certificate suffices.
- There is no way to automatically install a phony certificate on the machines
owned by the general public. You have a catch-22. You need permission to install
the certificate on local hard disk, but you need the installed certificate to
get permission.
- Phony certificates are only suitable for in-house use or for testing while you
wait for your real one to arrive.
- The public is less likely to trust a phony certificate and may refuse to run
your Applet.
- Similarly, customers may refuse to use your secure connection with a phony SSL
certificate. If you are too cheap to buy a cert, can you really be trusted with
credit card numbers? Why don’t you want to present your id? You are
advertising yourself as fly-by-night and Mickey Mouse. I have devised a scheme
for secure transmission that does not rely on SSL certificates. See the
Transporter.
- You may accidentally give away your private key if you go around installing your
certificate on many machines. I know of no way to export a certificate from
Netscape without including your private key.
Starting with Java 1.4.1 the status of phony certificates has been elevated. The
user is merely warned if a copy of your phony certificate is not in his cacerts
file. Previously you had to find some way to get it there; now it is
merely desirable to do so.