Satish

Reputation: 1943

Should we redeploy jars after renewing with the same CSR?

Our Java code signing certificate expires in a month and we just renewed it with Verisign. I was assuming that would be enough to keep our clients from seeing any certificate-related error messages.

Should we sign the jars again with the new certificate and redeploy it to the clients?

Thanks in advance

Upvotes: 1

Views: 706

Answers (3)

Minesh Patel

Reputation: 541

As discussed with the DigiCert support team:

No, not if you used the timestamp parameter in the signing process.

Notice in this example here: https://www.digicert.com/code-signing/java-code-signing-guide.htm#jarsigner

The -tsa http://timestamp.digicert.com parameter

That makes it so that your signature is valid for the foreseeable future. You do not need to renew and resign that specific file if you used the timestamp.

You would only need to renew your certificate to sign future new jar files you create.

Upvotes: 2
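An added check for the point above (example code, not from the answer or from DigiCert): it inspects a JAR's PKCS#7 signature block for the CMS timestamp attribute that jarsigner -tsa embeds, so you can tell which deployed JARs keep verifying after the old certificate expires and which must be re-signed. The sample JARs and their signature blocks are constructed placeholders, not real CMS data, and the OID scan is a heuristic.

```python
import io
import zipfile

# DER encoding of id-aa-signatureTimeStampToken (1.2.840.113549.1.9.16.2.14), the
# CMS unsigned attribute in which jarsigner -tsa stores the RFC 3161 token.
SIGNATURE_TIMESTAMP_OID = bytes.fromhex("060b2a864886f70d010910020e")
SIGNATURE_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")


def signature_blocks(jar_bytes):
    """Return {name: bytes} for every PKCS#7 signature block under META-INF/."""
    blocks = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            upper = name.upper()
            if upper.startswith("META-INF/") and upper.endswith(SIGNATURE_BLOCK_SUFFIXES):
                blocks[name] = jar.read(name)
    return blocks


def timestamp_status(jar_bytes):
    """Map each signature block to True if it carries a timestamp token.

    Heuristic byte scan for the attribute OID; on a real JAR confirm with
    jarsigner -verify -verbose -certs, which prints the timestamp details."""
    return {name: SIGNATURE_TIMESTAMP_OID in data
            for name, data in signature_blocks(jar_bytes).items()}


def needs_resign(jar_bytes):
    """True if the JAR is unsigned or any signature expires with the cert."""
    status = timestamp_status(jar_bytes)
    return not status or not all(status.values())


def build_sample_jar(signature_block):
    """Constructed toy JAR: real zip layout, placeholder signature block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\n")
        jar.writestr("META-INF/SIGNER.RSA", signature_block)
        jar.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


# Constructed stand-ins, not real CMS structures: the first embeds the
# timestamp attribute OID, the second only the plain signedData OID.
TIMESTAMPED_JAR = build_sample_jar(b"\x30\x82" + SIGNATURE_TIMESTAMP_OID + b"\x04\x00")
UNTIMESTAMPED_JAR = build_sample_jar(bytes.fromhex("308206092a864886f70d010702"))
```

Run needs_resign() over the bytes of each JAR you ship; a True result means that JAR stops verifying when the old certificate expires and belongs in the redeploy list.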

Emil Vikström

Reputation: 91983

Yes, you need to sign them again. The certificate itself will tell its own expiry date, and the certificate is deployed along with your package. It's an entirely new certificate you've got (even if the issuers often refer to it as a "renewal").

Installers and other verification software will usually not use the Internet to check the validity of the certificate. Instead, they will check the expiry date in your certificate file (which is packed into the signed JAR file), and check the validity of the certificate by checking against the computer's built-in list of issuer certificates (CA). The only time the Internet is used in this process is to download a revocation list - a database of certificates revoked before their expiry date - but this will usually not be done in real time, but on a scheduled basis.

Upvotes: 2

Vivien Barousse

Reputation: 20895

Yes. You have new signing certificates, and the versions currently deployed are signed with the old certificate, so it is like nothing changed for your users.

For your new certificate to be taken into account, you have to sign your JAR files again with the new certificate, and redeploy the newly signed files to the clients.

Upvotes: 0
