I need a little insight into some authentication issues in Adobe AIR. Three related facts that fit into my question:

  1. Whenever accessing my https:// site from my AIR application, I get the untrusted site warning
  2. When I build an AIR app, I don't have a paid-for certificate, so I sign it myself for now
  3. My site (that gives the untrusted warning when I access it inside the AIR app) does have a paid-for certificate (issuer Comodo - via DreamHost)

I'm not quite sure what the most reasonable solution to this is. So I have a couple tightly-coupled questions, and I'm not sure which one or several are applicable. They might be the same thing, or they might be separate. But I would love to have some light shed on this.

  1. Is Comodo just not a "good enough / approved" CA issuer for Adobe, and that's why it complains?
  2. Is there any way around this? Something I can put in my crossdomain.xml or something?
  3. Can I use my CA cert that I have already paid for, to sign the AIR apps?
  4. If 3 is true, will what I have work or will it only work with a different issuer?

Can someone explain the difference, if any, between the certificate used to sign the AIR apps, and the certificate used to do the SSL authentication, and if I can reuse what I have?

+1  A: 

Does your browser see the certificate as valid when you navigate to it?

There is no reason why AIR should be complaining about your website certificate. It looks like it might be worth checking your JRE proxy settings, according to the Adobe docs:

> ADT uses the Java runtime environment proxy settings, when appropriate, for connecting to Internet resources for checking certificate revocation lists and obtaining time-stamps. If you encounter problems connecting to Internet resources when using ADT and your network requires specific proxy settings, you may need to configure the JRE proxy settings.

Having said that, I've never run into issues with the JRE proxy settings. If AIR does see the certificate as invalid, there is no way around it (except to install the certificate onto the machine).

If that's the case, you'd want to talk to either Comodo or Adobe about the problem.

> Can someone explain the difference, if any, between the certificate used to sign the AIR apps, and the certificate used to do the SSL authentication, and if I can reuse what I have?

You'll need to generate a code signing certificate as they include the Extended Key Usage extension, which basically describes the certificate as a "code signing certificate".

You won't be able to reuse your website certificate, but your subscription to Comodo might allow you to generate a code signing cert.

Richard Szalay
@richard: thanks. The weird thing is that now that I test it again a few weeks later, I do not get the certificate warning any more. Perhaps there is a propagation delay at Comodo. Can you elaborate more on generating a code-signing certificate? The Wikipedia link is fairly generic on the point.
eruciform
Sounds like it was indeed a propagation delay. You'll need to get a code-signing certificate through Comodo, though it may not be part of your existing deal with them. As long as it's an x509v3 cert with the Extended Key Usage extension, it will be fine. Comodo's code certs appear to be here: http://www.comodo.com/e-commerce/code-signing/code-signing-certificate.php
Richard Szalay
@richard: thanks a lot for the help!
eruciform
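
The Extended Key Usage distinction from the answer above, as an added example that is not part of the original thread and is not ADT's own logic: this Go program builds two constructed self-signed certificates, one marked serverAuth and one marked codeSigning, and asks Go's X.509 verifier whether each is acceptable for each purpose. The helper names `selfSigned` and `validFor` and the subject names are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds a throwaway certificate (constructed sample) listing exactly the given EKUs.
func selfSigned(cn string, eku ...x509.ExtKeyUsage) (*x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  eku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// validFor trusts cert as its own root and asks the verifier whether it may serve the purpose.
func validFor(cert *x509.Certificate, purpose x509.ExtKeyUsage) bool {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{purpose}})
	return err == nil
}

func main() {
	usages := map[string]x509.ExtKeyUsage{"www.example.test": x509.ExtKeyUsageServerAuth, "Example Publisher": x509.ExtKeyUsageCodeSigning}
	for cn, eku := range usages {
		c, err := selfSigned(cn, eku)
		if err != nil {
			panic(err)
		}
		fmt.Println(cn, "serverAuth:", validFor(c, x509.ExtKeyUsageServerAuth), "codeSigning:", validFor(c, x509.ExtKeyUsageCodeSigning))
	}
}
```

Each certificate verifies only for the purpose named in its own EKU extension, which is why a website certificate is rejected when presented for code signing.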
