Our Java code signing certificate expires in a month and we just renewed it with Verisign. I was assuming that that would be enough to keep our clients from seeing any certificate-related error messages.

Should we sign the jars again with the new certificate and redeploy it to the clients?

Thanks in advance

A: 

Yes. You have new signing certificates, and the versions currently deployed are signed with the old certificate, so it is like nothing changed for your users.

For your new certificate to be taken into account, you have to sign your JAR files again with the new certificate, and redeploy the newly signed files to the clients.

Vivien Barousse
+1  A: 

Yes, you need to sign them again. The certificate itself will tell its own expiry date, and the certificate is deployed along with your package. It's an entirely new certificate you've got (even if the issuers often refer to it as a "renewal").

Installers and other verification software will usually not use the Internet to check the validity of the certificate. Instead, they will check the expiry date in your certificate file (which is packed into the signed JAR file), and check the validity of the certificate by checking against the computer's built-in list of issuer certificates (CA). The only time the Internet is used in this process is to download a revocation list - a database of certificates revoked before their expiry date - but this will usually not be done in real time, but on a scheduled basis.

Emil Vikström
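
Both answers rest on the fact that the signer certificate, including its expiry date, travels inside the signed JAR. The following added example (not part of either answer) reads that embedded certificate from a JAR and reports its expiry date, which shows whether a deployed file still carries the old certificate. The class name `JarSignerExpiry` and the JAR path passed on the command line are assumptions.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.jar.*;

// Hypothetical helper class; run as: java JarSignerExpiry path/to/app.jar
public class JarSignerExpiry {
    // Maps each signer certificate's subject to the expiry date stored in the JAR.
    static Map<String, Date> signerExpiry(String jarPath) throws Exception {
        Map<String, Date> expiry = new LinkedHashMap<>();
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(jarPath, true)) { // true: verify signatures
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                // The manifest and signature files live in META-INF and carry no signer.
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                // Signer information is only available once the entry is fully read;
                // an entry whose digest does not match throws SecurityException here.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    expiry.putIfAbsent("UNSIGNED ENTRY: " + entry.getName(), null);
                    continue;
                }
                for (CodeSigner signer : signers) {
                    // The first certificate in the path is the signer's own certificate.
                    X509Certificate cert = (X509Certificate)
                            signer.getSignerCertPath().getCertificates().get(0);
                    expiry.putIfAbsent(cert.getSubjectX500Principal().getName(),
                                       cert.getNotAfter());
                }
            }
        }
        return expiry;
    }
    public static void main(String[] args) throws Exception {
        Date now = new Date();
        signerExpiry(args[0]).forEach((subject, notAfter) -> {
            String state = notAfter == null ? "no signature"
                    : notAfter.before(now) ? "EXPIRED " + notAfter
                    : "valid until " + notAfter;
            System.out.println(subject + " -> " + state);
        });
    }
}
```

Running it against a JAR before and after re-signing shows the expiry date change only in the re-signed file.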