Wednesday, May 23, 2012

Cheapest Java Code Signing Certificate? (not self-signed)


Does anyone know where I can get an inexpensive Java code signing certificate? Everywhere I look wants $200 to $300 per year! Unfortunately I cannot use a self-signed one; I'm trying to get rid of the scary warnings so that users will be more likely to accept my application. And as far as I know (per this question), it has to be a code signing certificate; it cannot be an SSL certificate.



Source: Tips4all

8 comments:

  1. What about startssl? They offer code signing certificates for 49.90$ for 2 years (with wild card capabilities). I haven't tried using it, so no guarantees, but it looks good.

  2. How about $80 a year? Tucows apparently resell for Comodo at their Author Site. Again, apparently, they give further discount for 3 years (~$199).

    I can't confirm any of this without creating an account there (which is, frankly, above my pay grade) but if it is that much and it does work with Java, $66 a year for 3 years doesn't seem too steep.

    Hopefully GoDaddy will add this to their bag of tricks one day.

    Edit!

    The prices are as follows:


    1 year for $75
    2 years for $140 ($10 saving)
    3 years for $195 ($30 saving)


    And by the looks of things, they can be used for signing Java apps. Happy days.

  3. You can tell if a CA's certs will work for Java code-signing by examining the Java cacerts file, which lists all the CAs known to Java. If their cert is in this file, then Java will not complain about the signed code. If it isn't, then it will warn the users. For example:

    root@girflet:~# keytool -list -keystore /usr/lib/jvm/java-6-sun-1.6.0.15/jre/lib/security/cacerts | grep comodo
    Enter keystore password: changeit
    comodoaaaca, 02-May-2006, trustedCertEntry,

    Note that I had to enter the default keystore password, changeit. This command should work on Windows as well, although you'll have to change the path to the cacerts file and you won't have grep. Use more instead and page through until you find or don't find what you're looking for.

    As of today, Comodo is in the cacerts file, and startssl aren't. So a startssl cert wouldn't be much good for Java code.

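The cacerts check from comment 3, as an added example that is not part of the original thread: it parses `keytool -list` output instead of grepping it, so it also works on Windows and only counts `trustedCertEntry` rows. The sample listing is constructed (only the `comodoaaaca` line comes from the comment), the function names are hypothetical, and an alias match is a naming heuristic, not chain validation.

```python
import re
import subprocess

# Constructed sample of `keytool -list` output; only the comodoaaaca line
# comes from the comment above, the other entries are made up for the demo.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

comodoaaaca, 02-May-2006, trustedCertEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
exampleroot [jdk], Aug 25, 2016, trustedCertEntry,
Certificate fingerprint (SHA-256): 00:11:22:33
mysigningkey, 23-May-2012, PrivateKeyEntry,
Certificate fingerprint (MD5): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00
"""

# Row shape: alias, <date that may itself contain a comma>, <entry type>,
ENTRY_RE = re.compile(r"^(?P<alias>[^,]+),\s.*,\s*(?P<type>\w+Entry),?\s*$")

def trusted_aliases(listing):
    """Return aliases of trustedCertEntry rows, skipping headers,
    fingerprint lines and private-key entries."""
    aliases = []
    for line in listing.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m and m.group("type") == "trustedCertEntry":
            aliases.append(m.group("alias").strip())
    return aliases

def find_ca(listing, name):
    """Case-insensitive substring match of a CA name against trusted aliases."""
    return [a for a in trusted_aliases(listing) if name.lower() in a.lower()]

def list_cacerts(path, storepass="changeit"):
    """Run keytool against a real cacerts file (needs a JDK/JRE on PATH)."""
    return subprocess.run(
        ["keytool", "-list", "-keystore", path, "-storepass", storepass],
        capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    for ca in ("comodo", "startssl"):
        hits = find_ca(SAMPLE_LISTING, ca)
        print(ca, "->", hits or "not in this listing")
```

To check a real installation, pass the output of `list_cacerts()` for your JRE's cacerts path to `find_ca()` in place of the sample.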
  4. You can also get heavily discounted Comodo certificates from:


    Lindersoft: $79 for one year, $200 for 3 years, plus a 25$ membership fee
    K Software: $99 per year

  5. Cheapest I can find is $149/year (if you buy 3 years at once) from GlobalSign. Not great, I know!

    ReplyDelete
  6. Comodo has code-signing certs for $179.95/year and you only need to buy 1 year. They don't talk about Java. I don't know if they are different than what you use to sign Microsoft based stuff.

  7. Thanks for the note about Comodo and the Tucows/author page.
    I've just finished the whole process and it's exactly as said before - it works with Java CA certs (I've checked Java 1.6 on WinXP and 1.6 on Mac OS X) with no problem. And it's much cheaper than verisign/thawte.

    For the last 4 years I was buying 2-year ones from thawte, but not anymore.
    The only thing you have to do is:


    export this cert to a *.p12 file (it depends on your OS; on Mac OS it is as simple as right-clicking on this cert and choosing the "export" option :))
    import this cert into a new keystore (a Java one) which is recognized by jarsigner, something like this:
    keytool -importkeystore -v -srckeystore exported-file-name.p12 -srcstoretype PKCS12 -destkeystore dest-keystore-filename-for-use-with-jarsigner


    Additionally you can change the alias (mine was "klucz z secure.comodo.net") to something better :) But it's not necessary, just for convenience.

    best regards, and thanks again for this tip (3 years for $195 ;-))

  8. Another good option (don't know how long this will last) is http://www.discountcodesigning.com/ They give you a real GlobalSign certificate for $99 (usually $229).

    Despite the lack of branding, the site is run by GlobalSign themselves, and was registered just over two months ago. I have a feeling that they're doing price-testing to see how many more sales they get.
