Customer Support » ObjectSign Certificate Support » FAQ

How does Internet Explorer grant extra power to applets?
How does Netscape grant extra power to applets?
How do I Code Sign my files using Microsoft authenticode tools?
How do I Code Sign my files using Netscape ObjectSign tools?
What happens if I code sign an applet with a valid certificate which has expired in the meantime?
Which Browser versions are required for code signing?
Does GlobalSign provide test ObjectSign certificates?
Do I Need to purchase a different ObjectSign certificate to Sign applets for Internet Explorer and Netscape?
If I use a browser that does not know GlobalSign, what are the steps I need to do to download an applet signed with a GlobalSign certificate?
How to transform your certificate to a pvk + spc combination.

How does Internet Explorer grant extra power to applets?

You first have to code sign an archive containing your applet. When the archive is loaded by Internet Explorer, it will immediately ask the user if he trusts the developer. If yes, then the applet runs with full access to the user's machine. If no, then Explorer tries to load the applet using the individual .class files; if it succeeds, it runs the applet with restricted permissions.

How does Netscape grant extra power to applets?

You must add code to your applet that requests permission to do any "dangerous" actions, and then sign an archive containing the applet. Your code will need to use Netscape-specific Java classes called the "Netscape Capabilities API". When the applet is loaded by Navigator it will be constrained by the sandbox or restricted set of permissions. When the applet requests permission to do a "dangerous" action the user will be asked if he trusts the developer; if the answer is "no" then the request fails (but the applet keeps running); if the answer is "yes" then the request succeeds and the applet may use the specified "dangerous" capability.

How do I Code Sign my files using Microsoft authenticode tools?

The files must be wrapped into a .cab archive and then signed with a Microsoft Authenticode ID

How do I Code Sign my files using Netscape ObjectSign tools?

The files must be signed with a Netscape Code Signing Certificate (creating a "manifest" of the files), and then the files and manifest must be wrapped into a .jar archive.

What happens if I code sign an applet with a valid certificate which has expired in the meantime?

Netscape's tools won't let you sign an applet with an expired certificate. However, Navigator will treat an applet signed with a currently-expired certificate the same as an applet signed with a still-valid certificate. Microsoft's tools allow you to attach an unforgeable timestamp to your archive. Archives which were timestamped and signed with valid certificates will be treated as secure even after the certificate expires; archives that were not timestamped or were timestamped after the certificate had expired will be reported as suspect.

Which Browser versions are required for code signing?

Netscape Navigator, version 4.0 and above
Microsoft Internet Explorer on Windows, version 4.0 and above

Does GlobalSign provide test ObjectSign certificates?

Yes, you can use a GlobalSign Class 1 demo certificate for code signing.

Do I Need to purchase a different ObjectSign certificate to Sign applets for Internet Explorer and Netscape?

Unfortunately yes, there are technological differences between Microsoft Authenticode and Netscape Object Signing so that applets signed with Microsoft technology won't be recognised under netscape nor applets signed with Netscape won't be recognised under microsoft. You currently need a different certificate for each platform

If I use a browser that does not know GlobalSign, what are the steps I need to do to download an applet signed with a GlobalSign certificate?

Actually the only thing the customer will have to do when downloading the applet is to trust the publisher and normally he should be presented a dialog box asking whether he wants or not to trust that publisher and should the user choose "yes" then the publisher will be stored in his security database, so that the customer won't deal with a security dialog box if he's downloading an applet signed by the same publisher. If he chooses "no" then he will need to grant access next time he tries to download an applet signed by the same publisher.