• Home |
• Contact Us |
• Certificate Centre Login

Global Support Centre > Code Signing > FAQs

Why does Firefox ask me for a Master Password?
Firefox insists that the user sets up a Master password before they request a GlobalSign ObjectSign or PersonalSign certificate, and will ask the user for that password when they come to install their certificate. It is very easy to set up a Master password, simply open Firefox and go to Tools > Options > Security > select Use a master password and enter then confirm a password of your choice > OK.

---

XPI Extensions For Firefox

To sign an XPI object (Firefox plugin), you need to export the codesigning cert out of IE as PKSC#12 including intermediary certificates (very helpful if first a 'Friendly name' is given to the Codesigning cert in IE through 'Edit Properties')

You import the cert into Mozilla's database using pk12util -i "certificate.pfx" -d .

Before using it however you need to set the Codesigning flags as follows:

certutil -M -t "CT,C,C" -n "GlobalSign" -d .

certutil -M -t "CT,C,C" -n "GlobalSign Primary Object Publishing CA - GlobalSign nv-sa" -d .

certutil -M -t "CT,C,C" -n "GlobalSign Object Publishing CA - GlobalSign nv-sa" -d .

Then you can sign using:

signtool -d . -k "friendly name" xpidirectory/

---

Should I install the ActiveX control?
If you are using Windows and Internet Explorer, in step 2 of your online certificate request a yellow bar will appear at the top of the screen.

Please click on the yellow bar and continue to install the Active-X driver as instructed. The installation will only take a few moments and will ensure the certificate request is made on your browser. If you continue to the next step and the Active-X driver has not been installed the box labelled Cryptographic Service Provider will not be selectable

The box labelled Cryptographic Service Provider on Step 5 should appear, if it does not, go back and make sure you install the Active-X Driver.

---

How does Internet Explorer grant extra power to applets?
You first have to code sign an archive containing your applet. When the archive is loaded by Internet Explorer, it will immediately ask the user if he trusts the developer. If yes, then the applet runs with full access to the user's machine. If no, then Explorer tries to load the applet using the individual .class files; if it succeeds, it runs the applet with restricted permissions.

---

How does Netscape grant extra power to applets?
You must add code to your applet that requests permission to do any "dangerous" actions, and then sign an archive containing the applet. Your code will need to use Netscape-specific Java classes called the "Netscape Capabilities API". When the applet is loaded by Navigator it will be constrained by the sandbox or restricted set of permissions. When the applet requests permission to do a "dangerous" action the user will be asked if he trusts the developer; if the answer is "no" then the request fails (but the applet keeps running); if the answer is "yes" then the request succeeds and the applet may use the specified "dangerous" capability.

---

How do I Code Sign my files using Microsoft authenticode tools?
The files must be wrapped into a .cab archive and then signed with a Microsoft Authenticode ID

---

How do I Code Sign my files using Netscape ObjectSign tools?
The files must be signed with a Netscape Code Signing Certificate (creating a "manifest" of the files), and then the files and manifest must be wrapped into a .jar archive.

---

What happens if I code sign an applet with a valid certificate which has expired in the meantime?
Netscape's tools won't let you sign an applet with an expired certificate. However, Navigator will treat an applet signed with a currently-expired certificate the same as an applet signed with a still-valid certificate. Microsoft's tools allow you to attach an unforgeable timestamp to your archive. Archives which were timestamped and signed with valid certificates will be treated as secure even after the certificate expires; archives that were not timestamped or were timestamped after the certificate had expired will be reported as suspect.

---

Which Browser versions are required for code signing?
Netscape Navigator, version 4.0 and above Microsoft Internet Explorer on Windows, version 4.0 and above

---

Does GlobalSign provide test ObjectSign certificates?
No, we are currently unable to offer a free demo certificate. However, all GlobalSign certificates come with a full 7 day refund policy.

---

How many times can I use my Code Signing Certificate?
You can use your certificate to sign an unlimited number of applications within the lifespan of the certificate.

---

Do I Need to purchase a different ObjectSign certificate to Sign applets for Internet Explorer and Netscape?
No, there are no technological differences between Microsoft Authenticode and Netscape Object Signing, you may use the Microsoft Authenticode to sign applets in Netscape

---

If I use a browser that does not know GlobalSign, what are the steps I need to do to download an applet signed with a GlobalSign certificate?
Actually the only thing the customer will have to do when downloading the applet is to trust the publisher and normally he should be presented a dialog box asking whether he wants or not to trust that publisher and should the user choose "yes" then the publisher will be stored in his security database, so that the customer won't deal with a security dialog box if he's downloading an applet signed by the same publisher. If he chooses "no" then he will need to grant access next time he tries to download an applet signed by the same publisher.