Please share your experience with SSL certificates & code signing

In talking about donations, the prospect of buying SSL certificates for the jME3 SDK came up. Donations are going pretty well (an update is coming) and we figure we might as well start evaluating our options.



We’ve started doing some research and between the core members we probably have the necessary knowledge to not screw this up, but we’d still love to hear from the community at large on this one. Recommend SSL providers, share tips & tricks, tell horror stories and whatever else you think we ought to be aware of before we throw your money at somebody.


SSL certificates are easy to obtain and easy to configure in Apache. For jME I think a Domain Validated certificate is enough (more “secure” is just a waste of money). At work we use an AlphaSSL wildcard certificate and that works great for us. At home I use a StartSSL certificate (they are free and I do not care that much about the security there :P)!



The bad news is that in general (AFAIK) a certificate for code signing cannot be used as an SSL certificate and vice versa, so we need two of them. Also the Code Signing ones seem to be more expensive than regular SSL certificates for some reason, even though they are essentially the same thing…
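The reason the two kinds of certificate are not interchangeable is the Extended Key Usage (EKU) extension the CA stamps on the certificate at issuance: a TLS certificate carries serverAuth, a code-signing certificate carries codeSigning, and verifiers (browsers, `openssl verify`, Java's jarsigner) reject a certificate used for a purpose its EKU does not list. The following script is an added example, not code from this thread or the jME project; it builds a throwaway private CA with openssl (the "own CA-cert" idea raised later in the thread), issues one certificate of each kind, and checks how openssl treats them. All names (the CA, `www.example`, `plugins.example`) are made up and every file lives in a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the thread: a throwaway private CA built with
# openssl that issues one TLS server certificate and one code-signing
# certificate, plus two checks showing why one cannot stand in for the other.
# All names are made up; everything lives in a temp dir removed on exit.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/openssl.cnf"

# Minimal request config so the example does not depend on a system openssl.cnf.
cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# 1. Self-signed CA: the certificate a user would have to install as trusted.
openssl req -x509 -config "$CFG" -extensions v3_ca -newkey rsa:2048 -nodes \
  -sha256 -days 3650 -subj "/CN=Example Private CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

# 2. Leaf certificates. The only material difference between the two is the
#    keyUsage/extendedKeyUsage the CA puts on them at issuance.
issue_leaf() { # $1 = file stem, $2 = subject CN, $3 = keyUsage, $4 = extendedKeyUsage
  openssl req -new -config "$CFG" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nkeyUsage=%s\nextendedKeyUsage=%s\n' "$3" "$4" \
    > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.crt" >/dev/null 2>&1
}
issue_leaf server   www.example     digitalSignature,keyEncipherment serverAuth
issue_leaf codesign plugins.example digitalSignature                 codeSigning

# Prints the EKU names a certificate carries (the line after the EKU header).
eku_of() {
  openssl x509 -in "$1" -noout -text |
    awk '/X509v3 Extended Key Usage/ { getline; sub(/^ +/, ""); print }'
}

# Exit 0 only if the certificate chains to our CA *and* is acceptable as a
# TLS server certificate; openssl rejects a cert whose EKU omits serverAuth.
usable_for_tls() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslserver "$1" >/dev/null 2>&1
}

for stem in server codesign; do
  printf '%-9s EKU: %s; accepted for TLS: ' "$stem" "$(eku_of "$WORK/$stem.crt")"
  if usable_for_tls "$WORK/$stem.crt"; then echo yes; else echo no; fi
done
```

Run as-is, the server certificate is accepted for TLS and the code-signing one is refused even though both chain to the same CA and were issued the same way. The same logic runs in the other direction: jarsigner warns when the signer certificate's ExtendedKeyUsage does not allow code signing, which is why a web-server certificate cannot be reused to sign jars.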

Personally I think all of the official CAs are a bunch of beep beep DigiNotar beep, mostly based on the greedily short validity times they arbitrarily put into the certificates. I would prefer that jME had its own self-signed CA-cert and we all spent 1 hour each to write a tutorial on the first page instructing users on how to install it as trusted in their browser of choice.



That said, I sure can understand if we want to use SSL for parts of the website and not scare people off with security warnings :) I would suggest looking at the CAs in the Mozilla root program.

http://www.mozilla.org/projects/security/certs/policy/

http://www.mozilla.org/projects/security/certs/included/



And as kwando says, the SSL certificates aren’t valid for code signing. Is that also in the scope?


Code signing is being discussed. In theory we should be able to install our own root cert in the SDK and use it to sign the plugins/core libraries/etc - but being able to sign things like the native libraries, demo applets, etc would be beneficial too.

@zarch said:
Code signing is being discussed. In theory we should be able to install our own root cert in the SDK and use it to sign the plugins/core libraries/etc - but being able to sign things like the native libraries, demo applets, etc would be beneficial too.

Yes, I explained to Normen how to do that.

He still wants a code signing certificate for applets, so that we can:
1) Use native bullet without scary dialog
2) Have our name instead of JOGL's or LWJGL's name on the signature.

Other than that I see no reason for getting a code signing certificate.