0 Replies Latest reply: Aug 28, 2013 2:20 PM by 66715356-cba7-40fe-b31b-f5a5defdfbb7 RSS

    JCE Provider and Expiring Signing Certificate


      Good day everyone.


      Long story short, some time ago we implemented a JCE provider, signed it using a code signing certificate from Sun, and distributed it with one of our products.  That certificate will expire in the not too distant future.  We are going through the process of acquiring a new code signing certificate, and I have no real concerns or questions about that.  I do, however, have a question regarding what might happen to some of our installations if we are unable to update the JAR before the certificate expires.


      I believe, based on some documentation that I have found (link below), that the application will continue to function just fine.  According to the documentation, as of JCE 1.2.2, the implementation will accept expired (but correctly signed) JAR files and not complain.


      Java Archive Downloads - Java Platform Technologies


      I have tested this locally by setting my workstations clock to a future date beyond the expiration of our current code signing certificate.  The test showed no degradation in function, but I can't say I really tested everything.


      I was wondering if anyone had some more definitive knowledge of what will happen to an application attempting to use a JCE Provider contained in a JAR that has been signed with an expired code signing certificate.  A link to a bit more recent documentation, perhaps?  I'd even take a few anecdotes as supporting evidence.