@sma: I thought I recreated that less than 2 months ago... weird. I don't even know how to see how old it is
I'll redo it again I guess. As for the other certificate types you mentioned... I don't know of them. If they cost money, I don't think I'll go for it any time soon
I'm a broke college kid who has enough trouble getting gas money.
I tried you game again, and it's still the same invalid certificate
To check certificates, there're at least two ways. If you get the Webstart security warning dialog, click on "Details." An ugly (it seems the Java Webstart team is unable to create anything but ugly dialogs with bad usability) dialog with certificate details opens. It shows a number of fields from the certificate.
But let me first try to explain how an X509 certificate based public key infrastructure (PKI) is supposed to work.
RSA or DSA based cryptography can be used to sign data, assuring both that nobody tampered with the data and that the data is indeed from the person who said so.
You have a pair of keys (very long numbers) which are used to encrypt or decrypt data. One key must be kept private, the other can be published. Data encrypted with the private key can only be decrypted with the matching public key (I won't go into details why this is so). This way, assuming that the private key was really kept private, I can take your public key and verify that the data you said you encrypted were really encrypted by you - nobody else could have done it without the matching private key.
So to sign something, you compute a cryptographic hash (MD5 or SHA1 are two well known algorithms) and encrypt that hash value. This is called signing. The encrypted hash value is the signature. The cryptographic hash has two important features: changing a single byte will result in a diffferent hash value and you cannot recreate the data just from the hash value.
Now, to verify the signature, I need to hash the data myself (using the same algorithm of course), decrypt your encrypted hash value and compare both values. Is is called signature verification.
I need your public key for that and this is where certificates come into play. A certificate is a (trusted) statement that a certain public key is from a certain person.
That person is the so called "subject" of the certificate. The certiciate stores a so called X500 name, which is that funny looking C=US, ST=North Carolina, L=Greensboro string, something that predates the idea of an URL. It says that you're from the US, state NC, town Greensboro and so on. That X500 name is supposed to identify you.
But anybody could have created that certificate, just taking a public key and adding that X500 name.
Therefore, certificates are always issued by a trusted authority. Some other person I need to trust. That "issuer" says by signing the whole certificate that the subject data is correct. Signing a certificate works exactly like signing any other data and as you might guess, this is a recursive thing.
To verify the signature of the certificate, I need the certificate of the issuer. And I need to trust that certificate. Therefore, one talks about certificate chains which establish trust from a really trusted certificate authority (also called CA) to your certificate.
Most webstart applications (unfortunately) use self-signed certificates where the guy who created the certificate simply says "trust me". That's of course of no real value and computely bogus if it comes to real security. I could recreate your self-signed certificate to the byte. Anybody could.
Better let a trusted authority sign your certificate. Unfortuntely, these authorities normally take money for that service
If a CA signs a certificate, it assigns a serial number (which can be used to revoke a certificate later on - for example if the private key leaked into the public) and a validity. A certificate is only valid for so many months.
You should be able to see all that information in the details dialog of Webstart. Your certificate expired "Sat Dec 18 22:55:12 CET 2004"
I said that there's a second way to look into certificates. Windows comes with a nice viewer that opens automatically if you double click on a "*.cer" file. You can export those files from a Java keystore. Unix fans can use the mighty openssl tool to print certificate details.
But I talked more about certificates I ever wanted and add a few comments to the game in my next posting.