java cacerts file vs MS windows trusted root certificate authoritiesstore

Hi all,

when verifying a digital signature, does java check the MS windows
trusted root certificate authorities store?
if so, which has the highest priority the cacerts file or the OS
store? if the CA was listed in the windows store but not in the
cacerts file, would java still trust it?

i've been scouring all over on the internet but i couldn't find any
document on the subject.

steven acer

steven acer wrote:

> when verifying a digital signature, does java check the MS windows
> trusted root certificate authorities store?

Not that I'm aware of.

> i've been scouring all over on the internet but i couldn't find any
> document on the subject.

Me either, but new root certificates always lead to a new update
of the Java Virtual Machine, so if there would be such a feature
this wouldn't be necessary.


Regards, Lothar
--
Lothar Kimmeringer E-Mail:
PGP-encrypted mails preferred (Key-ID: 0x8BC3CD81)

Always remember: The answer is forty-two, there can only be wrong
questions!

Lothar Kimmeringer

On Nov 5, 12:42*am, Lothar Kimmeringer <news200...@kimmeringer.de>
wrote:
> steven acer wrote:
> > when verifying a digital signature, does java check the MS windows
> > trusted root certificate authorities store?
>
> Not that I'm aware of.
>
> > i've been scouring all over on the internet but i couldn't find any
> > document on the subject.
>
> Me either, but new root certificates always lead to a new update
> of the Java Virtual Machine, so if there would be such a feature
> this wouldn't be necessary.
>
> Regards, Lothar
> --
> Lothar Kimmeringer * * * * * * * *E-Mail: spamf...@kimmeringer.de
> * * * * * * * *PGP-encrypted mails preferred (Key-ID: 0x8BC3CD81)
>
> Always remember: The answer is forty-two, there can only be wrong
> * * * * * * * * *questions!

too bad. my company is trying to install its own CA server so that we
can issue certificates to all our employees to use them in our in
house java application.
Now this would mean we have to manually add the company's certificate
to the cacerts file on each client machine since the changes in the
Windows certificate store would be irrelevant for java and would go
unnoticed by it.
maybe this would convince them to authenticate with a certificate
authority.

steven acer

steven acer wrote:

> too bad. my company is trying to install its own CA server so that we
> can issue certificates to all our employees to use them in our in
> house java application.
> Now this would mean we have to manually add the company's certificate
> to the cacerts file on each client machine since the changes in the
> Windows certificate store would be irrelevant for java and would go
> unnoticed by it.

What do you want to use the certificate for? If it's for SSL
and other similar stuff, you can solve that by using your own
TrustManager within your in house application.


Regards, Lothar
--
Lothar Kimmeringer E-Mail:
PGP-encrypted mails preferred (Key-ID: 0x8BC3CD81)

Always remember: The answer is forty-two, there can only be wrong
questions!

Lothar Kimmeringer

On Nov 5, 1:43*pm, Lothar Kimmeringer <news200...@kimmeringer.de>
wrote:
> steven acer wrote:
> > too bad. my company is trying to install its own CA server so that we
> > can issue certificates to all our employees to use them in our in
> > house java application.
> > Now this would mean we have to manually add the company's certificate
> > to the cacerts file on each client machine since the changes in the
> > Windows certificate store would be irrelevant for java and would go
> > unnoticed by it.
>
> What do you want to use the certificate for? If it's for SSL
> and other similar stuff, you can solve that by using your own
> TrustManager within your in house application.
>
> Regards, Lothar
> --
> Lothar Kimmeringer * * * * * * * *E-Mail: spamf...@kimmeringer.de
> * * * * * * * *PGP-encrypted mails preferred (Key-ID: 0x8BC3CD81)
>
> Always remember: The answer is forty-two, there can only be wrong
> * * * * * * * * *questions!

we will use them for electronic signature.

steven acer

steven acer wrote:

> On Nov 5, 1:43*pm, Lothar Kimmeringer <news200...@kimmeringer.de>
> wrote:
>>
>> What do you want to use the certificate for? If it's for SSL
>> and other similar stuff, you can solve that by using your own
>> TrustManager within your in house application.
>
> we will use them for electronic signature.

http://www.pankaj-k.net/archives/200...ing_windo.html
Other ways (newer than five years) might be possible as well (GIYF)


Regards, Lothar
--
Lothar Kimmeringer E-Mail:
PGP-encrypted mails preferred (Key-ID: 0x8BC3CD81)

Always remember: The answer is forty-two, there can only be wrong
questions!

Lothar Kimmeringer

On Nov 6, 1:54*pm, Lothar Kimmeringer <news200...@kimmeringer.de>
wrote:
> steven acer wrote:
> > On Nov 5, 1:43*pm, Lothar Kimmeringer <news200...@kimmeringer.de>
> > wrote:
>
> >> What do you want to use the certificate for? If it's for SSL
> >> and other similar stuff, you can solve that by using your own
> >> TrustManager within your in house application.
>
> > we will use them for electronic signature.
>
> http://www.pankaj-k.net/archives/200...ing_windo.html
> Other ways (newer than five years) might be possible as well (GIYF)
>
> Regards, Lothar
> --
> Lothar Kimmeringer * * * * * * * *E-Mail: spamf...@kimmeringer.de
> * * * * * * * *PGP-encrypted mails preferred (Key-ID: 0x8BC3CD81)
>
> Always remember: The answer is forty-two, there can only be wrong
> * * * * * * * * *questions!

thanks Lothar, i think it would me much easier to authenticate with a
trusted certificate authority and construct a chain of trust for our
certificates, it will us save a lot of headache.

Best

steven acer