You can create your own certificate using a variety of tools, including the free Adobe AIR SDK. This option is free and fast, but because a commercial certification authority has not issued these certificates, they will not be trusted on most machines. Certificates can also be purchased from certification authorities. Thawte (www.thawte.com), for example, offers a certificate purchase process specific to Adobe AIR. Certificates issued by commercial CAs are trusted on most machines.
Regardless of how they are obtained, certificates are issued for different purposes. Adobe AIR requires certificates that are specifically designated for use in code signing. For example, you can create a certificate for signing documents with Adobe Reader, but this certificate cannot be used to sign AIR applications, as the intended purposes differ. Code signing certificates are generally interchangeable; Authenticode certificates (www.authenticode.com), for example, can be used to sign AIR applications.
Gruesome Details of Getting Certificates
The technical process of obtaining a certificate can be listed as four basic steps:
- A key-pair is generated. The private key of the pair must remain a secret and so the person who wishes to obtain the certificate must generate it locally.
- A certificate-signing request is created. This request includes the public key and identifying information such as your name; most of this same information is placed in the certificate itself. This request is sent to the certification authority.
- A certificate is created; it contains your public key, name, and other information and is signed by a (private) key controlled by the certification authority. The certification authority then returns this signed certificate to the requestor.
- The certificate and the original private key are reassociated by the requestor in some keystore.
If you create your own certificate (for example, via the "adt" tool in the Adobe AIR SDK, www.adobe.com/products/air/tools/sdk), then these four steps happen at the same time. The output of the adt command to create a new certificate is the keystore created in step 4, containing both the certificate and the new private key. The certificate is signed with its own private key in step 3, which is why certificates you create in this manner are called "self-signed." If you purchase a certificate, then these steps are somewhat more involved and begin with determining your purchasing process. Although this may seem surprising at first, it is your browser that handles the client-side aspects of each of these steps. Less surprisingly, not every certificate purchasing process is compatible with every browser. The Adobe AIR process provided by Thawte is compatible with Mozilla-based browsers, such as Firefox. We selected this process in conjunction with Thawte because it provides a uniform purchase process across all platforms Adobe AIR supports. Other types of code signing certificates have other browser requirements. For example, purchasing Authenticode certificates (Microsoft's branded version of code signing certificates for use on Windows) requires the use of Internet Explorer. Imagine that.
Thawte, Adobe AIR Certificates, and Firefox
Adobe collaborated with Thawte, a member of the Verisign family, to create a process for purchasing certificates for use with Adobe AIR. Obtaining a certificate via this process consists of the following steps. These are not detailed instructions; for that, please see the documentation. This list is just intended to give you a feel for what's involved.
- Visit the Thawte website and select the Adobe AIR Developer Certificate. You must use Firefox.
- Complete the Thawte enrollment process. Your key pair is generated during this step and the private key is stored in the Firefox keystore.
- Thawte performs an identity verification process and may request additional information. For example, Thawte uses public records to validate the existence of your business. They will also validate that you are authorized to request a certificate for the business. (Thawte, like most certification authorities, issues certificates only to businesses or organizations, not individuals.)
- Once you've been notified that verification is complete, you'll log back into the Thawte website. The certificate is saved to the Firefox keystore.
- The Adobe signing tools can't directly access the Firefox keystore, so you'll have to export your keys and certificate into a PKCS12-based keystore file. (These files conform to the PKCS12 standard and are identified with either a .pfx or .p12 extension.)
Now you have a usable signing certificate. However, you should consider moving your key to a hardware-based keystore.
Using Authenticode Certificates
You aren't required to purchase an Adobe AIR Certificate from Thawte. You can use any certificate that is intended for code signing as designated by the extended key usage field in the certificate itself. Most certificates sold as code signing certificates qualify, including ones you might already own.
For purposes of example, here are the basic steps required to use an Authenticode certificate with Adobe AIR. Note that it's really just a matter of getting the certificate into an appropriate format.
- First, find and download the pvkimprt tool provided by Microsoft. This loads your Authenticode certificate into the Windows keystore.
- From the Windows keystore (accessible via Internet Options, among other places) export the certificate as a PFX file.
However you obtain your certificate, you need to ensure that the final keystore contains a full certificate chain.
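The four steps listed under "Gruesome Details" and the chain requirement just stated, as an added example that is not part of the original text or of Adobe's tooling: it reproduces the steps with the openssl command line (assumed installed) in place of adt, using a throwaway certification authority constructed for the example, then checks the resulting PKCS12 keystore for the code-signing extended key usage and a complete, verifiable chain.

```shell
#!/bin/sh
# Added example: the four certificate steps with openssl instead of adt,
# plus a keystore check. Assumes the openssl CLI is installed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# A throwaway certification authority constructed for this example, so the
# developer's certificate has a real issuer rather than being self-signed.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=Example Test CA" -days 30 2>/dev/null

# Step 1: the key pair is generated locally; dev.key must stay secret.
openssl genrsa -out dev.key 2048 2>/dev/null
# Step 2: the certificate-signing request carries the public key and identity.
openssl req -new -key dev.key -out dev.csr -subj "/CN=Example Developer/O=Example Org"
# Step 3: the CA signs the request, designating the result for code signing
# through the extended key usage extension.
printf 'extendedKeyUsage=critical,codeSigning\nkeyUsage=critical,digitalSignature\n' > ext.cnf
openssl x509 -req -in dev.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out dev.crt -days 30 -extfile ext.cnf 2>/dev/null
# Step 4: certificate and private key are reassociated in a PKCS12 keystore;
# -certfile bundles the issuing chain the signing tool needs.
openssl pkcs12 -export -inkey dev.key -in dev.crt -certfile ca.crt \
  -out dev.p12 -passout pass:changeit

# Returns 0 only if the keystore's leaf certificate carries the Code Signing
# EKU and the bundled chain is present and actually verifies the leaf.
check_keystore() {
  ks=$1; pw=$2
  rm -f leaf.pem chain.pem
  openssl pkcs12 -in "$ks" -passin "pass:$pw" -nokeys -clcerts -out leaf.pem 2>/dev/null
  openssl pkcs12 -in "$ks" -passin "pass:$pw" -nokeys -cacerts -out chain.pem 2>/dev/null
  # The line after "Extended Key Usage" in -text output lists the purposes.
  openssl x509 -in leaf.pem -noout -text 2>/dev/null \
    | sed -n '/Extended Key Usage/{n;p;}' | grep -q 'Code Signing' || return 1
  [ -s chain.pem ] || return 1
  openssl verify -CAfile chain.pem leaf.pem >/dev/null 2>&1
}

if check_keystore dev.p12 changeit; then
  echo "dev.p12: code-signing certificate with a complete chain"
else
  echo "dev.p12: not usable for code signing"; exit 1
fi
```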
Signing can be performed using a variety of applications including Adobe Flex Builder, Adobe Flash, Adobe Dreamweaver, and Aptana. All of these applications rely on the adt tool, which is freely available as part of the Adobe AIR and Flex SDKs.