Should we redeploy jars after renewing with the same CSR?

Our Java code signing certificates expires in a month and we just renewed it开发者_Go百科 with Verisign. I was assuming that that would be enough to avoid our clients from seeing any certificate related error messages.

Should we sign the jars again with the new certificate and redeploy it to the clients?

Thanks in advance

Yes, you need to sign them again. The certificate itself will tell it's own expire date, and the certificate is deployed along with your package. It's an entirely new certificate you've got (even if the issuers often refer to it as a "renewal").

Installers and other verification software will usually not use the Internet to check the validity of the certificate. Instead, they will check the expire date in your certificate file (which is packed into the signed JAR file), and check the validity of the certificate by checking against the computes' built-in list of issuer certificates (CA). The only time the Internet is used in this process is to download a revocation list - a database of certificates revoked before their expiry date - but this will usually not be done in realtime, but on a scheduled basis.

As discussed with digicert support team

No, not if you used the timestamp parameter in the signing process.

Notice in this example here: https://www.digicert.com/code-signing/java-code-signing-guide.htm#jarsigner

The -tsa http://timestamp.digicert.com parameter

That makes it so that your signature is valid for the foreseeable future. You do not need to renew and resign that specific file if you used the timestamp

You would only need to renew your certificate to sign future new jar files you create

Yes. You have new signing certificates, and the versions currently deployed are signed with the old certificate, so it is like nothing changed for your users.

For your new certificate to be taken into account, you have to sign again your JAR files with the new certificate, and redeploy the new signed files to the clients.