I am working on an application (and applet) that needs to be signed (not just self-signed). I am looking at using GoDaddy.
Unlike most things in Java world, with code signing it does not seem to be easy to test things without putting out the cash first. So, I would like to ask some quick questions.
 For Java signing, I imagine you can use any computer to sign the code (i.e., it does not need to be signed on the computer that is the webserver). Correct?
 Is there any relationship between the computer I use to sign the code and the signed code itself? For example, let's say I buy a code signing cert from GoDaddy, but then I change my development computer. Can I still use that same cert on a different computer, or is it somehow "linked" to the computer that is used? In other words, if my dev machine crashes, will I need to buy a new cert from GoDaddy (or wherever)?
 Has anyone used GoDaddy for code signing? Are there any gotchas?
 I assume that once a code is properly signed, it should work on any platform with a proper JVM... correct?
Anyway, just thought I would ask these questions before I put out the cash with GoDaddy.
 I'm about 85% sure the answer to this question is you can use the same cert. It's been several years since I've had to do anything with applet signing in production.
 No, I didn't. The company I worked for bought the cert and I don't remember who from.
Note that there are different classes of certificates, though, e.g. certificates that are meant to be used for SSL are bound to a specific server name - needless to say, that's not what you want.
 I didn't even know that GoDaddy was in the certificate business. Anyway if it is, the gotcha would be that the customer's browsers might not recognize their certificates as trusted. Browsers are shipped with code to recognize certificates from the well-known trust-sellers like Verisign and Thawte but not necessarily others. Perhaps GoDaddy has a sample applet which they can demonstrate their certificates with.
Paul Clapham wrote: the gotcha would be that the customer's browsers might not recognize their certificates as trusted. Browsers are shipped with code to recognize certificates from the well-known trust-sellers like Verisign and Thawte but not necessarily others.
Actually, these days the standard browsers ship with certificates from lots of providers - my Firefox has dozens of them, including GoDaddy. You can view them via Preferences -> Advanced -> Encryption -> View Certificates. (My list had several outdated certificates, and some by providers I considered suspect, so I deleted those.)
According to http://en.wikipedia.org/wiki/Certificate_authority#Providers, GoDaddy actually has a market share of >20%.