Signed Patches Administration Guide for PatchPro 2.2

Sun Certificates That Verify Signed Patches

Digital certificates, issued and authenticated by Sun Microsystems, are used to verify that a downloaded patch archive carrying a digital signature has not been tampered with.

Sun PKI Registration Authorities

The Sun Public Key Infrastructure (Sun PKI) architecture is designed with one top-level certificate and a subordinate certificate authority (CA). The top-level certificate is called the Root CA. The subordinate CA is called the Sun Microsystems, Inc. CA (Class B) certificate. An additional certificate, the patch signing certificate, is issued by Sun Enterprise Services and verifies the digital signatures on signed patches.

Sun certificates are issued by Baltimore Technologies, which recently acquired GTE CyberTrust.

The Sun Root CA and the Sun Class B CA are available from http://www.sun.com/pki/ca. The patch signing certificate is included in the SUNWppro package.

These three certificates form the certificate chain of trust used in the patch verification process. The Sun Root CA certifies the Class B CA, and the Class B CA certifies the patch signing certificate. Ultimately, the GTE CyberTrust CA certifies the Sun Root CA.

A certification authority certifies the relationship between a public key and the owner of that key. The public keys are used to validate the digital signature found in the patch JAR file.

The Sun CA process means that the following statements are true:

For information about Sun's certificate policy, see http://www.sun.com/pki/cps.html.

Revoked Sun Certificates

If the Sun Root CA or Class B CA certificate is stolen or lost, that certificate is revoked. A list of revoked certificates is posted at http://www.sun.com/pki/ca/pkismica.crl.html.

Check this site periodically to verify that your imported certificates are still valid. If an imported certificate has been revoked, remove it from your keystore and import a replacement certificate.

If the patch signing certificate is revoked, the existing signed patches on the SunSolve Online site will be replaced by patches that have a new digital signature.
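The following Java program is an added example that illustrates both the chain-of-trust check described under "Sun PKI Registration Authorities" and the revocation check described in this section. It is not PatchPro code and does not reproduce how PatchPro itself performs verification. It assumes a JKS keystore into which the Sun Root CA and Class B CA certificates have been imported as trusted entries, a patch JAR whose entries were signed with the patch signing certificate, and, optionally, CRL files saved locally from Sun's revocation page; the file names and the class name PatchJarCheck are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Added example, not PatchPro code: checks that every entry of a patch JAR is
 * signed and that each signer's certificate chains to a CA held in a local keystore
 * (assumed to contain the Sun Root CA and Class B CA as trusted certificate entries).
 * If CRL files are supplied, revoked certificates anywhere in the chain are rejected.
 */
public class PatchJarCheck {

    /** Reads an entry to the end; JarFile checks the entry's digest only once it is fully read. */
    private static void drain(JarFile jar, JarEntry entry) throws Exception {
        byte[] buf = new byte[8192];
        try (InputStream in = jar.getInputStream(entry)) {
            while (in.read(buf) != -1) { /* discard content, keep reading */ }
        }
    }

    /** Drops self-signed certificates so the trust anchor comes from the keystore, never from the JAR. */
    private static CertPath withoutSelfSigned(CertPath signerPath, CertificateFactory cf) throws Exception {
        List<Certificate> chain = new ArrayList<>();
        for (Certificate c : signerPath.getCertificates()) {
            X509Certificate x = (X509Certificate) c;
            if (!x.getSubjectX500Principal().equals(x.getIssuerX500Principal())) {
                chain.add(x);
            }
        }
        return cf.generateCertPath(chain);
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: PatchJarCheck patch.jar keystore.jks storepass [issuer.crl ...]");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[1])) {
            ks.load(in, args[2].toCharArray());
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // Trust anchors are the trusted-certificate entries of the keystore (the imported Sun CAs).
        PKIXParameters params = new PKIXParameters(ks);

        if (args.length > 3) {
            // PKIX needs a CRL from the issuer of every certificate in the path, so one file per CA level.
            List<X509CRL> crls = new ArrayList<>();
            for (int i = 3; i < args.length; i++) {
                try (InputStream in = new FileInputStream(args[i])) {
                    crls.add((X509CRL) cf.generateCRL(in));
                }
            }
            params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
            params.setRevocationEnabled(true);
        } else {
            params.setRevocationEnabled(false); // no CRLs given: chain is checked, revocation is not
        }
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");

        // verify=true makes JarFile compare each entry's digest against the signed manifest.
        try (JarFile jar = new JarFile(args[0], true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) {
                    continue; // signature files themselves are not signed entries
                }
                drain(jar, e); // SecurityException if the content does not match its signed digest
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    throw new SecurityException("unsigned entry: " + e.getName());
                }
                for (CodeSigner s : signers) {
                    CertPath path = withoutSelfSigned(s.getSignerCertPath(), cf);
                    validator.validate(path, params); // CertPathValidatorException on untrusted or revoked chain
                }
            }
        }
        System.out.println("OK: every entry is signed and chains to a trusted CA in " + args[1]);
    }
}
```

Run it as `java PatchJarCheck 123456-01.jar sunca.jks changeit` to check the chain only, or append the CRL files for the Class B CA and the Root CA to also reject revoked certificates; with revocation enabled the PKIX validator fails with "could not determine revocation status" rather than silently passing when a CRL for one level of the chain is missing. Replacing a revoked CA certificate in the keystore is done with keytool, for example `keytool -delete -alias sunclassb -keystore sunca.jks` followed by `keytool -import -alias sunclassb -file classb.cer -keystore sunca.jks`, where the alias and file names are assumptions.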