Java Webstart: howto share certificate with users - java

I developed an application that uses Java Webstart. It needs write access to the disk so it has to be signed, but it would only be used by a limited group of users so I don't want to pay for a trusted certificate.
What is the easiest option to let the users trust my application/self-signed certificate? I don't want them to use keytool because it is not really user-friendly. I thought about creating a certificate that can be imported via the Java Control Panel and first tried creating an importable certificate using the following commands:
keytool -genkeypair -keystore patrickgotthard.jks -alias patrickgotthard
keytool -exportcert -keystore patrickgotthard.jks -alias patrickgotthard -file patrickgotthard.cer
But it is not possible to import the generated .cer file. Then I found "Cannot import certificate into java control panel" and used the following command:
keytool -genkey -alias patrickgotthard -keystore patrickgotthard.p12 -storetype pkcs12
But as far as I understand, the .p12 file also contains my private key - I don't think that the private key should be shared?! Can you tell me how to create a self signed certificate that can be imported via Java Control Panel but does not contain my private key? Or do you know a better solution for my problem?

In this scenario, it may be sufficient to check the SHA1 fingerprint associated with the self-signed certificate used to sign the JAR:
Sign the JAR with your self-signed certificate.
Use keytool -v -list to determine your certificate's fingerprint.
Communicate the certificate's fingerprint in a mutually agreed way.
Instruct users to add your secure site to the Exception Site List in the Security tab of the Java Control Panel; this allows the user to retain the minimum recommended security level setting, High.
At the security prompt, click on More Information to compare the communicated fingerprint with the one received.
This approach does not confer trust, but it reduces the risk of the user accepting an altered JAR.
Addendum: The article Self-signed certificates for a known community discusses how to export a self-signed certificate. Members of the community can then import the certificate as warranted.

I was developing a Java Web Start app years ago with NetBeans. It did everything for me automatically.
You just have to put permissions tags in the JNLP file.
Also, 6 months later I had problems creating a new self-signed certificate.
But the self-signed app still works (many years later, no modification, no certs to install).
Clients do not have to install any certificates.
It just warns every time it starts that it is signed with a self-signed cert.

Another option is to have this "limited group of users" lower the security level for Java. In Windows, you go to the Control Panel->Java and then one of the tabs is for Security (sorry on my mac right now and it is not quite the same). I believe that if you push that security level lower to Medium, you can get away with the self-signed certificate.

Related

java webstart code signing requirements overview

I have a small javafx2 application that is used in the office. Some guys run it from Firefox, some run it as a desktop app. Webstart is great.
The current approach is that I have added this to the jnlp file:
<security>
<all-permissions/>
</security>
Then created a key in a keystore using the keytool:
keytool -genkey -keystore yourKeystore -alias keyname
And I sign all jar files that are to be on the user's PC using jarsigner:
jarsigner -keystore ./myapp.keystore -storepass xxx -keypass yyy <path to jar file> keyname
So the user either starts the app using the shortcut file (the jnlp file) on their desktop, or they browse to the app in Firefox. This works great, except nowadays we get this dialog that says:
Running applications by UNKNOWN publishers will be blocked in a future release
and I am worried about what will happen when that future release is out.
I do not have a deep understanding of all this code signing thing. I know that it works by embedding some binary data into files that is used to prove that the releaser of the app is a company/individual that is recognized by the Certificate Authority (and this is what jarsigner does AFAIK). Certificates are recognized by OSes like Windows and Linux, by web browsers like Firefox and Safari, and Java also recognizes certificates at 2 levels, user and system. There are widely accepted Certificate Authorities (like Verisign) that are recognized by default in OSes like Windows and Linux. I know that web browsers also recognize some Certificate Authorities, but I think the list they recognize can be different from the list the OS recognizes. I guess Java also recognizes some but I do not know which.

I also know that I can have system level configured keystores in Java by specifying the keystore in ~/.java/deployment/deployment.properties, deployment.system.security.trusted.certs. If I do not want to pay for a certificate, I can create my own (this is what I was doing), so my certificate is from an UNKNOWN publisher. What I was hoping for is that if I specify my keystore via deployment.system.security.trusted.certs then it will solve this problem for the office, but apparently it does not, which I do not understand because in this case the system administrator says that he recognizes this certificate.

So now I am thinking about making a certificate using makecert in Windows which can then be pushed down to client PCs via GPO. My understanding is that this will create certificates that are recognized by the OS, but I do not know if makecert-made certificates would be treated the same way as e.g. Verisign certificates in Windows, in Firefox and also in Java. And I do not know if UNKNOWN refers to a list within Java or it refers to the fact that the Certificate Authority is not recognized by the OS.
My questions:
If someone could fix the mistakes I made in the above description I would appreciate it. I believe I am misunderstanding something, but I do not know what.
I just cannot believe that Webstart won't work unless we pay for a certificate. I guess what we need is a mechanism that a sysadmin can say that he wants the office PCs to recognize a given certificate. Does anyone have an idea how to do this in the future?
If we have to purchase a certificate, could someone please let me know what to watch out for or how that works in general? Can I use jarsigner the same way?
If we have to purchase a certificate, is there a list of Certificate Authorities out there that we can pick from? Obviously I want to go for the cheapest as I find this an administrative overhead.
Thank you for your help.
My setup that works with JRE7u40 and JRE8 is this:
I have a self-signed cert for my certificate authority (CA). This cert must be trusted by the system (e.g. add it to Java Control Panel / Security / Certificates / Signer CA, but there may be other ways to make your CA trusted).
Then I have a code publisher certificate, signed by my CA. I use this cert to sign all my code (jars).
Furthermore, if you want all permissions for your code, I suggest these MANIFEST.MF attributes as QDH minimum (since JRE7u40, if I remember):
Permissions: all-permissions
Codebase: *
Trusted-Library: true
Trusted-Only: true
The first time you run such an application, you will still see the security warning because the runtime is unable to ensure that the code signer certificate was not revoked by its CA.
However, now you have the option to permanently accept this publisher (code signer certificate), and if you do, the code signer certificate will be added to trusted publishers (Java Control Panel / Security / Certificates / Trusted Certificates) and you won't see such a warning again.
If you want to avoid this step, I guess you have to set up your CA infrastructure properly to support certificate revocation verification. I assume that includes some extra attributes in your CA certificate and availability of a special certificate revocation service. For intranet deployment, you may skip that.
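The private CA, CA-issued code signer and manifest attributes described in this answer, worked through end to end as an added shell example (this is not code from the answer or from any project on this page). It also produces the certificate fingerprints that the first answer on this page tells users to compare at the security prompt. The subject names, the alias names, the password changeit, the scratch directory and the jar contents are all assumptions for the demo; the keytool and jarsigner options are standard ones from the JDK.

```shell
#!/bin/sh
# Added example, not code from the answer above: a private CA, a code-signing
# certificate issued by it, and a jar signed with that certificate. Every
# name, password and path below is an assumption for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"          # scratch directory for keystores and the jar
PASS="${PASS:-changeit}"              # demo password; use a real one outside the lab

# The MANIFEST.MF attributes the answer recommends for an all-permissions app.
# "Codebase: *" lets the jar launch from any host; in production put your
# real hostname there so a copied jar cannot be served from somewhere else.
manifest_text() {
  printf '%s\n' \
    'Manifest-Version: 1.0' \
    'Permissions: all-permissions' \
    'Codebase: *' \
    'Trusted-Library: true' \
    'Trusted-Only: true' \
    'Application-Name: Example App' \
    ''
}

# Step 1: self-signed CA key pair. BasicConstraints ca:true and KeyUsage
# keyCertSign are what PKIX path validation expects from an issuer.
make_ca() {
  keytool -genkeypair -keystore "$WORK/ca.jks" -storepass "$PASS" -keypass "$PASS" \
    -alias ca -keyalg RSA -keysize 2048 -validity 3650 \
    -dname 'CN=Example Internal CA, O=Example' \
    -ext bc:c=ca:true -ext ku:c=keyCertSign,cRLSign
  keytool -exportcert -rfc -keystore "$WORK/ca.jks" -storepass "$PASS" -alias ca -file "$WORK/ca.pem"
}

# Step 2: code-signer key pair, a CSR, and a certificate issued by the CA.
# ExtendedKeyUsage codeSigning is the extension the JRE checks; a TLS server
# certificate lacks it, which is why reusing one triggers the EKU warning.
make_signer() {
  keytool -genkeypair -keystore "$WORK/signer.jks" -storepass "$PASS" -keypass "$PASS" \
    -alias signer -keyalg RSA -keysize 2048 -validity 730 \
    -dname 'CN=Example Code Signer, O=Example'
  keytool -certreq -keystore "$WORK/signer.jks" -storepass "$PASS" -alias signer -file "$WORK/signer.csr"
  keytool -gencert -keystore "$WORK/ca.jks" -storepass "$PASS" -alias ca \
    -infile "$WORK/signer.csr" -outfile "$WORK/signer.pem" -rfc -validity 730 \
    -ext ku:c=digitalSignature -ext eku=codeSigning
  # Import the CA first (trusted entry), then the reply, so the signer entry
  # carries the full chain signer -> CA.
  keytool -importcert -noprompt -keystore "$WORK/signer.jks" -storepass "$PASS" -alias ca -file "$WORK/ca.pem"
  keytool -importcert -noprompt -keystore "$WORK/signer.jks" -storepass "$PASS" -alias signer -file "$WORK/signer.pem"
}

# Step 3: what a client machine needs: the CA certificate only, never a
# private key. This is the file that goes into Java Control Panel / Signer CA.
make_truststore() {
  keytool -importcert -noprompt -keystore "$WORK/signer-ca-trust.jks" -storepass "$PASS" \
    -alias example-ca -file "$WORK/ca.pem"
}

# Step 4: build a jar with the manifest, sign it, and verify it against the
# CA-only trust store. Returns jarsigner's exit status: 0 only when the chain
# validates and the certificate's KeyUsage/EKU permit code signing (-strict).
sign_and_verify() {
  make_ca && make_signer && make_truststore
  manifest_text > "$WORK/MANIFEST.MF"
  echo 'constructed payload, not a real application' > "$WORK/README.txt"
  jar cfm "$WORK/app.jar" "$WORK/MANIFEST.MF" -C "$WORK" README.txt
  jarsigner -keystore "$WORK/signer.jks" -storepass "$PASS" -keypass "$PASS" "$WORK/app.jar" signer
  jarsigner -verify -strict -keystore "$WORK/signer-ca-trust.jks" -storepass "$PASS" "$WORK/app.jar"
}

# The values a user compares at the security prompt: fingerprints of the
# signer certificate embedded in the jar.
signer_fingerprints() {
  keytool -printcert -jarfile "$WORK/app.jar" | grep -E 'SHA(1|256):'
}

# Run the whole procedure: sh sign_jar.sh run
case "${1:-}" in
  run) sign_and_verify && signer_fingerprints && echo "artifacts in $WORK" ;;
esac
```

Hand out signer-ca-trust.jks (or ca.pem) to the office machines and keep ca.jks and signer.jks off them; the -strict verify is the same check the JRE applies, so a jar that fails it here will also be refused or warned about on the clients.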

Author is unknown for signed jar

Signing jar in Java, I have followed these three step to sign
keytool -genkey -keystore myKeyStore -alias me
keytool -selfcert -keystore myKeyStore -alias me
jarsigner -keystore myKeyStore jarfile.jar me
My questions are as follows :
After that I have run my applet; why does it show that the author is unknown?
I am able to give -validity (a number of days) for my jar; what is the maximum number of days I can give?
The certificate you have created is a self-signed one. Only certificates that have been signed by one of the trust centers marked as trusted in the Java settings are shown as "verified author".
The validity does not have anything to do with how long your JAR file will work. The validity period only marks the time you can use the certificate (or better, the private key that belongs to the certificate) for signing.
As noted in the keytool Validity Period,
Each certificate is valid only for a limited amount of time. This period is described by a start date and time and an end date and time, and can be as short as a few seconds or almost as long as a century.
As both Andrew and Robert note, professional software requires a professionally signed certificate. For casual use, a self-signed certificate can be used among people who share another channel of trust. It can also aid in rejecting a false claim of misprision.
A writes an open source program, signed A.
B adds malware and, unable to sign A, signs B.
C mistakenly obtains B's version and accuses A of the crime.
A can verify that tampering has occurred.
It shows as 'Author unknown' unless the digital certificate is certified by a key chain back to a CA (certification authority) such as Verisign. The problem with the 'self signed' certificate is that while you can create a certificate that claims you are who you are, other people can also make certificates that claim they are who you are. Since one 'self-signed' certificate is as good as the next to positively identify you (i.e. worthless), the JRE states 'author unknown'.
I am not sure, though I recall using 5000 days in previous certificates. Perhaps the real question is, how long is it worth claiming you are who you are, on a certificate that the JRE will never trust enough to even show the identity? If this is for a commercial product, I strongly recommend getting the verification done (it can be expensive). It would not hurt even for a widely distributed free product.

Sending POST request to a server that uses a self signed certificate

I need to send a POST request to a server that uses some levels of security. Unfortunately I don't know much about self-signed certificates; I have never used or studied them.
In the developer guide of the service it says that the server uses a "public 1024-bit self signed certificate".
What does it mean? Do I have to create a certificate or do I have to ask for it?
If I have to create a certificate, then how should I use it?
I'm implementing the client in Java.
You need to download the certificate e.g. with your internet browser. Click through the security information and export the certificate.
Then you need to import it into your local java keystore so that the JVM can find it. For import use the keytool which you find in your jre/bin directory. Documentation for the keytool: http://docs.oracle.com/javase/1.4.2/docs/tooldocs/windows/keytool.html
The default keystore is jre/lib/security/cacerts.
Then you can import the downloaded certificate:
jre/bin/keytool -import -keystore jre/lib/security/cacerts -alias mycertificate -file downloads/mycertificate.cer
Hope this helps.
P.S. Whether it is self-signed or verified is not important at this point. Just you (your client) must trust it.

how to make web application accessible from https in java [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 4 years ago.
I want to make the web application accessible from https in Java. I am a newbie in this field. I have read on some blog that it can be done by producing some sort of certificate for identity. Is there any site that provides free certificates? Can I have any blog or site to refer to?
Thanks
You need an SSL certificate approved by a CA (certificate authority) so your clients will not get a warning in their browsers when they use your webapp. For such a certificate to be obtained, you generally have to pay some money to the CA. However, for testing purposes you can use a self-signed certificate.
You can generate a self-signed certificate and put it on your server. Later you can replace it with a real certificate. If you already have the real certificate, just skip to step 2 of my answer. The methods for generating a self-signed certificate differ but basically you have to do the following (abstraction):
1. Generate a self signed certificate:
You can use numerous tools and programs for that but somehow I find the most popular ways to generate a self signed certificate are:
a) java's keytool - http://docs.oracle.com/javase/1.4.2/docs/tooldocs/windows/keytool.html
b) openssl - http://www.sslshopper.com/article-most-common-openssl-commands.html
Both methods are absolutely equivalent and it is a matter of preference which one you use (I use openssl)
2. Put this certificate in your servlet container/application server.
There are many servlet containers and application servers and the instructions for putting the certificate there vary even between different versions of the servers/containers and chosen configuration. Below I will list the ones I believe are most popular with youth nowadays...
a) tomcat 7 - http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
b) glassfish - http://artur.ejsmont.org/blog/content/how-to-generate-self-signed-ssl-certificate-for-glassfish-v3-and-import-it-into-java-keyring
c) jbossWeb (Servlet Container) - http://docs.jboss.org/jbossweb/3.0.x/ssl-howto.html
You will need an SSL certificate to serve an SSL application. The issue with an SSL certificate is that it needs to be trusted by the browser, so if you are having people use the application you need to get a real SSL certificate from a certificate provider, like Godaddy or many others. For testing purposes you can make a "self-signed" certificate which can be used, but the client using the browser will get warnings indicating problems with the certificate.
There is no way to get a real SSL certificate for free.
I trust from this answer you can make the appropriate google queries to get you on your way.
I realise this is a very old thread, but nowadays you can get free certificates from a CA (Certificate Authority) called Let's Encrypt. Obtaining a certificate is quite easy using Certbot, an ACME (Automatic Certificate Management Environment) protocol client: https://certbot.eff.org/. The client requires root access on your server.
1) Install Certbot using the certbot-auto script
wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
./certbot-auto --help
2) Fetch a certificate using either the standalone plugin or the webroot plugin. Standalone opens a small server on port 80 or 443, so either port must be free. Webroot uses an existing running server. With standalone, run the command
certbot-auto certonly --standalone --standalone-supported-challenges http-01 -d yourdomain.com
With both the webroot plugin and the standalone plugin, with the certonly option certbot will fetch a certificate and store it under /etc/letsencrypt/live/.
3) Certificates from Let's Encrypt are short lived (only 90 days) so remember to renew those
certbot-auto renew
4) After you have your certificate, you need to convert it to PKCS12 format and store it to Java keystore.
openssl pkcs12 -export -in /etc/letsencrypt/live/yourdomain.com/fullchain.pem -inkey /etc/letsencrypt/live/yourdomain.com/privkey.pem -out /etc/letsencrypt/live/yourdomain.com/pkcs.p12 -name mytlskeyalias -passout pass:mykeypassword
keytool -keystore /path/to/my/keystore -delete -alias mytlskeyalias -storepass mystorepassword
keytool -importkeystore -deststorepass mystorepassword -destkeypass mykeypassword -destkeystore /path/to/my/keystore -srckeystore /etc/letsencrypt/live/yourdomain.com/pkcs.p12 -srcstoretype PKCS12 -srcstorepass mykeypassword -alias mytlskeyalias
All steps are described in more detail in https://vaadin.com/blog/-/blogs/enabling-https-in-your-java-server-using-a-free-certificate
Then follow Nikola Yovchev's links for specific Servlet Containers to enable SSL/TLS.
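Both ends of a self-signed TLS setup, as one added shell example that is not code from any answer on this page: the server-side self-signed certificate that step 1 of the accepted answer leaves to keytool or openssl, generated with a Subject Alternative Name because current browsers and Java clients ignore the CN, and the client-side trust store that the "Sending POST request to a server that uses a self signed certificate" answer builds by importing into jre/lib/security/cacerts, built here as a dedicated trust store instead. The hostname app.example.internal, the aliases, the password changeit, the scratch directory and the Tomcat connector values are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from either answer: one self-signed TLS certificate
# with a Subject Alternative Name, stored as PKCS12 for a servlet container,
# and the matching client trust store holding only the public certificate.
# Hostname, passwords and paths are assumptions for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"
HOST="${HOST:-app.example.internal}"
PASS="${PASS:-changeit}"

# Server side: key pair and self-signed certificate in a PKCS12 file. The SAN
# must match the name clients use to reach the server, or they reject it.
make_server_keystore() {
  keytool -genkeypair -keystore "$WORK/server.p12" -storetype PKCS12 \
    -storepass "$PASS" -keypass "$PASS" -alias tomcat -keyalg RSA -keysize 2048 \
    -validity 365 -dname "CN=$HOST, O=Example" \
    -ext "san=dns:$HOST,dns:localhost,ip:127.0.0.1" \
    -ext ku:c=digitalSignature,keyEncipherment -ext eku=serverAuth
  # Public certificate to hand to clients; it contains no private key.
  keytool -exportcert -rfc -keystore "$WORK/server.p12" -storetype PKCS12 \
    -storepass "$PASS" -alias tomcat -file "$WORK/server.pem"
}

# Alternative to the browser export in the answer: fetch the certificate a
# live server presents (not run in the demo; needs network access).
fetch_server_cert() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$2"
}

# Client side: import the certificate into a trust store dedicated to this
# application rather than editing jre/lib/security/cacerts, which a JRE
# update overwrites and which every Java program on the machine trusts.
make_client_truststore() {
  keytool -importcert -noprompt -keystore "$WORK/client-trust.p12" -storetype PKCS12 \
    -storepass "$PASS" -alias "$HOST" -file "$1"
}

# Lists the trusted aliases the client trust store contains (one per line).
truststore_aliases() {
  keytool -list -keystore "$WORK/client-trust.p12" -storetype PKCS12 -storepass "$PASS" \
    | awk -F, '/trustedCertEntry/ {print $1}'
}

# JVM options that point the client's default SSLContext at that trust store;
# pass them to the Java program that sends the POST (HttpsURLConnection and
# HttpClient both use the default SSLContext unless told otherwise).
client_jvm_options() {
  printf -- '-Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStorePassword=%s\n' \
    "$WORK/client-trust.p12" "$PASS"
}

# Tomcat connector that serves the PKCS12 file (goes into conf/server.xml).
tomcat_connector_xml() {
  printf '<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"\n'
  printf '           keystoreFile="%s" keystoreType="PKCS12" keystorePass="%s" keyAlias="tomcat" />\n' \
    "$WORK/server.p12" "$PASS"
}

# Run everything: sh selfsigned_tls.sh run
case "${1:-}" in
  run)
    make_server_keystore
    make_client_truststore "$WORK/server.pem"
    truststore_aliases; client_jvm_options; tomcat_connector_xml ;;
esac
```

Replacing server.p12 with the Let's Encrypt pkcs.p12 from the steps above changes nothing on the client side except that the dedicated trust store is no longer needed, because the chain then ends at a root already in cacerts.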

Java Sign jars with server certificate

Is it possible to use a server certificate to sign a Java Web Start app? What I want to know is if it will work. I have a trusted certificate for my server, and I would like to reuse the same certificate to sign an app.
Right now, I have this warning:
This jar contains entries whose signer certificate's ExtendedKeyUsage extension doesn't allow code signing. This jar contains entries whose signer certificate's NetscapeCertType extension doesn't allow code signing.
Will I be able to launch my app without the warning that the certificate is not trusted?
You will get a warning if you don't use a code signing certificate. For most CAs, a code signing cert costs more than the server cert. In my opinion, this is just a marketing scheme to make you pay for another cert. There is no technical difference between the two certs. Some CAs may provide combo deals with usage for both.
I assume you have created the JKS file using the KEY and CRT of your SSL certificate and hence you get the error.
I have a simple solution here:
As you know you can create a JKS using the following command
keytool -genkey -v -keystore my-release-key.jks -keyalg RSA -keysize 2048 -validity 10000 -alias my-alias
and when you use this JKS you get a self-signed certificate message, which is absolutely fine for making the app live on the Google Play store. But buying a code signing certificate is good if you can afford it.
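The ExtendedKeyUsage check behind the warning quoted in this question, reproduced with openssl so a certificate can be inspected before anyone tries to sign a jar with it. This is an added example, not code from the question or the answers: the two certificates (one with only the TLS serverAuth usage, one with codeSigning) are constructed here for the demo, and their subject names are assumptions. It needs OpenSSL 1.1.1 or later for -addext.

```shell
#!/bin/sh
# Added example, not from the answers above: the check jarsigner performs on
# the signer certificate's ExtendedKeyUsage, done with openssl. The two
# certificates are constructed for the demo; subject names are assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"

# A self-signed certificate carrying only the TLS server EKU (what a CA
# issues for a web server) and one carrying the code-signing EKU.
make_demo_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=www.example.test' \
    -addext 'extendedKeyUsage=serverAuth' \
    -keyout "$WORK/tls.key" -out "$WORK/tls.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=Example Code Signer' \
    -addext 'extendedKeyUsage=codeSigning' \
    -keyout "$WORK/codesign.key" -out "$WORK/codesign.pem" 2>/dev/null
}

# Prints the EKU line of a PEM certificate, or nothing if the extension is absent.
eku_of() {
  openssl x509 -in "$1" -noout -text | sed -n '/Extended Key Usage/{n;p;}'
}

# Exit status 0 when the certificate may sign code by jarsigner's rule:
# the EKU extension is absent (no restriction), or it lists Code Signing or
# anyExtendedKeyUsage. Anything else produces the warning quoted above.
# (jarsigner applies the same idea to NetscapeCertType: if present, the
# object-signing bit must be set.)
allows_code_signing() {
  eku="$(eku_of "$1")"
  [ -z "$eku" ] && return 0
  printf '%s\n' "$eku" | grep -Eq 'Code Signing|Any Extended Key Usage'
}

# Run the demo: sh eku_check.sh run
case "${1:-}" in
  run)
    make_demo_certs
    for c in tls codesign; do
      if allows_code_signing "$WORK/$c.pem"; then
        echo "$c.pem: usable for jarsigner"
      else
        echo "$c.pem: jarsigner will warn (EKU: $(eku_of "$WORK/$c.pem" | tr -d ' '))"
      fi
    done ;;
esac
```

Run allows_code_signing against the certificate exported from your server keystore before paying for anything: a server certificate from a public CA will show only TLS Web Server Authentication (and usually Client Authentication), which is exactly the case that fails.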
