I signed my applet using .pfx file. But when I run my web page it shows "UNKNOWN publisher warning".
I also have another certificate .cer (How to check that its a code signing certificate)[I got it from another person and he is also not sure].
So to sign applet, do I need special certificate say "Code Signing" certificate? Or I'm missing something?
A digital certificate that is generated by me or you will read UNKNOWN in that dialog. The reason is that if you can make a certificate claiming that you are you, I can just as easily make a certificate claiming that I am you.
In order to avoid lying to the end-user, Oracle just reports 'unknown' for those 'self signed' applications.
Get a code-signing certificate with a key-chain pointing back to a Certification Authority (who take steps to verify the identity claimed by the applicant - and overcharge to do it), and the dialog will show the author.
See also this answer to Signing a jar file with trusted certificate for JWS deployment for the intricacies of showing the author.
Related
My JWS application jar is signed1 and when I launch that certificate it does not ask for anything and simply throws an exception saying your application has been blocked.
If I install that certificate it works, but how I force my application to give a message to install certificate so that it is installed automatically? I want something like as shown below.
I have created a certificate using keytool -genkey and then using jarsigner signed that jar file.
I have created a certificate..
These days, signed code needs to be signed using a digital certificate issued by a certification authority. There is really no way around it (or if there was, it would be a security bug - and be quickly fixed).
The digital certificate created by us as developers has no 'key chain' that points back to a Certification Authority that issues certificates after verifying the identity of the person that requested the certificate. Because CAs are trusted to check these details, Sun/Oracle imports some of their 'root certificates' into the JRE security system. Any certificate that has a key chain that points back to one of those certificates will show the dialog as seen in the screen shot.
It is all about security for the end user. Since I can generate a certificate with the JDK claiming I am you, the JRE won't accept the certificate no matter who makes it - unless the certificate has been issued by a CA.
I have an app delivered via Java Web Start that is signed with an official certificate provided by Verisign, and also a self-signed certificate that we have generated. This is done because we restrict use of the official certificate for the build delivered to customers, but we need to have our test builds signed by a certificate to get the application loaded at all.
My question is; is it normal that Java 7b55 still shows security warnings for the self-signed certificate, even though the official certificate is present? I would expect the official certificate to take precedence but it appears to be not the case.
Just wondering if anyone else has hit this or if it's unique to my environment..
Its shouldn't.... Unless you are using 1 keystore to perform all this.
Sounds like you are using your self signed keystore that is paired up with the private key inside and that you may have imported the official VeriSign one into the same keystore without matching up with the private key in the inside. Which is probably why the Official VeriSign certificate is not getting read during signing
Usually in situation like yours there should be two keystores. 1 with the self signed and another with the Official Signed certificate.
~DomSYMC
I have a small javafx2 application that is used in the office. Some guys run it from Firefox, some run it as a desktop app. Webstart is great.
The current approach is that I have added this to the jnlp file:
<security>
<all-permissions/>
</security>
Then created a key in a keystore using the keytool:
keytool -genkey -keystore yourKeystore -alias keyname
And I sign all jar files that are to be on the user's PC using jarsigner:
jarsigner -keystore ./myapp.keystore -storepass xxx -keypass yyy <path to jar file> keyname
So the user either starts the app using the shortcut file (the jnlp file) on their desktop, or they browse to the app in Firefox. This works great, except nowadays we get this dialog that says:
Running applications by UNKNOWN publishers will be blocked in a future
release
and I am worried about what will happen when that future release is out.
I do not have a deep understanding about all this code signing thing. I know that it works by embedding some binary data into files that is used to prove that the releaser of the app is a company/individual that is recognized by the Certificate Authority (and this is what jarsigner does AFAIK). Certificates are recognized by OSes like Windows and Linux, by webbrowsers like Firefox and Safari and Java also recognizes certificates at 2 levels, user and system. There are widely accepted Certificate Authorities (like Verisign) that are recognized by default in OSes like Windows and Linux. I know that webbrowsers also recognize some Certificate Authorities, but I think the list they recognize can be different from the list the OS recognizes. I guess Java also recognizes some but I do not know what. I also know that I can have system level configured keystores in Java by specifying the keystore in ~/.java/deployment/deployment.properties, deployment.system.security.trusted.certs. If I do not want to pay for a certificate, I can create my own (this is what I was doing) so my certificate is from an UNKNOWN publisher. What I was hoping for that if I specify my keystore via deployment.system.security.trusted.certs then it will solve this problem for the office but apparently it does not, which I do not understand because in this case the system administrator says that he recognizes this certificate. So now I am thinking about making a certificate using makecert in windows which can then be pushed down to client PCs via GPO. My understanding is that this will create certificates that are recognized by the OS, but I do not know if makecert made certificates would be treated the same way as e.g. verisign certificates in Windows, in Firefox and also in Java. And I do not know if UNKNOWN refers to a list within java or it refers to the fact that the Certificate Authority is not recognized by the OS.
My questions:
If someone could fix the mistakes I made in the above description I would appreciate it. I believe I am misunderstanding something, but I do not know what.
I just cannot believe that Webstart won't work unless we pay for a certificate. I guess what we need is a mechanism that a sysadmin can say that he wants the office PCs to recognize a given certificate. Does anyone have an idea how to do this in the future?
If we have to purchase a certificate, could someone please let me know what to watch out for or how that works in general? Can I use jarsigner the same way?
If we have to purchase a certificate, is there a list of Certificate Authorities out there that we can pick from? Obviously I want to go for the cheapest as I find this an administrative overhead.
Thank you for your help.
My setup that works with JRE7u40 and JRE8 is this:
I have a self-signed cert for my certificate authority (CA). This cert must be trusted by the system (e.g. add it to Java Control Panel / Security / Certificates / Signer CA, but there may be other ways to make your CA trusted).
Then I have a code publisher certificate, signed by my CA. I use this cert to sign all my code (jars).
Furthermore, if you want all permissions for your code, I suggest these MANIFEST.MF attributes as QDH minimum (since JRE7u40, if I remember):
Permissions: all-permissions
Codebase: *
Trusted-Library: true
Trusted-Only: true
First time you run such application, you will still see the security warning because runtime is unable to ensure that code signer certificate was not revoked by its CA.
However, now you have the option to permanently accept this publisher (code signer certificate), and if you do, the code signer certificate will be added to trusted publishers (Java Control Panel / Security / Certificates / Trusted Certificates) and you won't see such warning again.
If you want to avoid this step, I guess you have to setup your CA infrastructure properly to support certificate revocation verification. I assume that includes some extra attributes in your CA certificate and availability of special certificate revocation service. For intranet deployment, you may skip that.
I created a self signed certificate but the browser tells me "This CA Root Certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities store".
I did by going into IE --> Internet Options --> Content --> Certificates --> ect... I actually had to export the self signed certificate and then import it into the Trusted Root Certification. Only after the certificate was located under the ROOT store in the users machine that IE did not display any WARNINGS.
This will be deployed in a production environment, so having the users manually do the above steps is unacceptable.
How can I automatically do this? I just want them to accept and not have that "Certificate Error" and have the URL bar turned "RED" in IE.
I'm using Tomcat 5.5. I also followed the same steps as in the Tomcat SSL How To Tutorial http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
Thanks in advance.
Java 6 provides a cryptographic provider named SunMSCAPI to access the windows cryptography libraries API. This provider implements a keystore "Windows-Root" containing all Trust Anchors certificates.
It is possible to insert a certificate in this keystore.
KeyStore root = KeyStore.getInstance("Windows-ROOT");
root.load(null);
/* certificate must be DER-encoded */
FileInputStream in = new FileInputStream("C:/path/to/root/cert/root.der");
X509Certificate cacert = (X509Certificate)CertificateFactory.getInstance("X.509").generateCertificate(in);
root.setCertificateEntry("CACert Root CA", cacert);
The user will be prompted if for confirmation. If the operation is canceled by the user then a KeyStoreException is thrown.
Some technotes about the provider can be found here: http://download.oracle.com/javase/6/docs/technotes/guides/security/SunProviders.html#SunMSCAPI
Think about it. If this were possible, what would stop any fraudulent site from doing the same thing and making it look like their site was trusted? The whole point is that the user HAS to OK the certificate installation.
First of all, possibility to do this would compromise user's security, so it would be a security hole, so no, there's no easy way to do this.
Next, different software has different certificate stores. Microsoft and Chrome browser use CryptoAPI stores, Firefox has it's own store (Chrome can also use firefox's one AFAIK). Adobe's software has it's own store (in addition to CryptoAPI one).
I am implementing a VB.NET desktop application which consumes a web service.
The web service implemented in Java and I currently using Tomcat on my localhost to host the web service.
The web service requires secure communication with the client and so I have followed instructions that outlined how to use Java's keytool.exe to create two .jks keystores (one for the client and one for the server) and then create two .cer certificates (one for the client and one for the server)
I have placed the keystores and certificates generate into the directory where the web service is expecting them (according to the instructions)
I have installed the certificates into TrustedPeople and have attempted to use the certificate by setting the ClientCredentials.ClientCertificates property like this:
myServiceProxy.ClientCredentials.ClientCertificate.SetCertificate(storeLocation.CurrentUser, StoreName.TrustedPeople, X509FindType.FindByIssuerName, "name")
I keep getting the following error message when I try to call any method:
An error was discovered processing the <wsse:Security> header
My problem is that I don't know how to use this in the VB.NET client application that is consuming the web service. I could be doing this completely wrong. Any guidance on this topic would be greatly appreciated.
Thank you,
-Frinny
While I haven't coded VB for 10 years, this should get you started: http://www.example-code.com/vbdotnet/ssl_client_certificate.asp
especially this looks like it is loading the file containing the certificate:
certStore.LoadPfxFile("chilkat_secret.pfx","secret")
and this extracts the certificate and uses it for the connection:
Dim cert As Chilkat.Cert
cert = certStore.FindCertBySubjectCN("Chilkat Software, Inc.")
If (cert Is Nothing ) Then
MsgBox(certStore.LastErrorText)
Exit Sub
End If
socket.SetSslClientCert(cert)
When I had to work with certificates and WS, I had lots of issues with the them too. Use the certificates MMC and verify:
That you placed the certificate in the correct place. Note that there is a CurrentUser store, Machine Store etc. Make sure you put the certificate in the correct one according to your code.
Which user is running your application? Is the certificate located in it's store? The certificate must be visible to the user.
Open the certificate and make sure it is trusted (you will see a warning if not). You may need to put your CA's certificate in Trusted Certification Authorities store.
Make sure that the algorithms you use on each side are supported by the other side.
Note that you are looking for the certificate by issuer name X509FindType.FindByIssuerName, "name" open the certificate, make sure the issuer name matches (I guess not since it seems like copy&paste from example).
If all of this fails, try to experiment with the certificate location (I vaguely remember some issue with being able to use certificates from one location and not the other), and with the property you use to search for the certificates.
Plus, since you asked about certificates I answered about certificates. It's a good idea to check if there's an inner exception and see - it may be another problem.