The ultimate solution is to add your in-house CA root certificate to User Signer CA, and add the certificate for jar signing to User Trusted Certificate. The relationship between added certificate and physical file is shown below.
Assumption:
In the client machine --
In-house CA Certificate File = C:\certs\cacert.pem (this is the same file as C:\OpenSSL\CA\private\cacert.pem)
Certificate for jar signing = C:\cert\adkeystore.der (this is the same file as in $APPL_TOP/admin)
The JRE is installed using all default installation settings, and no extra tweaking has been done on top of it.
(1) Set a local variable for keystore location:
set KEYSTORE_LOC=%USERPROFILE%\AppData\LocalLow\Sun\Java\Deploymenr\security
(2) Add in-house CA Certificate to User Signer CA:
keytool -import -alias symplik_ca -file C:\certs\cacert.pem -file -keystore %KEYSTORE_LOC%\trusted.cacerts -storepass "" -noprompt
(3) Add certificate for jar-signing to User Trusted Certificate:
keytool -import -alias ebs12appltop -file C:\certs\adkeystore.der-file -keystore %KEYSTORE_LOC%\trusted.certs -storepass "" -noprompt
Show whether it is really added:
keytool -list -keystore %KEYSTORE_LOC%\trusted.certs -storepass ""
ebs12appltop, Nov 1, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): 6B:28:5C:28:A6:D1:5A:32:EE:E7:47:37:DB:B1:EB:BB:8C:4D:46:AD
(4) Turn off the certificate revocation check, and launch the form, and accept the warning.
Do a list of certificate of the keystore trusted.certs and you will find the original alias has changed:
keytool -list -keystore %KEYSTORE_LOC%\trusted.certs -storepass ""
deploymentusercert$tsflag$loc=http//papaya.symplik.com:8020java.util.random@19b0d0, Nov 1, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): 6B:28:5C:28:A6:D1:5A:32:EE:E7:47:37:DB:B1:EB:BB:8C:4D:46:AD
Turn the certificate revocation check in Java Control Panel on again.
So, the key to make the User-Trusted Certificate not being checked for revocation is to use a connect ALIAS NAME, in a format of:
deploymentusercert$tsflag$loc=[url]:[port]
I found out the last part (java.util.random@xxxx) is not really needed.
What it means is that instead of using an arbitrary alias name in step (3), you need to to use a proper alias name to import this certificate:
keytool -import -alias "deploymentusercert$tsflag$loc=http//papaya.symplik.com:8020"
-keystore %KEYSTORE_LOC%\trusted.certs -storepass "" noprompt
So, to do the mass deployment of self-signed certificate to client machines, you can:
- Replace the files trusted.cacerts and trusted.certs in employees desktop, as you prepared in step (2) and (4), or
- Prepare a batch file to run the keytool commands, which fetch the certificate files from somewhere from the corporate LAN. This method will able to preserve any certificates added in client JRE before this deployment.
1 comment :
in powershell, looks like :
.\keytool -import -alias symplik_ca -file C:\certs\cacert.pem -file -keystore &KEYSTORE_LOC\trusted.cacerts -storepass '""' -noprompt
Note : this works only for a keystore already created with no password, via control panel java for example. If the trusted.cacerts doesn't already exist, a password must be specified instead of ""
Post a Comment