Certificate chain and Java Web Start

kenshiro2000

Hi,

I have an application as a JAR file with other JAR libraries. All
these files are signed with a certificate that I have generated with
my own CA (OpenSSL).

The trusted chain is this: rootCA.cer -> subCA1.cer -> jws.cer

jws.cer was generated with a Certificate Signing Request through the Java
KEYTOOL, and then my CA signed this request. After doing this, I
put jws.cer in the same keystore as the request, but to do
this I first needed to put rootCA.cer and subCA1.cer in the
keystore.

The keystore now has three certificates and the key pair of jws.cer.
This certificate works well for signing the JAR files.

Is it all good?

When I call this application with Java Web Start, a pop-up always
appears and says "Certificate is valid, etc. etc.". All is good, but
the pop-up is shown anyway.

I have inserted the rootCA and subCA1 certificates in the client Java
Web Start certificate store, but the pop-up is always shown.

Why is this?

Is it not enough to install the CA certificate (and then the SubCA
certificate) in the JavaWS (client) certificate store so that the
pop-up is not shown?

Thanks
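
The chain from the post above (rootCA.cer -> subCA1.cer -> jws.cer), rebuilt with throwaway keys as an added example that is not part of the original thread: it shows that jws.cer only validates to the root when the subCA1 certificate is supplied as well. openssl stands in for keytool when creating the requests; the subjects, lifetimes and the ext.cnf file are assumptions.

```shell
#!/bin/sh
# Constructed chain rootCA -> subCA1 -> jws; all subjects are made up.

# issue NAME SUBJECT EXT_SECTION ISSUER: new key and CSR, signed by ISSUER
issue() {
    openssl req -new -config ext.cnf -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null &&
    openssl x509 -req -in "$1.csr" -CA "$4.cer" -CAkey "$4.key" \
        -CAcreateserial -extfile ext.cnf -extensions "$3" \
        -days 30 -out "$1.cer" 2>/dev/null
}

# build_chain DIR: runs in a subshell so the caller's cwd is untouched
build_chain() (
    mkdir -p "$1" && cd "$1" || exit 1
    cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = codeSigning
EOF
    openssl req -x509 -config ext.cnf -extensions ca -newkey rsa:2048 \
        -nodes -keyout rootCA.key -out rootCA.cer \
        -subj "/CN=Constructed Root CA" -days 30 2>/dev/null &&
    issue subCA1 "/CN=Constructed Sub CA 1" ca rootCA &&
    issue jws "/CN=Constructed JWS Signer" leaf subCA1
)

# chain_ok DIR [INTERMEDIATES]: validate jws.cer with rootCA.cer as the
# trust anchor; INTERMEDIATES is an optional file of untrusted issuer certs
chain_ok() {
    dir=$1
    if [ -n "${2:-}" ]; then set -- -untrusted "$dir/$2"; else set --; fi
    openssl verify -CAfile "$dir/rootCA.cer" "$@" "$dir/jws.cer" >/dev/null 2>&1
}

# Run as: sh chain.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d) && build_chain "$d" || exit 1
    chain_ok "$d" subCA1.cer && echo "root + subCA1: path builds"
    chain_ok "$d" || echo "root only: no path to jws.cer"
fi
```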
 
Andrew Thompson

Noticed your (no reply) post on the JWS forum
a day or so ago, and decided to pass it up as
security is not one of my specialties.
OTOH now that we are here where I can speak more
freely (those Sun forums are v. restrictive) I
thought I'd chime in..

I am not sure what the behaviour of a trusted
key chain is supposed to be, with web start,
though your expectation of 'no prompt' seems
logical to me.

OTOH, I am interested in why you are wanting to
do it this way. It does not make much sense for
either an individual user (they can approve it
once and be done with it) or general users
'out on the internet', the only place it makes
any sense is for a 'bunch of machines' over
which a SysAdmin or similar needs to install
a particular trusted app.

So, what is the set up you face, that this
makes sense?

Andrew T.
 
kenshiro2000

Thanks for your reply (I have noticed that the SUN forums are not very
responsive),

I will try to explain my needs to you. I have this application in an Intranet
environment. I would distribute the rootCA certificate to every client
machine, in the client store of JWS, and remove the pop-up asking to confirm
trust in the certificate (JWS) of the application deployed via JWS. Note
that the JAR application on the server has the entire chain of trust...

I hope it is clearer now :)

thanks
 
Andrew Thompson

> Thanks for your reply

Your lack of future 'top posting' will be
thanks enough.*

> ..(I have noticed that the SUN forums are not very
> responsive),

* I would not feel comfortable mentioning
the above, on the Sun forums, because some
'delicate soul' might find it offensive,
and report me. Here, they can still get
offended, do as they please, and it affects
me not one bit. ;-)

> I will try to explain my needs to you. I have this application in an Intranet
> environment.

OK - thanks for confirming.

Now I am not *sure* this will work, I
have not tried it myself, but..

Perhaps you should try doing a 'silent
import' of the application.

As I understand it, the 'import' aspect
gives you the power to install a web start
app. from the command line or script, and
with the added 'silent', it should (AFAIU)
remove those dialogs.

See the docs. for the javaws tool, for
details on using those options.

I'd be interested to hear how it goes..

Andrew T.
 
kenshiro2000

> Your lack of future 'top posting' will be
> thanks enough.*
>
> * I would not feel comfortable mentioning
> the above, on the Sun forums, because some
> 'delicate soul' might find it offensive,
> and report me. Here, they can still get
> offended, do as they please, and it affects
> me not one bit. ;-)
>
> OK - thanks for confirming.
>
> Now I am not *sure* this will work, I
> have not tried it myself, but..
>
> Perhaps you should try doing a 'silent
> import' of the application.
>
> As I understand it, the 'import' aspect
> gives you the power to install a web start
> app. from the command line or script, and
> with the added 'silent', it should (AFAIU)
> remove those dialogs.

But I wouldn't want a silent installation. JWS should trust the
application signature because this signature is made with a certificate
trusted by a rootCA certificate (and the subCA) that is in the client
JWS store. I don't understand why the pop-up appears anyway!

If JWS works like a Web Browser, the rootCA certificate in the browser
certificate store should trust the SSL connection and no pop-up appears.

So why does the pop-up appear anyway for javaws?


Sorry for TOP POSTING ;-)

thanks

ken
 
