Certificate chain and Java Web Start

Discussion in 'Java' started by kenshiro2000, Mar 28, 2007.

  1. kenshiro2000

    kenshiro2000 Guest

    Hi,

    I have an application as a JAR file with other JAR libraries. All
    these files are signed with a certificate that I have generated with
    my own CA (OpenSSL).

    The trusted chain is this: rootCA.cer -> subCA1.cer -> jws.cer

    jws.cer was generated with a Certificate Signing Request through the Java
    keytool, and then my CA signed this request. After doing this, I
    put jws.cer in the same keystore as the request, but to do
    this I first needed to put rootCA.cer and subCA1.cer in the
    keystore.

    The keystore now has three certificates and the key pair of jws.cer.
    This certificate works well for signing the JAR files.

    Is it all good?

    When I call this application with Java Web Start, a pop-up always
    appears and says "Certificate is valid, etc. etc.". All is good, but
    the pop-up is shown anyway.

    I have inserted the rootCA and subCA1 certificates in the client Java
    Web Start certificate store, but the pop-up is always shown.

    Why is this?

    Is it not enough to install the CA certificate (and then the SubCA
    certificate) in the JavaWS certificate (client) store to not have the
    pop-up shown?

    Thanks
    kenshiro2000, Mar 28, 2007
    #1
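
The keystore procedure described in this post, as an added example that is not part of the original thread: `keytool -gencert` stands in for the poster's OpenSSL CA so that only JDK tools are needed, and the aliases, distinguished names, keystore file names and password are constructed. It finishes by counting the certificates carried in the signed JAR's signature block.

```shell
#!/bin/sh
# Added example: constructed names, throwaway keys, demo password.
# keytool -gencert stands in for the poster's OpenSSL CA (assumption).
set -eu
PASS=changeit
kt() { keytool "$@" -storepass "$PASS" -keypass "$PASS"; }

build_chain_and_sign() (          # $1 = empty working directory
  mkdir -p "$1"; cd "$1"
  # CA side: self-signed root, then a subordinate CA certified by the root.
  kt -genkeypair -alias root  -keystore ca.ks -keyalg RSA -dname "CN=Demo Root CA"  -ext bc:c
  kt -genkeypair -alias subca -keystore ca.ks -keyalg RSA -dname "CN=Demo Sub CA 1" -ext bc:c
  keytool -exportcert -rfc -alias root -keystore ca.ks -storepass "$PASS" -file rootCA.cer
  kt -certreq -alias subca -keystore ca.ks -file subca.csr
  kt -gencert -alias root -keystore ca.ks -infile subca.csr -ext BC=0 -rfc -outfile subCA1.cer

  # Signer side: key pair and CSR generated with keytool, as in the post.
  kt -genkeypair -alias jws -keystore signer.ks -keyalg RSA -dname "CN=Demo JWS Signer"
  kt -certreq -alias jws -keystore signer.ks -file jws.csr
  # The subordinate CA signs the request.
  kt -gencert -alias subca -keystore ca.ks -infile jws.csr \
     -ext ku:c=digitalSignature -ext eku=codeSigning -rfc -outfile jws.cer

  # CA certificates go in first so keytool can link the reply to a known root.
  kt -importcert -noprompt -alias rootca -file rootCA.cer -keystore signer.ks
  kt -importcert -noprompt -alias subca1 -file subCA1.cer -keystore signer.ks
  kt -importcert -alias jws -file jws.cer -keystore signer.ks

  echo "constructed payload" > hello.txt
  jar cf app.jar hello.txt
  jarsigner -keystore signer.ks -storepass "$PASS" -keypass "$PASS" app.jar jws
)

# Number of certificates carried in the JAR's signature block.
chain_len() { keytool -printcert -rfc -jarfile "$1" | grep -c 'BEGIN CERTIFICATE'; }

# Usage: sh chain_demo.sh /tmp/jwsdemo   (script name is hypothetical)
if [ $# -gt 0 ]; then
  build_chain_and_sign "$1"
  echo "certificates in signature: $(chain_len "$1/app.jar")"
  jarsigner -verify -keystore "$1/signer.ks" -storepass "$PASS" "$1/app.jar"
fi
```

A count of 3 means the signature carries the signer, subordinate CA and root certificates, so a verifier only needs the root as its trust anchor.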

  2. On Mar 28, 7:17 pm, "kenshiro2000" <> wrote:

    Noticed your (no reply) post on the JWS forum
    a day or so ago, and decided to pass it up as
    security is not one of my specialties.
    OTOH now that we are here where I can speak more
    freely (those Sun forums are v. restrictive) I
    thought I'd chime in..

    I am not sure what the behaviour of a trusted
    key chain is supposed to be, with web start,
    though your expectation of 'no prompt' seems
    logical to me.

    OTOH, I am interested in why you are wanting to
    do it this way. It does not make much sense for
    either an individual user (they can approve it
    once and be done with it) or general users
    'out on the internet', the only place it makes
    any sense is for a 'bunch of machines' over
    which a SysAdmin or similar needs to install
    a particular trusted app.

    So, what is the set up you face, that this
    makes sense?

    Andrew T.
    Andrew Thompson, Mar 28, 2007
    #2

  3. kenshiro2000

    kenshiro2000 Guest

    Thanks for your reply (I have noticed that the Sun forums are not very
    responsive),

    I'll try to explain my needs. I have this application in an intranet
    environment. I would distribute the rootCA certificate to every client
    machine, into the JWS client store, and get rid of the pop-up asking to
    confirm trust in the certificate (JWS) of the application deployed via JWS.
    Note that the JAR application on the server has the entire chain of trust...

    I hope it is clearer now :)

    thanks

    On 28 Mar, 13:09, "Andrew Thompson" <> wrote:
    > On Mar 28, 7:17 pm, "kenshiro2000" <> wrote:
    >
    > Noticed your (no reply) post on the JWS forum
    > a day or so ago, and decided to pass it up as
    > security is not one of my specialties.
    > OTOH now that we are here where I can speak more
    > freely (those Sun forums are v. restrictive) I
    > thought I'd chime in..
    >
    > I am not sure what the behaviour of a trusted
    > key chain is supposed to be, with web start,
    > though your expectation of 'no prompt' seems
    > logical to me.
    >
    > OTOH, I am interested in why you are wanting to
    > do it this way. It does not make much sense for
    > either an individual user (they can approve it
    > once and be done with it) or general users
    > 'out on the internet', the only place it makes
    > any sense is for a 'bunch of machines' over
    > which a SysAdmin or similar needs to install
    > a particular trusted app.
    >
    > So, what is the set up you face, that this
    > makes sense?
    >
    > Andrew T.
    kenshiro2000, Mar 28, 2007
    #3
  4. On Mar 28, 11:07 pm, "kenshiro2000" <> wrote:
    > Thanks for your reply


    Your lack of future 'top posting' will be
    thanks enough.*
    <http://www.physci.org/codes/javafaq.html#toppost>

    >..(I have noticed that the Sun forums are not very
    > responsive),


    * I would not feel comfortable mentioning
    the above, on the Sun forums, because some
    'delicate soul' might find it offensive,
    and report me. Here, they can still get
    offended, do as they please, and it affects
    me not one bit. ;-)

    > I'll try to explain my needs. I have this application in an intranet
    > environment.


    OK - thanks for confirming.

    Now I am not *sure* this will work, I
    have not tried it myself, but..

    Perhaps you should try doing a 'silent
    import' of the application.

    As I understand it, the 'import' aspect
    gives you the power to install a web start
    app. from the command line or script, and
    with the added 'silent', it should (AFAIU)
    remove those dialogs.

    See the docs. for the javaws tool, for
    details on using those options.

    I'd be interested to hear how it goes..

    Andrew T.
    Andrew Thompson, Mar 28, 2007
    #4
  5. kenshiro2000

    kenshiro2000 Guest

    On 28 Mar, 15:32, "Andrew Thompson" <> wrote:
    > On Mar 28, 11:07 pm, "kenshiro2000" <> wrote:
    >
    > > Thanks for your reply

    >
    > Your lack of future 'top posting' will be
    > thanks enough.*
    > <http://www.physci.org/codes/javafaq.html#toppost>
    >
    > >..(I have noticed that the Sun forums are not very
    > > responsive),

    >
    > * I would not feel comfortable mentioning
    > the above, on the Sun forums, because some
    > 'delicate soul' might find it offensive,
    > and report me. Here, they can still get
    > offended, do as they please, and it affects
    > me not one bit. ;-)
    >
    > > I'll try to explain my needs. I have this application in an intranet
    > > environment.

    >
    > OK - thanks for confirming.
    >
    > Now I am not *sure* this will work, I
    > have not tried it myself, but..
    >
    > Perhaps you should try doing a 'silent
    > import' of the application.
    >
    > As I understand it, the 'import' aspect
    > gives you the power to install a web start
    > app. from the command line or script, and
    > with the added 'silent', it should (AFAIU)
    > remove those dialogs.
    >


    But I wouldn't want a silent installation. JWS should trust the
    application's signature because this signature is made with a certificate
    trusted by a rootCA certificate (and the subCA) that is in the client
    JWS store. I don't understand why the pop-up appears anyway!

    If JWS works like a web browser, the rootCA certificate in the browser
    certificate store should make the SSL connection trusted, and no pop-up appears.

    So why does the pop-up appear anyway for javaws?


    Sorry for TOP POSTING ;-)

    thanks

    ken

    > See the docs. for the javaws tool, for
    > details on using those options.
    >
    > I'd be interested to hear how it goes..
    >
    > Andrew T.
    kenshiro2000, Mar 28, 2007
    #5
