3 Replies Latest reply on Oct 2, 2013 4:32 AM by user10882870

Using self-signed CA for signed jar

In trying to work with the heightened restrictions of Java 7, I have been attempting to use a self-signed CA (Certificate Authority) and sign a jar file with its public key.

I have followed these steps:

1. Create key and CA using openssl
2. Export key in pkcs12 format
3. Import pkcs12 formatted key into keystore
4. Sign jar file

(I used openssl to create the root CA because the root CA created with keytool alone was not importable into Firefox.)

I used this code:

    openssl genrsa -des3 -out aaa-openssl.key 2048
    openssl req -new -x509 -key aaa-openssl.key -out aaa-openssl.crt -subj '/C=US/O=AAA open ssl/CN=AAA open ssl Root' -days 365
    openssl pkcs12 -export -in aaa-openssl.crt -inkey aaa-openssl.key -out keystore.pkcs12
    keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore keystore.jks    # default alias "1"
    keytool -list -v -keystore keystore.jks
    cp keystore.jks ~/.keystore
    jarsigner -storepass <password> JavaJar.jar 1

This seems to work fine without any errors.

Then I import the root CA created with openssl into Firefox. I verify this has been done successfully in that I am able to view my certificate in Firefox Certificates > Authorities.

However, when I try to run the applet, I am still presented with the "UNKNOWN" publisher dialog, and have to accept the one-time run option (with the additional threat that in future versions of Java my applet will be blocked altogether).

In comparing the applet metadata from the prompt window with the certificate I imported, the SHA1 fingerprint and MD5 fingerprint both match.

There is a difference in the serial numbers, however, but I don't know if this is important.

I would appreciate some information regarding why I am not able to freely run my applet, and am still hanging up on the "UNKNOWN" publisher hitch.

Is it not possible to provide a publisher name when creating a self-signed CA?

Thank you,

Allasso Travesser
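As an added check (example code, not part of the post above), this stdlib-only Python script reads the CA certificate written by the openssl commands (PEM or DER) and reports its serial number and SHA1/MD5 fingerprints in the form the Java security dialog shows them, so the values in the dialog can be compared field by field. Because a fingerprint is a hash of the whole DER encoding, and the serial number is part of that encoding, two certificates with identical fingerprints necessarily have identical serials; a differing serial next to a matching fingerprint points to a transcription error or to comparing two different certificates. The SAMPLE_DER skeleton is constructed only for the self-test and is not a real certificate.

```python
import base64, hashlib, sys

def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def load_cert(data):
    """Accept PEM (what 'openssl req -x509' writes) or DER; return DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return base64.b64decode(b"".join(l.strip() for l in data.splitlines() if not l.startswith(b"-----")))
    return data

def cert_identity(der):
    """Return (serial, sha1_fingerprint, md5_fingerprint) for a DER X.509 certificate."""
    tag, cert_body, _ = der_tlv(der)         # Certificate ::= SEQUENCE
    tag_tbs, tbs, _ = der_tlv(cert_body)     # tbsCertificate ::= SEQUENCE
    if tag != 0x30 or tag_tbs != 0x30:
        raise ValueError("not a DER SEQUENCE; is this a certificate?")
    tag, field, nxt = der_tlv(tbs)
    if tag == 0xA0:                          # optional [0] EXPLICIT version comes first
        tag, field, nxt = der_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    serial = int.from_bytes(field, "big", signed=True)
    fp = lambda h: ":".join(f"{b:02X}" for b in h.digest())
    return serial, fp(hashlib.sha1(der)), fp(hashlib.md5(der))

def check_against_dialog(der, dialog_sha1, dialog_serial):
    """Names of the fields (sha1, serial) where Java's dialog disagrees with the certificate file."""
    serial, sha1, _ = cert_identity(der)
    diffs = ["sha1"] if sha1.replace(":", "") != dialog_sha1.replace(":", "").upper() else []
    return diffs + (["serial"] if serial != dialog_serial else [])

def _tlv(tag, body):                         # short-form DER encoder, only for the sample below
    return bytes([tag, len(body)]) + body

# Constructed skeleton (version 2, serial 0x1A2B, remaining fields empty); NOT a real certificate.
SAMPLE_DER = _tlv(0x30, _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x1a\x2b"))
                  + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))

if __name__ == "__main__":                   # usage: python cert_identity.py aaa-openssl.crt
    der = load_cert(open(sys.argv[1], "rb").read()) if len(sys.argv) > 1 else SAMPLE_DER
    serial, sha1, md5 = cert_identity(der)
    print(f"serial: {serial} (0x{serial:X})\nSHA1:   {sha1}\nMD5:    {md5}")
```

Run it against aaa-openssl.crt from the steps above to get the values to hold against the dialog; the same output for a certificate exported from the keystore (`keytool -exportcert`) shows whether the two files are really the same certificate.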