In trying to work with the heightened restrictions of Java 7, I have been attempting to use a self-signed CA (Certificate Authority) and sign a jar file with its public key.
I have followed these steps:
Create key and CA using openssl
Export key in pkcs12 format
Import pkcs12 formatted key into keystore
Sign jar file
(I used openssl to create the root CA because the root CA created with keytool alone was not importable into Firefox.)
I used this code:
# generate a DES3-encrypted RSA key and a self-signed root certificate
openssl genrsa -des3 -out aaa-openssl.key 2048
openssl req -new -x509 -key aaa-openssl.key -out aaa-openssl.crt -subj '/C=US/O=AAA open ssl/CN=AAA open ssl Root' -days 365
# bundle key and certificate as PKCS#12 so keytool can import the private key
openssl pkcs12 -export -in aaa-openssl.crt -inkey aaa-openssl.key -out keystore.pkcs12
# convert to JKS; the imported entry gets the default alias "1"
keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore keystore.jks
keytool -list -v -keystore keystore.jks
# jarsigner reads ~/.keystore by default; sign with alias "1"
cp keystore.jks ~/.keystore
jarsigner -storepass <password> JavaJar.jar 1
This seems to work fine without any errors.
Then I import the root CA created with openssl into Firefox. I verify this has been done successfully in that I am able to view my certificate in Firefox Certificates > Authorities.
However, when I try to run the applet, I am still presented with the "UNKNOWN" publisher dialog, and have to accept the one-time run option (with the additional threat that in future versions of Java my applet will be blocked altogether).
In comparing the applet metadata from the prompt window with the certificate I imported, the SHA1 fingerprint and MD5 fingerprint both match.
There is a difference in the serial numbers, however, but I don't know if this is important.
I would appreciate some information regarding why I am not able to freely run my applet, and am still hanging up on the "UNKNOWN" publisher hitch.
Is it not possible to provide a publisher name when creating a self-signed CA?
Sorry, I haven't. I have only found information that leads me to believe that the day of using self-signed certs is soon passing, if it hasn't passed already. I believe that this is because the publisher is always going to be "UNKNOWN", and there is no way to change that if using self-signed:
It seems the days of allowing the user to decide for himself how he wants to use his computer are passed.
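The question above compares the fingerprints and serial numbers shown in the applet prompt with the certificate that was imported. A fingerprint is a hash over the certificate's entire DER encoding, and that encoding contains the serial number, so if the SHA1 and MD5 fingerprints match, the two are byte-for-byte the same certificate and any apparent serial number difference is only a display difference (keytool and openssl print hex, other tools may print decimal, with or without colon separators). The script below, an added example that is not code from the original question, parses a DER or PEM certificate with only the Python standard library and prints the values to compare against the prompt: subject CN, serial in both renderings, and colon-separated fingerprints in keytool's style. The sample certificate it builds is constructed for the parser (its signature field is zero-filled, so it is not a real signed certificate); `inspect_cert`, `build_sample_cert`, `to_pem` and `fingerprints_match` are names chosen here. Note that the Java plugin checks the signer chain against the JRE's own trust store, not the browser's certificate list, so this check tells you whether you are looking at the same certificate, not whether Java trusts it.

```python
"""Show a certificate the way keytool and the applet prompt present it:
fingerprints over the DER bytes, the serial in hex and decimal, and the
subject CN. Standard library only; the sample certificate is constructed
here for parsing and carries no real signature."""
import base64
import hashlib
import re
import ssl

CN_OID = bytes.fromhex("550403")  # 2.5.4.3 commonName


def der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the payload of a constructed element into its (tag, value) children."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def load_der(data):
    """Accept PEM (as written by openssl or keytool -rfc) or raw DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data


def inspect_cert(data):
    """Return subject CN, serial (hex and decimal) and SHA1/MD5 fingerprints."""
    der = load_der(data)
    _, cert, _ = der_tlv(der, 0)                # Certificate ::= SEQUENCE
    fields = der_children(der_children(cert)[0][1])  # tbsCertificate fields
    if fields[0][0] == 0xA0:                    # optional [0] EXPLICIT version
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    subject = fields[4][1]                      # serial, sigAlg, issuer, validity, subject
    cn = None
    for _, rdn_set in der_children(subject):    # Name ::= SEQUENCE OF SET OF ATV
        for _, atv in der_children(rdn_set):
            oid, value = der_children(atv)
            if oid[1] == CN_OID:
                cn = value[1].decode()

    def fp(algo):  # keytool-style upper-case, colon-separated fingerprint
        return ":".join(f"{b:02X}" for b in algo(der).digest())

    return {"subject_cn": cn, "serial_hex": format(serial, "x"),
            "serial_dec": str(serial), "sha1": fp(hashlib.sha1), "md5": fp(hashlib.md5)}


def fingerprints_match(a, b):
    """Same SHA1 over the DER means the same certificate, serial included."""
    return inspect_cert(a)["sha1"] == inspect_cert(b)["sha1"]


def to_pem(der):
    return ssl.DER_cert_to_PEM_cert(der).encode()


# --- constructed sample certificate (structure only, zero-filled signature) ---
def tlv(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def build_sample_cert(serial, cn):
    def atv(oid, text):
        return tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x0C, text.encode())))
    name = tlv(0x30, atv(bytes.fromhex("55040A"), "AAA open ssl") + atv(CN_OID, cn))
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2A864886F70D01010B")) + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"130101000000Z") + tlv(0x17, b"140101000000Z"))
    spki = tlv(0x30, alg + tlv(0x03, b"\x00" * 17))
    serial_der = tlv(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + serial_der + alg + name + validity + name + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 33))


if __name__ == "__main__":
    sample = build_sample_cert(0xC3A1B2D4E5F60718, "AAA open ssl Root")
    for k, v in inspect_cert(sample).items():
        print(f"{k:12} {v}")
```

To check a real file, replace the sample with `inspect_cert(open("aaa-openssl.crt", "rb").read())`; the PEM header is handled. If the fingerprints printed here equal those in the prompt, the serial shown there is the same number in another rendering.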