3

I developed an application that uses Java Webstart. It needs write access to the disk so it has to be signed, but it would only be used by a limited group of users so I don't want to pay for a trusted certificate.

What is the easiest option to let the users trust my application/self signed certificate? I don't want them to use keytool because it is not really user friendly. I though about creating a certificate that can be imported via the Java Control Panel and first tried creating an importable certificate using the following commands:

keytool -genkeypair -keystore patrickgotthard.jks -alias patrickgotthard
keytool -exportcert -keystore patrickgotthard.jks -alias patrickgotthard -file patrickgotthard.cer

But it is not possible to import the generated .cer file. Then I found Cannot import certificate into java control panel and used the following command:

keytool -genkey -alias patrickgotthard -keystore patrickgotthard.p12 -storetype pkcs12

But as far as I understand, the .p12 file also contains my private key - I don't think that the private key should be shared?! Can you tell me how to create a self signed certificate that can be imported via Java Control Panel but does not contain my private key? Or do you know a better solution for my problem?

Community
  • 1
  • 1
Patrick Gotthard
  • 1,101
  • 1
  • 8
  • 10

3 Answers3

2

In this scenario, it may be sufficient to check the SHA1 fingerprint associated with the self-signed certificate used to sign the JAR:

  • Sign the JAR with your self-signed certificate.

  • Use keytool -v -list to determine your certificate's fingerprint.

  • Communicate the certificate's fingerprint in a mutually agreed way.

  • Instruct user's to add your secure site to the Exception Site List in the Security tab of the Java Control Panel; this allows the user to retain the minimum recommended security level setting, High.

  • At the security prompt, click on More Information to compare the communicated fingerprint with the one received.

This approach does not confer trust, but it reduces the risk of the user accepting an altered JAR.

Addendum: The article Self-signed certificates for a known community discusses how to export a self-signed certificate. Members of the community can then import the certificate as warranted.

trashgod
  • 203,806
  • 29
  • 246
  • 1,045
1

I was developing Java Web Start app years ago with NetBeans. It did everything for me automatically. You just have to put permissions tags in JNLP file. Also 6 month after I had problems to create a new self-signed certificate. But self signed app still works. (many years after, no modification, certs to install) Clients do not have to install any certificates. It just warns everytime when it starts that is signed with self signed cert.

Max
  • 6,286
  • 5
  • 44
  • 86
  • 1
    That worked some time ago but Oracle changed the security rules with one of the Java 7 updates. Self-signed applications that need access to the clients computer doesn't work any more (out of the box). You are able to add an exception for the domain the application would be delivered from but the user would still get a security warning when installing the application. – Patrick Gotthard May 08 '14 at 06:28
1

Another option is to have this "limited group of users" lower the security level for Java. In Windows, you go to the Control Panel->Java and then one of the tabs is for Security (sorry on my mac right now and it is not quite the same). I believe that if you push that security level lower to Medium, you can get away with the self-signed certificate.

mikemil
  • 1,213
  • 10
  • 21