Java Deployment Rule Set via AD Enterprise CA

ad-certificate-services certificate java

My goal is to get a Java Deployment Rule Set in place in my organization, but I do not want to pay a third-party certificate authority for a code signing cert when we have a working CA running through Active Directory. I have followed what I think is the correct procedure to get this accomplished; however, when I finally go to run any Java applet I receive the following error:

Can not verify self-signed Deployment Rule Set jar

The steps I followed are:

  1. Exported our root CA certificate
  2. Imported root certificate into cacerts in JRE install path
  3. Imported root certificate into a personal keystore
  4. Generated a CSR with keytool for a new cert with personal keystore
  5. Submitted CSR to enterprise CA using certreq, with the "Code Signing" template
  6. Imported that cert into the personal keystore
  7. Created a very basic deployment rule set and compiled it into a jar
  8. Signed the jar with the cert in the personal keystore from step 6
  9. Copied the signed jar into \Windows\Sun\Java\Deployment\

The above steps all completed without error – nothing about invalid certificate chains or the like. I can see the root CA cert in the Java control panel, and when I click on the Deployment Rule Set link in the control panel and view its cert, I see the cert from step 6 and its parent CA, both of which have future expiration dates and correct information as far as I can tell. But I still receive the verification error when running any applet.

So – is it simply not possible to do this, and we have to pay for a cert? Or am I (hopefully) doing something incorrectly? If anyone has any insight it would be greatly appreciated, thanks!
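The nine steps above, carried through end to end as an added PowerShell example (written for this page, not the asker's script). Host name, CA name, template name, subject DN, aliases, passwords, the intranet URL in the rule set and the working directory are placeholders; the `changeit` store password is the JRE default for cacerts. The request is retrieved together with its chain (PKCS #7) so that keytool can build the path to the root when the reply is imported, which matters when the Code Signing template is published on a subordinate CA rather than the root.

```powershell
# Added example, not from the original post. Placeholders/assumptions: CA config string,
# template name, subject DN, aliases, passwords, intranet URL, working directory.
$ErrorActionPreference = 'Stop'

$JavaHome  = $env:JAVA_HOME                                   # a JDK: provides jar.exe and jarsigner.exe
$KeyTool   = Join-Path $JavaHome 'bin\keytool.exe'
$Jar       = Join-Path $JavaHome 'bin\jar.exe'
$JarSigner = Join-Path $JavaHome 'bin\jarsigner.exe'
# The public JRE the browser plug-in actually runs (assumption: first jre* under Program Files).
$JreHome   = (Get-ChildItem 'C:\Program Files\Java' -Directory -Filter 'jre*' | Select-Object -First 1).FullName

$Work      = 'C:\drs-build'                                   # scratch directory (placeholder)
$CaConfig  = 'ca01.corp.example\Corp Issuing CA'              # "<host>\<CA common name>" (placeholder)
$Template  = 'CodeSigning'                                    # template name, not the display name "Code Signing"
$RootSubj  = 'CN=Corp Root CA'                                # subject of the root to export (placeholder)
$Dn        = 'CN=Java Deployment Rule Set Signer, OU=IT, O=Corp'
$RootAlias = 'corp-root'
$KeyAlias  = 'drs-signer'
$Ks        = Join-Path $Work 'codesign.jks'
$KsPass    = 'Example-Store-Pass-1'                           # placeholder; protects the signing key
$Deploy    = 'C:\Windows\Sun\Java\Deployment'

New-Item -ItemType Directory -Force -Path $Work | Out-Null
Set-Location $Work

# 1. Export the root CA certificate (DER) from the machine Root store.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $RootSubj } |
    Select-Object -First 1 |
    Export-Certificate -FilePath "$Work\root.cer" | Out-Null

# 2. Trust the root in the JRE's cacerts (JRE default store password is "changeit").
& $KeyTool -importcert -trustcacerts -noprompt -alias $RootAlias -file root.cer `
    -keystore "$JreHome\lib\security\cacerts" -storepass changeit

# 3. Trust the root in the personal (signing) keystore as well.
& $KeyTool -importcert -trustcacerts -noprompt -alias $RootAlias -file root.cer `
    -keystore $Ks -storepass $KsPass

# 4. Key pair plus CSR for the signing certificate.
& $KeyTool -genkeypair -alias $KeyAlias -keyalg RSA -keysize 2048 -sigalg SHA256withRSA `
    -dname $Dn -validity 730 -keystore $Ks -storepass $KsPass -keypass $KsPass
& $KeyTool -certreq -alias $KeyAlias -file drs.csr -keystore $Ks -storepass $KsPass -keypass $KsPass

# 5. Submit to the enterprise CA. The third output file is the PKCS #7 chain; importing it
#    instead of the bare leaf lets keytool build the path through a subordinate CA.
#    If the template requires CA manager approval, certreq reports "Taken Under Submission";
#    approve the request, then: certreq -retrieve -config $CaConfig <RequestId> drs.cer drs.p7b
& certreq -submit -config $CaConfig -attrib "CertificateTemplate:$Template" drs.csr drs.cer drs.p7b

# 6. Import the CA reply into the key entry (alias must match the key pair from step 4).
& $KeyTool -importcert -trustcacerts -noprompt -alias $KeyAlias -file drs.p7b `
    -keystore $Ks -storepass $KsPass -keypass $KsPass

# 7. Minimal rule set: run applets from the intranet, block everything else.
#    The file must be named ruleset.xml at the root of DeploymentRuleSet.jar.
$ruleset = @"
<ruleset version="1.0+">
  <rule>
    <id location="https://intranet.corp.example" />
    <action permission="run" />
  </rule>
  <rule>
    <id />
    <action permission="block">
      <message>Blocked by the corporate Deployment Rule Set.</message>
    </action>
  </rule>
</ruleset>
"@
[System.IO.File]::WriteAllText("$Work\ruleset.xml", $ruleset)
& $Jar cf DeploymentRuleSet.jar ruleset.xml

# 8. Sign. Without -tsa the signature stops verifying once the certificate expires,
#    so add -tsa <timestamp URL> if your CA or a public timestamp authority offers one.
& $JarSigner -keystore $Ks -storepass $KsPass -keypass $KsPass DeploymentRuleSet.jar $KeyAlias

# 9. Deploy under the fixed name the plug-in looks for, then verify the chain it will see.
New-Item -ItemType Directory -Force -Path $Deploy | Out-Null
Copy-Item DeploymentRuleSet.jar (Join-Path $Deploy 'DeploymentRuleSet.jar') -Force
& $JarSigner -verify -verbose -certs (Join-Path $Deploy 'DeploymentRuleSet.jar')
```

Run it on a build machine with a JDK and domain credentials that are allowed to enrol for the template; the `jarsigner -verify -certs` output at the end should list the signer, the issuing CA and the root, which is the chain the plug-in must be able to close against one of its trusted stores.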

Best Answer

Fix found.

We had the exact same problem. I tried everything mentioned above and nothing worked. Chrome does not seem to be pulling from the Windows certificate manager properly, or at least not to verify the signature from our Enterprise CA. I tried adding our Root CA certificate and even our Subordinate CA certificate to all system keystores, unsuccessfully.

The issue is Chrome is only looking at the user keystores, not at the system keystores for some odd reason. After I added the RootCA certificate to the USER SIGNER CA, it worked.

Doesn't work: %JAVA_HOME%\lib\security\cacerts

Works: %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\security\trusted.cacerts

Google or JAVA should fix this issue.

Now time to script the injection for our users.
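What the last line of the answer describes, as an added per-user logon script (a PowerShell example written for this page, not the answerer's script): it imports the root CA into the current user's trusted.cacerts at the path the answer names, and checks for the alias first so it can run at every logon without error. Assumptions, all placeholders: the UNC path of the exported root certificate, the alias, the keytool location, and that the per-user Deployment keystores created by the Java plug-in use an empty store password (Windows PowerShell drops a bare `""` argument, hence the quoted form passed to keytool).

```powershell
# Added example, not from the original thread. Assumptions: the share path, the alias,
# and an empty store password on the plug-in's per-user trusted.cacerts.
param(
    [string]$CertPath  = '\\fileserver.corp.example\pki\root.cer',   # placeholder
    [string]$Alias     = 'corp-root',
    [string]$StorePass = '""'   # empty password; a bare "" would be dropped by Windows PowerShell
)

$Security = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\security'
$Store    = Join-Path $Security 'trusted.cacerts'

# Prefer the JRE named in JAVA_HOME, else the first public JRE under Program Files.
$KeyTool = if ($env:JAVA_HOME) { Join-Path $env:JAVA_HOME 'bin\keytool.exe' }
           else { (Get-ChildItem 'C:\Program Files\Java\jre*\bin\keytool.exe' | Select-Object -First 1).FullName }
if (-not ($KeyTool -and (Test-Path $KeyTool))) { Write-Error 'keytool.exe not found'; exit 1 }

# A user who has never started Java has no security\ directory yet; keytool creates
# the store file but not the directory.
New-Item -ItemType Directory -Force -Path $Security | Out-Null

# Idempotency check: exit code 0 means the alias is already in the store.
& $KeyTool -list -alias $Alias -keystore $Store -storepass $StorePass *> $null
if ($LASTEXITCODE -eq 0) {
    Write-Output "Root CA '$Alias' already trusted for $env:USERNAME"
    exit 0
}

& $KeyTool -importcert -trustcacerts -noprompt -alias $Alias -file $CertPath `
    -keystore $Store -storepass $StorePass
if ($LASTEXITCODE -ne 0) {
    Write-Error "keytool import failed with exit code $LASTEXITCODE"
    exit $LASTEXITCODE
}

# Show what the plug-in will now trust when it verifies the Deployment Rule Set signature.
& $KeyTool -list -v -alias $Alias -keystore $Store -storepass $StorePass |
    Select-String -Pattern '^(Owner|Issuer|Valid from)'
```

Deploy it as a user logon script (it writes only under the user's own profile, so it needs no elevation); because the first `keytool -list` fails when the store does not exist yet, the import branch also handles users who have never run Java.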