Java – Signing a Java Deployment Rule Set JAR using AD Certificate Services


I am tasked with deploying Java 7 Update 55 along with a Java Deployment Rule Set to all Active Directory Windows clients. I've managed to get a solid Java software deployment setup but I'm now struggling to deploy the Deployment Rule Set along with it so that Java can be configured properly. I'm getting hung up on signing the DeploymentRuleSet.jar file. I have an Active Directory Certificate Services server handing out certificates to all clients and I would like to use a cert issued by this CA.

Every time I go through the steps in this link and I copy my signed DeploymentRuleSet.jar file to a client and attempt to run an allowed Java applet, I'm consistently getting the error: "Can not verify self-signed Deployment Rule Set jar".

Here is the exact order in which I've performed the actions that I think should do this but don't:

  1. I created my ruleset.xml file based on the template provided here.
  2. I downloaded and installed the JDK v1.7.0.60.
  3. I copied the ruleset.xml file to the JDK's bin folder.
  4. I created the DeploymentRuleSet.jar file by issuing: jar -cvf DeploymentRuleSet.jar ruleset.xml
  5. I generated a new keystore and key: .\keytool.exe -genkey -alias mykey -keyalg RSA -keysize 2048 -keystore keystore.jks -storepass changeit
  6. I generated a CSR: keytool -certreq -alias mykey -file csr.csr -keystore keystore.jks -storepass changeit
  7. I extracted the private key from the keystore: keytool -v -importkeystore -srckeystore keystore.jks -srcalias mykey -destkeystore myp12file.p12 -deststoretype PKCS12
  8. I renamed the private key to a Windows-friendly extension: rename myp12file.p12 myp12file.pfx
  9. I confirmed my CA has an active CodeSigning template.
  10. I signed the CSR with the template: C:\Windows\system32\certreq.exe -submit -attrib "CertificateTemplate:GeneralCodeSigning" csr.csr mykey.cer myp12file.pfx
  11. I RDPed to the CA and exported the cert in its Computer personal store with the certificate template of "Root Certification Authority". I believe this is the "root CA" cert. I saved this in the JDK's bin folder as ca-cert.cer.
  12. I imported the signed key and the root CA cert into the keystore: .\keytool.exe -importcert -keystore keystore.jks -file ca-cert.cer -alias CARoot -storepass changeit
  13. I signed the JAR file: .\jarsigner.exe -keystore keystore.jks -storepass changeit DeploymentRuleSet.jar myKey
  14. I appended the signing key to the root CA cert using PowerShell: Get-Content .\mykey.cer | % { Add-Content -Value $_ -Path .\ca-cert.cer}
  15. I imported the combined certs into the keystore: keytool -importcert -keystore C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\security\cacerts -storepass changeit -alias mykey -file ca-cert.cer -noprompt
  16. I imported the root CA into the keystore: .\keytool.exe -importcert -keystore C:\users\user\AppData\LocalLow\Sun\Java\Deployment\security\cacerts -storepass changeit -alias myKey -file .\ca-cert.cer -noprompt
  17. I copied the DeploymentRuleSet.jar file to a client into the C:\Windows\Sun\Java\Deployment folder.
  18. I requested the user code signing cert from the CA on the client and installed it.
  19. I opened up the Java Control Panel and went to the Security tab. I confirmed I have the "View the active Deployment Rule Set" link.
  20. I clicked on Manage Certificates in the Java Control Panel and on the System tab. I then changed the certificate type to Signer CA but I could NOT find any cert that I created in here. Should it be in here somewhere?

This is when I went to a URL that is supposed to be allowed and received the self-signed cert problem. As you can tell, I've been over this MANY times. I would so appreciate any assistance.

Best Answer

A couple of things you'll need to do.

  • Firstly, make sure the trust-stores for the Java JVM have the certificate for the root CA in your PKI
    • both where the signed code will be executed and the box where you are doing the code-signing, which by default would be %JAVAHOME%/lib/security/cacerts
      • On Windows, this would usually be %PROGRAMFILES%\Java\jre7\lib\security\cacerts
    • Also it should be in the system trust-store for any boxes where you will execute that code
      • Windows: mmc.exe --> Certificates --> Computer Account --> Trusted Root Certification Authorities
      • RHEL: /etc/pki/tls/certs/
  • Secondly, make sure your code-signing certificate is set up to sign code
    • It should have the Extended Key Usage "Code signing" (this may be numerically represented as OID 1.3.6.1.5.5.7.3.3 being present and set to true)
    • It should have the Key Usage include Digital Signature
    • It should have the Basic constraint "CA" set to false (this might also be listed as "Subject Type=End Entity"), and "critical" set to "true"
    • It should have a CDP (CRL distribution-point) listed and that should point to a valid HTTP or LDAP URL where the CRL is available (this lets you explicitly un-trust code that is found to be inappropriate after it was signed)
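A script that checks an issued certificate for the properties the answer lists (Code Signing EKU, Digital Signature KU, critical Basic Constraints with CA=false, a CDP) and then builds its chain against the Windows trust store, as an added example that is not part of the original answer. It assumes the CA-issued leaf certificate was saved as .\mykey.cer (the file name used in the question) and uses the .NET X509 classes rather than keytool.

```powershell
# Added example (not from the original post): verify that the code-signing
# certificate carries the properties listed in the answer before using it with
# jarsigner. Assumes the CA-issued leaf cert was saved as .\mykey.cer (the
# file name used in the question); pass -Path to check a different file.
param(
    [string]$Path = ".\mykey.cer"
)

$x509 = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object -TypeName "$x509.X509Certificate2" -ArgumentList (Resolve-Path $Path).Path

$CodeSigningEku = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning, the OID quoted in the answer
$CdpExtOid      = '2.5.29.31'           # CRL Distribution Points extension
$results = [ordered]@{}

# 1. Extended Key Usage (2.5.29.37) must include Code Signing
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$results['EKU includes Code Signing'] =
    [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $CodeSigningEku }))

# 2. Key Usage (2.5.29.15) must include Digital Signature
$ku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
$results['KU includes DigitalSignature'] =
    [bool]($ku -and $ku.KeyUsages.HasFlag([System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature))

# 3. Basic Constraints (2.5.29.19): CA=false (end entity) and the extension marked critical
$bc = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
$results['BasicConstraints CA=false and critical'] =
    [bool]($bc -and -not $bc.CertificateAuthority -and $bc.Critical)

# 4. A CRL Distribution Point must be present; Format() prints the URLs so you
#    can confirm they are reachable HTTP or LDAP locations
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq $CdpExtOid }
$results['CDP extension present'] = [bool]$cdp
if ($cdp) { Write-Host "CDP: $($cdp.Format($false))" }

# 5. Build the chain against the Windows trust store with online revocation checking
#    (the JVM's own cacerts is a separate store and must hold the root CA as well)
$chain = New-Object -TypeName "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode = 'Online'
$results['Chains to a trusted root (CRL checked)'] = $chain.Build($cert)
foreach ($s in $chain.ChainStatus) { Write-Host "Chain status: $($s.Status) - $($s.StatusInformation.Trim())" }

$results.GetEnumerator() | ForEach-Object { '{0,-45} {1}' -f $_.Key, $_.Value }
```

Any False row points at the template or trust-store step that still needs fixing; a chain failure with a status of UntrustedRoot means the root CA certificate has not reached the machine's Trusted Root Certification Authorities store.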