I am tasked with deploying Java 7 Update 55 along with a Java Deployment Rule Set to all Active Directory Windows clients. I've managed to get a solid Java software deployment setup but I'm now struggling to deploy the Deployment Rule Set along with it so that Java can be configured properly. I'm getting hung up on signing the DeploymentRuleSet.jar file. I have an Active Directory Certificate Services server handing out certificates to all clients and I would like to use a cert issued by this CA.
Every time I go through the steps in this link and I copy my signed DeploymentRuleSet.jar file to a client and attempt to run an allowed Java applet, I'm consistently getting the error: "Can not verify self-signed Deployment Rule Set jar".
Here is the exact order in which I've performed the actions that I think should do this but don't:
- I created my ruleset.xml file based on the template provided here.
- I downloaded and installed the JDK v1.7.0.60.
- I copied the ruleset.xml file to the JDK's bin folder.
- I created the DeploymentRuleSet.jar file by issuing:
jar -cvf DeploymentRuleSet.jar ruleset.xml
- I generated a new keystore and key:
.\keytool.exe -genkey -alias mykey -keyalg RSA -keysize 2048 -keystore keystore.jks -storepass changeit
- I generated a CSR:
keytool -certreq -alias mykey -file csr.csr -keystore keystore.jks -storepass changeit
- I extracted the private key from the keystore:
keytool -v -importkeystore -srckeystore keystore.jks -srcalias mykey -destkeystore myp12file.p12 -deststoretype PKCS12
- I renamed the private key to a Windows-friendly extension:
rename myp12file.p12 myp12file.pfx
- I confirmed my CA has an active CodeSigning template.
- I signed the CSR with the template:
C:\Windows\system32\certreq.exe -submit -attrib "CertificateTemplate:GeneralCodeSigning" csr.csr mykey.cer myp12file.pfx
- I RDPed to the CA and exported out the cert in its Computer personal store with the certificate template of "Root Certification Authority". I believe this is the "root CA" cert. I saved this in the JDK's bin folder as ca-cert.cer.
- I imported the signed key and the root CA cert into the keystore:
.\keytool.exe -importcert -keystore keystore.jks -file ca-cert.cer -alias CARoot -storepass changeit
- I signed the JAR file:
.\jarsigner.exe -keystore keystore.jks -storepass changeit DeploymentRuleSet.jar myKey
- I appended the signing key to the root CA cert using PowerShell:
Get-Content .\mykey.cer | % { Add-Content -Value $_ -Path .\ca-cert.cer}
- I imported the combined certs into the keystore:
keytool -importcert -keystore C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\security\cacerts -storepass changeit -alias mykey -file ca-cert.cer -noprompt
- I imported the root CA into the keystore:
.\keytool.exe -importcert -keystore C:\users\user\AppData\LocalLow\Sun\Java\Deployment\security\cacerts -storepass changeit -alias myKey -file .\ca-cert.cer -noprompt
- I copied the DeploymentRuleSet.jar file to a client into the C:\Windows\Sun\Java\Deployment folder.
- I requested the user code signing cert from the CA on the client and installed it.
- I opened up the Java Control Panel and went to the Security tab. I confirmed I have the "View the active Deployment Rule Set" link.
- I clicked on Manage Certificates in the Java Control Panel and on the System tab. I then changed the certificate type to Signer CA but I could NOT find any cert that I created in here. Should it be in here somewhere?
This is when I went to a URL that is supposed to be allowed and received the self-signed cert problem. As you can tell, I've been over this MANY times. I would so appreciate any assistance.
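The check a practitioner would want before copying the JAR to clients, as an added example that is not part of the question or the answer: a key entry created with `keytool -genkey` carries only its own self-signed certificate (chain length 1) until the CA-issued reply is imported under the same alias, and a JAR signed from such an entry is exactly what Java reports as a self-signed Deployment Rule Set. The script assumes a JDK's keytool and jarsigner on PATH and reuses the post's file names (keystore.jks, mykey, changeit, ca-cert.cer, mykey.cer); the alias caroot is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Inspect the key entry used to
# sign DeploymentRuleSet.jar, import the CA chain if it is missing, and verify
# the signed JAR against a Java deployment trust store.

# Print the "Certificate chain length" from `keytool -list -v` output on stdin.
chain_length() {
    sed -n 's/^Certificate chain length: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Classify that output: "self-signed" when the entry holds only the
# certificate that -genkey created (length 1), "chained" when a CA reply has
# been imported (length 2 or more), "unknown" when no key entry was printed.
classify_chain() {
    local n
    n=$(chain_length)
    if [ -z "$n" ]; then echo unknown
    elif [ "$n" -le 1 ]; then echo self-signed
    else echo chained
    fi
}

# Run the classification against a real keystore (needs keytool on PATH).
check_keystore() {  # $1 keystore, $2 key alias, $3 store password
    keytool -list -v -keystore "$1" -alias "$2" -storepass "$3" | classify_chain
}

# Import the CA root under its own alias (assumed: caroot), then the CA-issued
# reply under the KEY alias, so the key entry's chain becomes cert + root.
install_chain() {  # $1 keystore, $2 key alias, $3 store password
    keytool -importcert -trustcacerts -noprompt -keystore "$1" -storepass "$3" \
        -alias caroot -file ca-cert.cer
    keytool -importcert -keystore "$1" -storepass "$3" -alias "$2" -file mykey.cer
}

# Verify the JAR strictly, trusting only the given cacerts; non-zero on failure.
verify_jar() {  # $1 jar, $2 cacerts path
    jarsigner -verify -verbose -certs -strict -keystore "$2" "$1"
}

# Stand-alone use: report the state of the post's key entry when present.
if command -v keytool >/dev/null 2>&1 && [ -f keystore.jks ]; then
    check_keystore keystore.jks mykey changeit
fi
```

Re-sign the JAR after install_chain reports a chain, since a signature made earlier still embeds the self-signed certificate.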
Best Answer
A couple of things you'll need to do.