This topic has 207 replies on 14 pages (most recent message: May 12, 2003 10:51 AM)
10 Steps to create a digital certificate and sign an applet
Author: irene67
Jul 27, 2000 8:17 AM
These steps describe the creation of a self-signed applet. This is useful for testing purposes. For publicly reachable applets, a "real" certificate issued by an authority like VeriSign or Thawte will be needed. (See step 10 - no user will import and trust a self-signed applet from an unknown developer.)

The applet needs to run in the plugin, as only the plugin is platform- and browser-independent. And without this independence, it makes no sense to use Java...

1. Create your code for the applet as usual. It is not necessary to set any permissions or use security managers in the code.

2. Install JDK 1.3. Path for use of the following commands: [jdk 1.3 path]\bin\ (commands are keytool, jar, jarsigner). Password for the keystore is *any* password. Only Sun knows why... perhaps ;-)

3. Generate key: keytool -genkey -keyalg rsa -alias tstkey

   Enter keystore password: *******
   What is your first and last name?
   [Unknown]: Your Name
   What is the name of your organizational unit?
   [Unknown]: YourUnit
   What is the name of your organization?
   [Unknown]: YourOrg
   What is the name of your City or Locality?
   [Unknown]: YourCity
   What is the name of your State or Province?
   [Unknown]: YS
   What is the two-letter country code for this unit?
   [Unknown]: US
   Is CN=Your Name, OU=YourUnit, O=YourOrg, L=YourCity, ST=YS, C=US correct?
   [no]: yes

   (wait...)

   Enter key password for tstkey
   (RETURN if same as keystore password):

   (press [enter])

4. Export key: keytool -export -alias tstkey -file tstcert.crt

   Enter keystore password: *******
   Certificate stored in file tstcert.crt

5. Create JAR: jar cvf tst.jar tst.class
   Add all classes used in your project by typing the classnames in the same line.

   added manifest
   adding: tst.class(in = 849) (out= 536)(deflated 36%)

6. Verify JAR: jar tvf tst.jar

   Thu Jul 27 12:58:28 GMT+02:00 2000 META-INF/
   68 Thu Jul 27 12:58:28 GMT+02:00 2000 META-INF/MANIFEST.MF
   849 Thu Jul 27 12:49:04 GMT+02:00 2000 tst.class

7. Sign JAR: jarsigner tst.jar tstkey

   Enter Passphrase for keystore: *******

8. Verify Signing: jarsigner -verify -verbose -certs tst.jar

   130 Thu Jul 27 13:04:12 GMT+02:00 2000 META-INF/MANIFEST.MF
   183 Thu Jul 27 13:04:12 GMT+02:00 2000 META-INF/TSTKEY.SF
   920 Thu Jul 27 13:04:12 GMT+02:00 2000 META-INF/TSTKEY.RSA
   Thu Jul 27 12:58:28 GMT+02:00 2000 META-INF/
   smk 849 Thu Jul 27 12:49:04 GMT+02:00 2000 tst.class

   X.509, CN=Your Name, OU=YourUnit, O=YourOrg, L=YourCity, ST=YS, C=US (tstkey)

   s = signature was verified
   m = entry is listed in manifest
   k = at least one certificate was found in keystore
   i = at least one certificate was found in identity scope

   jar verified.

9. Create HTML file for use of the applet by the Sun Plugin 1.3 (recommended to use HTML Converter Version 1.3).

10. Place a link to the .crt file (created in step 4) in the HTML file. This .crt file has to be opened by the browser and has to be set to trusted, as the root CA for testing is not known to the browser. For use with "real" certificates, this step should not be necessary.

I needed two long days to find out these steps. As the documentation at Sun and other sites is more confusing than clarifying (due to the hundreds of Java, plugin and browser versions), I post the steps here. I hope that others may reach the goal in less time ;-)

I'm working on Microsoft platforms and did not test the steps elsewhere.
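As an added example (not code from this thread), the following Java program performs the check that step 8's "s" and "m" flags summarise, written against the java.util.jar API of current JDKs (CodeSigner appeared in J2SE 5, so it will not compile on the JDK 1.3 used above): it opens the signed JAR with verification enabled, reads every entry so that the digests in MANIFEST.MF and TSTKEY.SF are actually checked, and reports any entry that is unsigned or signed by a certificate other than the one exported in step 4. It assumes the file names from the post and is run as java JarSignatureCheck tst.jar tstcert.crt.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarSignatureCheck {
    // Returns every non-META-INF entry that is unsigned or not signed by the pinned certificate.
    public static List<String> untrustedEntries(String jarPath, Certificate pinned) throws Exception {
        List<String> bad = new ArrayList<>();
        // verify=true: JarFile checks each entry's digest against MANIFEST.MF and the
        // .SF/.RSA block while the entry is read; a tampered entry throws SecurityException.
        try (JarFile jar = new JarFile(jarPath, true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // signer data is only available after the entry has been read to the end
                try (InputStream in = jar.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = e.getCodeSigners();   // null for an unsigned entry
                if (signers == null || !signedBy(signers, pinned)) bad.add(e.getName());
            }
        }
        return bad;
    }

    private static boolean signedBy(CodeSigner[] signers, Certificate pinned) {
        for (CodeSigner cs : signers) {
            // index 0 of the signer's cert path is the end-entity certificate that signed the JAR
            Certificate leaf = cs.getSignerCertPath().getCertificates().get(0);
            if (leaf.equals(pinned)) return true;   // X.509 equality compares the DER encoding
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        Certificate pinned;   // args[1] is the .crt exported in step 4 (assumed: tstcert.crt)
        try (InputStream in = new FileInputStream(args[1])) {
            pinned = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        List<String> bad = untrustedEntries(args[0], pinned);   // args[0]: the signed JAR (tst.jar)
        System.out.println(bad.isEmpty() ? "all entries signed by the pinned certificate" : "untrusted: " + bad);
    }
}
```

An entry added to the JAR after signing shows up in the "untrusted" list because it has no signer, and an entry modified after signing makes the read throw SecurityException; both are conditions "jar verified." alone would not make obvious to a reader of the step 8 output.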
Hi Irene!
Tremendous work, keep it up...
cheers
Hi Irene, I have trouble with the instruction: keytool -genkey -keyalg rsa -alias pippo
keytool asks me for the password: any password I thought, but this is what I get:

keytool error: java.io.IOException: keystore was tampered with, or password was incorrect

I am using JDK1.3
Regards
Fdepe
Hi Fdepe
Sorry, no idea. I also had an exception, but only with JDK1.2. Did you use keytool on the same machine before, with another password? Then try this. Or try the password of the actually logged-in user.
There could be a minimum length for the password, but keytool would report this exactly.
I would try it on another machine (if possible), or search the forums for this specific exception message. Or search the bug list, as there are many bugs reported concerning keytool.
Regards
Irene
Irene, your instructions were excellent and I got the self-signing to work. However, when I got an official certificate it doesn't work. The problem is that to have the whole certificate chain, you need it in PKCS#7 format. Unfortunately, none of the browsers or keytool understand that. I heard of someone converting from PKCS#7 to X.509 using openssl but that seems like a lot of trouble. Have you had luck with a certificate from a CA?
Dear Irene,
Thanks for your procedure and I can successfully get the browser prompt for Grant Permission. But the applet cannot init successfully. It shows the following error when I use appletviewer to exec my applet.
The error is as follows:

F:\****\ibc\src\xproject>appletviewer kan_xftp.html
java.lang.UnsatisfiedLinkError: initPolicyEngine
        at com.ms.security.PolicyEngine.<clinit> (PolicyEngine.java)
        at java.lang.Class.forName0(Native Method)
        at java.lang.Class.forName(Compiled Code)
        at xftp.init(xftp.java:102)
        at sun.applet.AppletPanel.run(Compiled Code)
        at java.lang.Thread.run(Thread.java:479)
java.lang.NoClassDefFoundError: com/ms/security/PolicyEngine
        at java.lang.Class.forName0(Native Method)
        at java.lang.Class.forName(Compiled Code)
        at xftp.init(xftp.java:102)
        at sun.applet.AppletPanel.run(Compiled Code)
        at java.lang.Thread.run(Thread.java:479)

Line 102 is:

     public void init() {
100:     try {
101:         // Do security in MS way
102:         if (Class.forName("com.ms.security.PolicyEngine") != null)
103:         {
104:             PolicyEngine.assertPermission(PermissionID.NETIO);
105:             PolicyEngine.assertPermission(PermissionID.FILEIO);
106:             PolicyEngine.assertPermission(PermissionID.PROPERTY);
107:             PolicyEngine.assertPermission(PermissionID.EXEC);
             }

Do you have experience of this error? I have traced it for a few days!! Thanks! ****
I am still a little confused about applet signing. All of the "n steps to sign an applet" type tutorials I have seen differ in many ways.
1) I followed the steps above but was unsure about the last one. Once you place a link to a certificate, what then? I will eventually use a proper certificate but I still don't understand how to do this step, or what its purpose is.
2) Also, once it is signed, how do I get rid of the warning banner, grant permissions, etc?
3) My applet is in 3 JARs. Do I have to sign them all?
Thanks for any help you can provide,
Tristan.
Hi Irene, thank you for your response: I have resolved my problem by removing the keytool cache... I still have some doubts on signing my applet, as I can't make it work: 1) I developed this applet which needs to run outside the sandbox on my intranet, so without signing I should grant anybody of my users surfing the Extranet permission for any applet to behave as it likes (this is not a safe way). 2) I need to sign this applet (this is the safe way), but even after signing it following your very useful explanation I can't get it working.
Perhaps I missed something concerning policies on the local machine? How do I refer to my signing? How about the pop-up menu when clicking on the link (thank you for the HTML code ;-))? I find a download window, I accept downloading, then I get another one asking me to install my crt file in the local security cache. I can later verify the installation in my browser: I figure among the secure sources... Is it right? Happy to know somebody got it: great! I was hopeless before reading this forum. I hope to get it, too.
Thank you
Regards
Hi ****
As mentioned, I do not use any browser's security. I use only the plugin. This way, there's no security-related code necessary. If self-signed, the certificate needs to be imported manually in the browser (via a normal http link to the certificate file). Then the plugin pops up the dialog for 'grant once/grant ever/deny'.
Regards
Irene
Hi Tristan
If you use a proper certificate, the last step is not necessary. It is only necessary if the certificate is self-signed, because the certificating authority is not known to your machine.
Once you've placed a link to the self-signed certificate, then click on this link. The browser will eventually ask you whether to open or save the file. Select 'open', then the system will show a dialog allowing you to import this certificate as trusted.
After it is signed and the certificate has been imported as trusted, the warning banner no longer appears and the applet runs out of the sandbox. No action to grant permissions is necessary.
> 3) My applet is in 3 JARs. Do I have to sign them all?
Don't know at all. I would say the jars containing classes which act security-related need to be signed. But I would pack all classes into one jar.
Regards
Irene
Hi Fdepe
I don't think you missed something, and you do not need to refer to the signing. After a certificate is imported as trusted, you should see it in the system's certificate store, between all the big 'real' authorities ;-)
> I find a download window, I accept downloading then I get
I selected not download, but 'open', then the certificate store was displayed and I could install it as trusted. Rest see above. Make sure your browser starts the plugin (you can verify this when you enable the Java console window). The plugin will realize that the certificate in this jar is trusted, and will pop up the dialog asking you whether to grant or not. After that, no more security-related exceptions should be possible.
Attention: for some actions (connections), the applet needs to be loaded via http, not via file (not locally).
Regards
Irene
Could you suggest a solution asap.
Thanx
vijay
Hi, I could make Netscape access my applet from the server machine. That is, when I put the files on the server and access Netscape from the server, it works fine. But when I access it from the clients, it gives me a Security Error.