Self-signed Certificates and Plugin1.3.0+

M. Gallant 01/06/2002

[Working example signed with self-signed certificate]
Companies and enterprises developing powerful Java applet code for Internet and intranet distribution need to use digital-signature technology to securely distribute the code, and to empower the applets with privileges traditionally only available to stand-alone applications. Developers eager to evaluate this technology typically use various vendors' tools. For code-signing Java code, a X509v3 code-signing certificate is required. For greatest transparency to end users running the code delivered via web pages, the code-signing certificate should be a commercial Class 3 code-signing certificate, issued by a reputable Certificate Authority (CA), such as VeriSign, Thawte etc.. However, many developers evaluate the technology by using test "self-signed" certificates which can be generated by the vendor tools (signtool.exe from Netscape and keytool.exe from Sun). At the present time, the self-signed code-signing certificates generated by signtool version 1.3 can be used to sign JAR archives, but only for deployment to Netscape's own JVM with the Netscape web browser. JAR archives signed with signtool-generated certificates are not compatible with the security manager/JAR authenticator associated with JavaPlugin1.3.0+.

However, the J2SE1.3.0+ security tools can be used to generate RSA key pairs for code-signing purposes which can be used as-is as self-signed certificates for signing JAR archives targetting JavaPlugin-enabled browsers. These certificates eventually should be sent as pkcs#10 certificate requests to a commercial CA to create a properly "authenticated" CA-issued cert. The procedure is described under keytool documentation. However, for evaluation purposes, the certificate can be used as a self-signed certificate, provided the procedure appended below is followed. The details below are captured command-line responses to the various steps employed, on Win2000 Pro:

Properly RSA-signed Java code will present an "all or nothing" security choice to end users, provided that Plugin1.2.2+ is specified in the html code and provided that the following permission entry is not present in the end users local Java2 policy file:
    permission java.lang.RuntimePermission "usePolicy";

For information below, and on Win2000, NT4 and Win95, the files: "cacerts", "java.policy" and "java.security" are in the directory: C:\Program Files\JavaSoft\JRE\1.3.0+_02\lib\security For Win2000, the files: ".java.policy" and ".keystore" are in the directory: C:\Documents and Settings\userid ------------- Generate RSA key pair in default .keystore file with J2SE1.3.0_02 tools --------------------- C:\Documents and Settings\mgallant\desktop>c:\jdk1.3.0_02\bin\keytool -genkey -keyalg rsa -alias migkey Enter keystore password: XXXXXX What is your first and last name? [Unknown]: Michel Gallant What is the name of your organizational unit? [Unknown]: Home What is the name of your organization? [Unknown]: JavaDevelopment What is the name of your City or Locality? [Unknown]: Ottawa What is the name of your State or Province? [Unknown]: ON What is the two-letter country code for this unit? [Unknown]: CA Is <CN=Michel Gallant, OU=Home, O=JavaDevelopment, L=Ottawa, ST=ON, C=CA> correc t? [no]: y Enter key password for <migkey> (RETURN if same as keystore password): ------------- Export public self-signed certificate ----------------- C:\Documents and Settings\mgallant\desktop>c:\jdk1.3.0_02\bin\keytool -export -alias migkey -file migsuncert.crt Enter keystore password: xxxxxx Certificate stored in file <migsuncert.crt> ------------- Create JAR archive with jar.exe --------------- C:\Documents and Settings\mgallant\desktop>c:\jdk1.3.0_02\bin\jar cvf j22classpath.jar j22classpath.class added manifest adding: j22classpath.class(in = 1363) (out= 785)(deflated 42%) ------------- Sign JAR archive with self-signed certificate ----- C:\Documents and Settings\mgallant\desktop>c:\jdk1.3.0_02\bin\jarsigner j22classpath.jar migkey Enter Passphrase for keystore: xxxxxxxxxxx ------------- Verify signature ---------- C:\Documents and Settings\mgallant\desktop>c:\jdk1.3.0_02\bin\jarsigner -verify -verbose -certs j22classpath.jar 142 Sun Mar 25 18:13:14 PST 2001 META-INF/MANIFEST.MF 195 Sun Mar 25 18:13:14 PST 2001 META-INF/MIGKEY.SF 941 Sun Mar 25 18:13:14 PST 2001 META-INF/MIGKEY.RSA 0 Sun Mar 25 18:08:48 PST 2001 META-INF/ smk 1363 Sun Mar 25 16:36:48 PST 2001 j22classpath.class X.509, CN=Michel Gallant, OU=Home, O=JavaDevelopment, L=Ottawa, ST=ON, C=C A (migkey) s = signature was verified m = entry is listed in manifest k = at least one certificate was found in keystore i = at least one certificate was found in identity scope jar verified. ------------- Import self-signed certificate to Sun cacerts database file ------------ C:\Documents and Settings\mgallant\desktop>c:\jdk1.3.0_02\bin\keytool -import -alias suntestcert -keystore cacerts -file migsuncert.crt Enter keystore password: xxxxxxxxxxxx Owner: CN=Michel Gallant, OU=Home, O=JavaDevelopment, L=Ottawa, ST=ON, C=CA Issuer: CN=Michel Gallant, OU=Home, O=JavaDevelopment, L=Ottawa, ST=ON, C=CA Serial number: 3abea2e6 Valid from: Sun Mar 25 18:01:10 PST 2001 until: Sat Jun 23 19:01:10 PDT 2001 Certificate fingerprints: MD5: CF:B8:25:CF:7E:64:6C:43:04:86:D9:18:A0:7A:D9:8D SHA1: B7:5B:CE:2F:3C:EC:63:33:18:C8:F4:6B:B1:06:8F:CD:9E:F9:1E:25 Trust this certificate? [no]: y Certificate was added to keystore (Place cacerts and public certificate file in current directory, run keytool and place cacerts file back in original directory; always back up cacerts file before making changes. For Plugin1.3.0 and lower, import this cacerts file into MS cryptoAPI CA certs database using IE security panels, or Authenticode5 tool "certmgr.exe") ------------- Verify that cert has been added to cacerts file -------------- C:\Documents and Settings\mgallant\desktop>c:\jdk1.3.0_02\bin\keytool -list -v -keystore cacerts Enter keystore password: xxxxxxx Keystore type: jks Keystore provider: SUN Your keystore contains 13 entries: Alias name: suntestcert Creation date: Sun Mar 25 18:56:38 PST 2001 Entry type: trustedCertEntry Owner: CN=Michel Gallant, OU=Home, O=JavaDevelopment, L=Ottawa, ST=ON, C=CA Issuer: CN=Michel Gallant, OU=Home, O=JavaDevelopment, L=Ottawa, ST=ON, C=CA Serial number: 3abea2e6 Valid from: Sun Mar 25 18:01:10 PST 2001 until: Sat Jun 23 19:01:10 PDT 2001 Certificate fingerprints: MD5: CF:B8:25:CF:7E:64:6C:43:04:86:D9:18:A0:7A:D9:8D SHA1: B7:5B:CE:2F:3C:EC:63:33:18:C8:F4:6B:B1:06:8F:CD:9E:F9:1E:25 ******************************************* ******************************************* etc .....