Im sitting with a bit of a problem. Im busy creating a php/html website (intranet) for our support team to make life a bit easier when support linux machines.
I have a .jar app called mindterm (the free version) and want to run it as an applet in the site.
However according to their site you have to have the .jar file signed before loading it as an applet otherwise it cant open tcp connections.
So i did as much research as i could in the time i had and came up with the jarsigner.exe and keytool.exe files provided in the JDK installation.
However i do not have a clue how to go about signing this app so that i can actually use it.
Any help?
Thanks
First create a key-pair using keytool.
keytool -genkey -alias somekeyname
Then use jarsigner to sign it with the key you just created.
jarsigner /path/to/jar somekeyname
Note, you need to use the same alias (somekeyname here) as the one you create the key with.
Now, since the certificate is self-signed, the user of your applet will be prompted to approve the certificate. Once they do so, your tcp connections should work.
Since I assume you're only using the applet internally in your organization, self-signed certs should be fine. Otherwise you will have to pay for a certificate. In that case, your users will not need to accept the certificates after the first time (if they choose Always Allow").
You can sign jars using :
Install this Eclipse plugin
Eclipse Webstart Plugin.
You will just need to export as "Webstart". It will prompt you to sign the jars.
DEMO
Combined the top answer with some useful hints to get completely unattanded script:
keytool -genkey -noprompt -alias Alias -dname "CN=Hostname, OU=OrganizationalUnit, O=Organization, L=City, S=State, C=Country" -keystore path.to.keystore -storepass password -keypass password -validity 3650
jarsigner -keystore path.to.keystore -storepass password -keypass password -signedjar signed.jar unsigned.jar Alias
This is a somewhat complex area, and you essentially need to know what you are doing, and you may have to pay real money for a signing certificate.
The Sun Java Tutorial cover the topic well: http://docs.oracle.com/javase/tutorial/deployment/jar/signing.html
If the intent is to give the support people a ssh client, there might be better solutions.
Related
I am using SAP Commerce Cloud, in Public Cloud. And I am trying to insert a .cer file to make rest calls to API Gateway.
I read about importing it in java using command lines to import to keystore.
But, I don't know how to do it in the SAP Commerce Cloud
To install a certificate in a keystore. please follow the steps -
Create the keystore (if not created) using the below command
keytool -importkeystore -srckeystore /<path_to_the_pfx>/<pfx_name>.pfx -srcstoretype pkcs12 -destkeystore /<path_to_the_keystore_to_be_created>/<name_of_the_keystore>.jks -deststoretype JKS
You can control the keystore credentials as below:
a) sso.keystore.location - The path to the keystore (in this way the keystore can be repo managed)
b) sso.keystore.password - keystore password (default is changeit)
c) sso.keystore.privatekey.alias - Alias of the private key
Import the certificate using the below command
keytool -importcert -alias <alias_of_the_certificate> -file /<path_of_the_cert>/<name_of_the_cert>.cer -keystore /<path_to_the_keystore_to_be_created>/<name_of_the_keystore>.jks
To remind again, the keystore (with the installed certificate) can be repository controlled as well using the sso.keystore.location.
Alsternatively, if your question is to enable the REST calls from the Commerce cloud environment, please follow the steps mentioned here.
Hope this helps.
Using ionic app I have released my first version. So its crossed ore than 10,000 downloads and user are using my app. Now I want to release some update with my app. So I release the unsigned apk, but when I do this step :
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore HelloWorld-release-unsigned.apk alias_name
it was asking the password for my-release-key.keystore but I forgot the password. Please give me some solution.
I tried to create new
keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
But when I release the update and upload in app store, I am getting the error last update certificate is not match with this build. When I Google it, it's because of the newly generated my-release-key.keystore.
According to this SO questions accepted answer there is no way to retrieve a lost keystore password.
But in some of the more recent non-accepted answers people claim to have found solutions to retrieve lost keystore passwords. Maybe you want to check those out?
If you don't get a hold of the lost password the only thing you can do is to re-submit (unpublish current app and publish a new one with the same title and description) your app with a newly created keystore. If that is the case, be sure to store your password in a secure location :)
Sometimes you can find the password in the following temp Gradle file:
<YourProjectRoot>\platforms\Android\.gradle\<version>\taskArtifacts\taskArtifacts.bin
Open that file with a plain text editor and search for "password". You should see it there in plain text. Please note it may have some special characters around it, but you will probably recognize the characters you used for the password originally.
I hope this helps!
I'm currently creating an Android app, which is supposed to send a POST request to a server. Unfortunately, the server is using self-signed certificate. So I have to create a PKCS12 keystore, which will include the CA Certificate, and make my App use that keystore.
To create such a keystore, I'm currently using the command below:
keytool -import -trustcacerts -alias my-alias -file cacert.pem
-keystore mykeystorefile -storetype PKCS12
Unfortunately the keystore doesn't work. (Request fails on SSL handshake.)
When I inspected the keystore using this command:
keytool -list -v -keystore mykeystorefile
I noticed a strange line at the very end of this list.
#8: ObjectId: 2.5.29.18 Criticality=false
Unparseable IssuerAlternativeName extension due to
java.io.IOException: No data available in passed DER encoded value.
0000: 30 00 0.
*******************************************
*******************************************
Keytool failed to parse an extension, which is part of the CA certificate.
I tried the same for LetsEncrypt's CA certificates and it worked just fine.
I'd be glad for any pointers on how to approach and solve this problem.
Thanks.
Edit: Keytool I'm currently using is part of java-8-openjdk.
Edit2: So after inspecting the ca certificate, Issuer Alternative Name extension doesn't have any value. Wondering if there is a way how to skip that extensions?
There is no way to skip anything that's on a certificate.
If the Issuer Alternative Name is blank, whoever generated that certificate has generated it wrong. If it is a self-signed certificate, the Issuer Alternative Name and the Subject Alternative Name are the same value. If it is signed by any CA, the CA's Subject Alternative Name is put in the end user's Issuer Alternative Name.
You might need to ask them for the right CA certificate.
My Need is to accept the SSL certificate enabled on REST Webservice URL ( https:/:/dctm-rest) from standalone Java application(which will be bundled as JAR).
To my knowledge best way is to create KeyStore/TrustStore using Keytool, download the certificate from browser/openssl and add it to TrustStore.With this we are creating a dependency and someone has to keep on updating the certificate for every renewal.
Can someone guide me to get this implemented by removing the manual dependency?
You have to include the server certificate at https://dctm-rest into the whitelist of your JRE (the truststore)
Options
1) Include the server certificate in JRE trustore (jre/lib/security/cacerts) (Not recommended)
To download the server certificate, open site with browser, right-click on green lock, select 'view certificate' and download
The simplest way to explore cacerts and import trusted certificate is to use a GUI tool like portecle (http://portecle.sourceforge.net/). You can also use keytool
keytool -import -trustcacerts -keystore /opt/java/jre/lib/security/cacerts -alias mycert -noprompt -storepass changeit -file /tmp/examplecert.crt
See How to properly import a selfsigned certificate into Java keystore that is available to all Java applications by default?
2) Use your own truststore and include the server certificate (recommended)
System.setProperty ("javax.net.ssl.trustStore", path_to_your_trustore_jks_file);
System.setProperty ("javax.net.ssl.trustStorePassword", "password");
You can also create an SSLSocketFactory and add to your connection before connecting or apply to all connections using the static method
HttpsURLConnection.setDefaultSSLSocketFactory(sslFactory);
This is an example to create the socket factory
//Load JKS keystore that includes the server certificate or the root
KeyStore keyStore = ...
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(keyStore);
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, tmf.getTrustManagers(), null);
sslFactory = ctx.getSocketFactory();
3) Do not use truststore at all (Not recommended at all)
See Disable SSLHandshakeException for a single connection (I will not copy the solution)
I noticed that in the keytool documentation it reads
"jarsigner [...] checks whether or not the public key of that certificate is 'trusted', i.e., is contained in the specified keystore."
whereas the jarsigner manpage states
"A keystore is not required when verifying [...]", and that the utility will always verify against the certificate supplied with the jar.
In the way I see it that would kind of defeat the purpose, since it would only certify that the jar was not altered since it was signed but not that it was signed by some specific authority/supplier.
Is there some way to make the verification fail if the certificate used to sign the jar is not known/trusted on the runtime system?
Or do I have to use a script to call
jarsigner -verify -verbose -keystore ...
and parse the output to see whether there is an entry for the signing certificate in the local (runtime) keystore?
Confused,
Peter
jarsigner utility is quite useless for JAR signature verification, as it does not verify the signer certificate, does not check trusted timestamps on the signature and does not provide usable result (parsing console output is not a good solution).
To avoid this limitations we have chosen to write our own verify_jar utility.