Import Java Trusted Certificate to JRE

6

3

I need to install a certificate from a Java app for a lot of people. I want to use a one-click program or batch file to import it as a Trusted Certificate (in Control Panel->Security->Certificate). Then they won't need to press "always allow" the first time they use the application.

I have extracted the needed certificate as both a .csr and as a .cer (the .csr via Control Panel and the .cer via keytool). Now I need to get one of them back without any clicking in menus.

I don't really understand the documentation for importing a .cer with keytool and would like an example. Or is there an easier way than using keytool?

Zalastax

Posted 2011-05-10T18:15:43.787

Reputation: 136

Answers

2

A couple of examples on how to do this using "keytool"

The second link here has an example batch file:

@echo off
echo.
echo This will import an X.509 SSL certificate into the keystore for the JVM specified
echo.
echo Press Control+C to abort.
pause
SETLOCAL

rem -------------------------------------------------
rem 1) Set the path to your JVM here
rem -------------------------------------------------
set JAVA_HOME=C:\j2sdk1.4.2_05

rem -------------------------------------------------
rem 2) SET THE CERTIFICATE NAME AND ALIAS HERE
rem -------------------------------------------------
set CERT_NAME=mycert.cer
set CERT_ALIAS=mycert

rem -------------------------------------------------
rem 3) SET THE KEYTOOL PASSWORD HERE
rem -------------------------------------------------
set KEYTOOL_PASS=changeit

rem -------------------------------------------------
rem DO NOT EDIT BELOW THIS LINE
rem -------------------------------------------------
set JAVA_SECURITY=%JAVA_HOME%\jre\lib\security
rem the certificate file is expected to sit in the JRE security directory
set CERT=%JAVA_SECURITY%\%CERT_NAME%
%JAVA_HOME%\jre\bin\keytool -import -trustcacerts -keystore %JAVA_SECURITY%\cacerts -storepass %KEYTOOL_PASS% -noprompt -alias %CERT_ALIAS% -file %CERT%
ENDLOCAL
pause

Which part are you having trouble understanding? Is there a particular section that doesn't make sense? Do you need help with the batch file? Where, specifically, are you getting stuck? Perhaps I can help more specifically.

jefflunt

Posted 2011-05-10T18:15:43.787

Reputation: 277

Thanks for the Googling :( As I said I had problems understanding how to get it in. – Zalastax – 2011-05-10T18:25:00.850

I've updated my answer. – jefflunt – 2011-05-10T18:42:07.963

On the second page I think the main problem was the readability of the page. I will see if I can get it all through – Zalastax – 2011-05-10T18:57:20.317

The problem I have now is that I don't know the password. What should I enter? I didn't do anything with the certificate after I got it out from keytool. – Zalastax – 2011-05-10T19:06:50.597

I found the password out by looking in the batch file. But nothing seems to happen. After entering the right password I don't get any errors, but cmd doesn't seem to do anything either. The certificate doesn't seem to be there either. – Zalastax – 2011-05-10T19:27:56.557

It seems like that batch isn't what I was looking for. It was for some sort of developing and didn't seem to work for my JRE. – Zalastax – 2011-05-10T19:38:00.173
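The batch file in the accepted answer runs keytool blindly against a JDK-style path. The following script is an added example, not the batch file quoted above and not Oracle tooling; it adds the two checks a non-interactive rollout wants: the input must be an X.509 certificate (keytool -importcert does not accept the .csr signing request the question also exported), and the alias is listed back after the import so a silent failure is noticed. The JRE root, the cert path and the alias are constructed placeholders; "changeit" is the default cacerts password used in the batch file above.

```python
"""Check the input file, import it as a trusted certificate with keytool,
and confirm the alias landed in cacerts.

Added example, not code from the answer above. Paths and the alias are
constructed placeholders.
"""
import os
import subprocess


def classify_cert_file(data: bytes) -> str:
    """Return 'pem-cert', 'pem-csr', 'der' or 'unknown' for a file's contents.

    'der' only says the file is DER-encoded ASN.1 (a SEQUENCE, tag 0x30);
    a DER certificate and a DER request both start that way, so for DER
    input `keytool -printcert -file` is the definitive check.
    """
    head = data.lstrip()[:48]
    if head.startswith(b"-----BEGIN CERTIFICATE-----"):
        return "pem-cert"
    if head.startswith((b"-----BEGIN CERTIFICATE REQUEST-----",
                        b"-----BEGIN NEW CERTIFICATE REQUEST-----")):
        return "pem-csr"
    if data[:1] == b"\x30":
        return "der"
    return "unknown"


def require_certificate(data: bytes) -> str:
    """Raise ValueError unless the bytes look like something keytool can import."""
    kind = classify_cert_file(data)
    if kind == "pem-csr":
        raise ValueError("this is a certificate signing request (.csr), not a certificate")
    if kind == "unknown":
        raise ValueError("not a PEM or DER certificate")
    return kind


def jre_paths(java_home: str) -> tuple:
    """keytool and cacerts locations for a JRE root (not a JDK root).

    The batch file above points JAVA_HOME at a JDK and appends 'jre\\';
    a plain JRE install has no 'jre' component, so the JRE root is used.
    """
    keytool = os.path.join(java_home, "bin", "keytool")
    cacerts = os.path.join(java_home, "lib", "security", "cacerts")
    return keytool, cacerts


def keytool_import_cmd(java_home: str, cert_path: str, alias: str,
                       storepass: str = "changeit") -> list:
    """argv for a prompt-free trusted-certificate import into cacerts."""
    keytool, cacerts = jre_paths(java_home)
    return [keytool, "-importcert", "-trustcacerts", "-noprompt",
            "-keystore", cacerts, "-storepass", storepass,
            "-alias", alias, "-file", cert_path]


def keytool_list_cmd(java_home: str, alias: str,
                     storepass: str = "changeit") -> list:
    """argv that exits non-zero if the alias is not present in cacerts."""
    keytool, cacerts = jre_paths(java_home)
    return [keytool, "-list", "-keystore", cacerts,
            "-storepass", storepass, "-alias", alias]


def import_trusted_cert(java_home: str, cert_path: str, alias: str,
                        storepass: str = "changeit") -> str:
    """Validate the file, import it, and confirm the alias is present."""
    with open(cert_path, "rb") as fh:
        kind = require_certificate(fh.read())
    # Writing to cacerts needs write permission on the JRE directory
    # (an elevated shell on Windows); otherwise keytool fails here.
    subprocess.run(keytool_import_cmd(java_home, cert_path, alias, storepass),
                   check=True)
    subprocess.run(keytool_list_cmd(java_home, alias, storepass), check=True)
    return kind


if __name__ == "__main__":
    # Placeholder locations; adjust for the target machine.
    import_trusted_cert(r"C:\Program Files\Java\jre7",
                        r"C:\deploy\mycert.cer", "mycert")
```

Because `-noprompt` suppresses the "Trust this certificate?" question, the only signal of a failed import is keytool's exit status; `check=True` turns that into an exception, and the trailing `-list -alias` confirms the store actually changed.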

0

The chain of trust concept for the Java keytool and signed apps expects the user to confirm trust by taking an affirmative action. In this case the user would import the public key related to the code publisher into their keystore which requires them to have a Java keystore and password related to same. See http://java.sun.com/developer/onlineTraining/Programming/JDCBook/signed.html section stating -

6: Import Certificate as a Trusted Certificate

Ray downloads SSignedApplet.jar and CompanyCer.cer to his home directory. Ray must now create a keystore database (raystore) and import the certificate into it using the alias company. Ray uses keytool in his home directory to do this:...

This presents a considerable challenge, thus the default behavior is to run signed apps with the OK dialog you are trying to address. Remotely accessing/creating Java keystores for others is counter to the security design.

zedman9991

Posted 2011-05-10T18:15:43.787

Reputation: 186

0

We had a similar problem here trying to avoid certificate acceptance pop ups on signed applets. We found a fix, it's not pretty, but it seems to have worked so far. Every user has a trusted.certs keystore (depending on OS it's somewhere under <username>/AppData...Sun/Java/Deployment/trusted.certs) that is generated the first time they access an applet on the given machine. You can have a startup script replace this file for each user from somewhere central. To create the new trusted.certs file, we have just accepted the certs on a single machine that we want in there, and then copy that entire trusted.certs keystore over to the new machine.

Loading into the central certs keystore for the JRE did not work for us, so we went this other route. It's ugly, and if you had the password to that keystore you could also set that via batch script as above, but it is what we did.

This approach made the most sense to us since it worked on a user-by-user basis, and since it's tied to a logon, it allows for centralized administration and mass updates.

Scott Taylor

Posted 2011-05-10T18:15:43.787

Reputation: 1

0

In C:\Windows\Sun\Java\Deployment create a file called deployment.config.

The contents of this file should be:

deployment.system.config=file:///C:/Windows/Sun/Java/Deployment/deployment.properties
deployment.system.config.mandatory=false

Create another file in the same location called deployment.properties and include this line in deployment.properties:

deployment.system.security.trusted.certs=C\:\\Windows\\Sun\\Java\\Deployment\\trusted.certs

Copy the trusted.certs from a user profile with all of the necessary certs to c:\windows\sun\java\deployments also.

All certs contained in the file will now appear in the Java Control Panel under System/Trusted Certificates.

You can also do this with most other Java properties by including them in the deployment.properties file, such as:

deployment.javaws.autodownload=NEVER
deployment.javaws.autodownload.locked
deployment.security.level=MEDIUM
deployment.security.level.locked
deployment.security.mixcode=HIDE_RUN
deployment.security.mixcode.locked
deployment.insecure.jres=NEVER
deployment.insecure.jres.locked
deployment.expiration.check.enabled=false
deployment.expiration.check.enabled.locked
deployment.webjava.enabled=true
deployment.webjava.enabled.locked

The first line sets the property; the second (with .locked at the end) prevents the users from changing the property in the Java Control Panel.

You can also manage the site exception list by creating a file in the same location called exception.sites, adding the web addresses to this file (one site per line), and including this line in deployment.properties:

deployment.user.security.exception.sites=C\:\\Windows\\Sun\\Java\\Deployment\\exception.sites

This link explains most of the configurable properties:

http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/jcp/properties.html

Nick Stoll

Posted 2011-05-10T18:15:43.787

Reputation: 1
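The deployment.properties lines in the answer above depend on Java .properties escaping: a backslash in a value is written as `\\` and a colon as `\:`, which is why the path reads `C\:\\Windows\\Sun\\...`, and a bare key ending in `.locked` freezes the setting in the Java Control Panel. The following is an added example, not code from the answer or from Oracle; it generates a deployment.properties file with that escaping applied and parses one back, so a rollout script can produce the file from ordinary Windows paths instead of hand-typing the escapes. The settings and paths are constructed from the ones in the answer, and the parser only handles `=`-separated keys and the backslash escapes used here, not the full java.util.Properties grammar.

```python
"""Generate and parse Java Deployment properties files.

Added example, not code from the answer above. Handles the '\\:' and '\\\\'
escapes the answer's lines rely on and the bare 'key.locked' convention.
Sample settings below are constructed from the paths the answer uses.
"""
import re


def escape_property_value(value: str) -> str:
    """Escape '\\', ':' and '=' as java.util.Properties expects in a value.

    Backslashes must be doubled first, or the escapes added for ':' and '='
    would themselves get doubled.
    """
    return (value.replace("\\", "\\\\")
                 .replace(":", "\\:")
                 .replace("=", "\\="))


def unescape_property_value(raw: str) -> str:
    """Reverse escape_property_value (single-character escapes only)."""
    return re.sub(r"\\(.)", r"\1", raw)


def build_deployment_properties(settings: dict, locked: set) -> str:
    """Render settings as 'key=escaped-value' lines, adding 'key.locked'
    after each key listed in `locked`."""
    lines = []
    for key, value in settings.items():
        lines.append(f"{key}={escape_property_value(value)}")
        if key in locked:
            lines.append(f"{key}.locked")
    return "\n".join(lines) + "\n"


def parse_deployment_properties(text: str):
    """Parse the subset written by build_deployment_properties.

    Returns (settings, locked). Comment lines ('#' or '!') and blank lines
    are skipped; a line with no '=' that ends in '.locked' is a lock marker.
    """
    settings, locked = {}, set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        if "=" not in line and line.endswith(".locked"):
            locked.add(line[: -len(".locked")])
            continue
        key, _, raw = line.partition("=")
        settings[key.strip()] = unescape_property_value(raw.strip())
    return settings, locked


# Constructed sample mirroring the answer's system-wide deployment file.
SAMPLE_SETTINGS = {
    "deployment.system.security.trusted.certs":
        r"C:\Windows\Sun\Java\Deployment\trusted.certs",
    "deployment.user.security.exception.sites":
        r"C:\Windows\Sun\Java\Deployment\exception.sites",
    "deployment.security.level": "MEDIUM",
    "deployment.webjava.enabled": "true",
}
SAMPLE_LOCKED = {"deployment.security.level", "deployment.webjava.enabled"}


def render_sample() -> str:
    """Build the sample file and prove it round-trips through the parser."""
    text = build_deployment_properties(SAMPLE_SETTINGS, SAMPLE_LOCKED)
    parsed, locked = parse_deployment_properties(text)
    if parsed != SAMPLE_SETTINGS or locked != SAMPLE_LOCKED:
        raise RuntimeError("round-trip mismatch")
    return text


if __name__ == "__main__":
    print(render_sample())
```

A value such as `file:///C:/Windows/...` in deployment.config needs no escaping on read because only the first unescaped separator ends the key; the generator escapes the colons anyway, which Java accepts, so generated and hand-written files parse to the same values.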