Java webstart says my app uses a self signed certificate, but I used a COMODO code signing certificate


Problem description

I bought a COMODO code signing certificate and used it to sign my java webstart application.

Main question: Is that COMODO code signing certificate even supported by java 8?

More info:

On all machines except my own, java blocks the application, saying it uses a self signed certificate.

I don't even understand why it works on my machine. I looked at the list of trusted certification roots in the java control panel (1.8.0_45-b15), but I cannot find the "COMODO RSA Certification Authority" there.

I do see that certificate in the Windows MMC certificate snap-in under "Trusted Root Certification Authorities". But on at least 3 other machines it does not exist.

Solution

I finally solved it - here is the story:

When I bought the certificate, I had to collect it by navigating to a website address that I received by email. There, the certificate was automatically installed into the truststore of my browser (Firefox).

I then exported it from Firefox (Options - Advanced - View Certificates - Your Certificates - Backup button).

What I didn't realize at the time was that Firefox, unlike Java and Windows, has the "COMODO RSA Certification Authority" as an inbuilt token:

What I also didn't know at the time was that the Firefox certificate export seems to only include the certificate chain up to the first trusted authority, in this case the "COMODO RSA Certification Authority".

From this COMODO support site I learned that the chain should actually go one higher, all the way up to "AddTrust External CA Root":

That sounded much more promising, because the AddTrust certificate is actually included in Oracle's java 8 cacerts truststore, which is responsible for verifying the jar during java webstart.

The next thing I did was import the *.p12 file I got from Firefox into the windows certificate manager (Start - certmgr.msc), because for some reason I thought this was the way to convert *.p12 to *.pfx (although now I know that both extensions are used for the same pkcs12 keystore format). Anyway, during the import this question popped up:

Here I made the critical mistake: I clicked yes. This caused the "COMODO RSA Certification Authority" to be installed in the Windows truststore as a "Trusted Root Certificate" (btw only visible after I restarted certmgr.msc):

My code signing certificate was installed in "Personal/Certificates". I exported it from there (Action - All tasks - Export...), and marked "Include all certificates in the certification path if possible".

Now the exact same thing happened as when I exported from Firefox. Since Windows now had "COMODO RSA Certification Authority" installed as a trusted root certificate, it only included the chain up to this one. This is what I got after the export:

And now for the genius move, which I stumbled upon by pure chance: I deleted the "COMODO RSA Certification Authority" from the Windows certification manager. Now, when I double clicked my code signing certificate, the displayed chain suddenly looked different:

I admit I got a small adrenaline rush when I saw this. I exported again (exact same settings as before).

And indeed, after I signed my application with this exported certificate, java webstart accepts it:
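
A check for the condition described in the answer, as an added example that is not part of the original post: it reads the text printed by `keytool -list -v -keystore FILE -storetype PKCS12` and reports whether the chain stored in the keystore ends at a root the verifier has. The function name, the sample chains and the publisher and intermediate names are constructed, and trust anchors are matched by CN only.

```shell
# Added example: classify the chain printed by
#   keytool -list -v -keystore FILE -storetype PKCS12
# Assumes one PrivateKeyEntry and that each DN starts with CN=.
# Trust anchor the page says is in Java 8's cacerts; matched by CN only.
TRUSTED_CNS='AddTrust External CA Root'

# Reads keytool text on stdin and prints one verdict word.
classify_chain() {
  text=$(cat)
  # The last Owner:/Issuer: pair is the top certificate of the chain.
  top_owner=$(printf '%s\n' "$text" | sed -n 's/^Owner: CN=\([^,]*\).*/\1/p' | tail -n 1)
  top_issuer=$(printf '%s\n' "$text" | sed -n 's/^Issuer: CN=\([^,]*\).*/\1/p' | tail -n 1)
  if [ -z "$top_issuer" ]; then
    echo NO_CHAIN                    # no certificate entries in the input
  elif printf '%s\n' "$TRUSTED_CNS" | grep -Fxq -- "$top_issuer"; then
    echo OK                          # top certificate chains to a known anchor
  elif [ "$top_owner" = "$top_issuer" ]; then
    echo UNTRUSTED_SELF_SIGNED_TOP   # ends at a root the verifier does not have
  else
    echo INCOMPLETE                  # issuer of the top certificate is missing
  fi
}

# Constructed samples, reduced to the lines the function reads.
SHORT_CHAIN='Certificate chain length: 3
Certificate[1]:
Owner: CN=Example Publisher
Issuer: CN=Example Code Signing CA
Certificate[2]:
Owner: CN=Example Code Signing CA
Issuer: CN=COMODO RSA Certification Authority
Certificate[3]:
Owner: CN=COMODO RSA Certification Authority
Issuer: CN=COMODO RSA Certification Authority'

# Chain that continues up to AddTrust External CA Root.
FULL_CHAIN='Certificate chain length: 3
Certificate[1]:
Owner: CN=Example Publisher
Issuer: CN=Example Code Signing CA
Certificate[2]:
Owner: CN=Example Code Signing CA
Issuer: CN=COMODO RSA Certification Authority
Certificate[3]:
Owner: CN=COMODO RSA Certification Authority
Issuer: CN=AddTrust External CA Root'

printf '%s\n' "$SHORT_CHAIN" | classify_chain
printf '%s\n' "$FULL_CHAIN" | classify_chain
```

To run it against a real keystore, pipe the keytool output into `classify_chain` before signing; `jarsigner -verify -verbose -certs` shows the chain that ended up in the signed jar.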
