Java webstart says my app uses a self signed certificate, but I used a COMODO code signing certificate


Problem description

I bought a COMODO code signing certificate and used it to sign my java webstart application.

Main question: Is that COMODO code signing certificate even supported by java 8?

More info:

On all machines except my own, java blocks the application, saying it uses a self signed certificate.

I don't even understand why it works on my machine. I looked at the list of trusted certification roots in the java control panel (1.8.0_45-b15), but I cannot find the "COMODO RSA Certification Authority" there.

I do see that certificate in the Windows MMC certificate snap-in under "Trusted Root Certification Authorities". But on at least 3 other machines it does not exist.

Solution

I finally solved it - here is the story:

When I bought the certificate, I had to collect it by navigating to a website address that I received by email. There, the certificate was automatically installed into the truststore of my browser (Firefox).

I then exported it from Firefox (Options - Advanced - View Certificates - Your Certificates - Backup button).

What I didn't realize at the time was that Firefox, unlike Java and Windows, has the "COMODO RSA Certification Authority" as an inbuilt token:

What I also didn't know at the time was that the Firefox certificate export seems to only include the certificate chain up to the first trusted authority, in this case the "COMODO RSA Certification Authority".

From this COMODO support site I learned that the chain should actually go one higher, all the way up to "AddTrust External CA Root":

That sounded much more promising, because the AddTrust certificate is actually included in Oracle's java 8 cacerts truststore, which is responsible for verifying the jar during java webstart.

The next thing I did was import the *.p12 file I got from Firefox into the windows certificate manager (Start - certmgr.msc), because for some reason I thought this was the way to convert *.p12 to *.pfx (although now I know that both extensions are used for the same pkcs12 keystore format). Anyway, during the import this question popped up:

Here I made the critical mistake: I clicked yes. This caused the "COMODO RSA Certification Authority" to be installed in the Windows truststore as a "Trusted Root Certificate" (btw only visible after I restarted certmgr.msc):

My code signing certificate was installed in "Personal/Certificates". I exported it from there (Action - All tasks - Export...), and marked "Include all certificates in the certification path if possible".

Now the exact same thing happened as when I exported from Firefox. Since Windows now had "COMODO RSA Certification Authority" installed as a trusted root certificate, it only included the chain up to this one. This is what I got after the export:

And now for the genius move, which I stumbled upon by pure chance: I deleted the "COMODO RSA Certification Authority" from the Windows certification manager. Now, when I double clicked my code signing certificate, the displayed chain suddenly looked different:

I admit I got a small adrenaline rush when I saw this. I exported again (exact same settings as before).

And indeed, after I signed my application with this exported certificate, java webstart accepts it:
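
A way to check an exported *.p12 before signing with it, as an added example that is not part of the original answer: it prints the chain stored in the file and reports whether the top of that chain is, or was issued by, an entry in the JRE's cacerts truststore. The class name `CheckSigningChain`, the two command-line arguments and the stock `changeit` truststore password are assumptions; expiry and revocation are not checked.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
// Added example (not from the original post): does the chain in a PKCS#12 file end at a root in cacerts?
public class CheckSigningChain {
    static KeyStore load(String type, String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        return ks;
    }
    // Alias of the cacerts entry that is `top`, or that issued and signed it; null if none.
    static String findAnchor(KeyStore cacerts, X509Certificate top) throws Exception {
        String same = cacerts.getCertificateAlias(top);
        if (same != null) return same;
        for (String alias : Collections.list(cacerts.aliases())) {
            Certificate c = cacerts.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate ca = (X509Certificate) c;
            if (!ca.getSubjectX500Principal().equals(top.getIssuerX500Principal())) continue;
            try {
                top.verify(ca.getPublicKey());
                return alias;
            } catch (Exception e) {
                // same subject name but a different key: keep looking
            }
        }
        return null;
    }
    public static void main(String[] args) throws Exception {
        // args: <file.p12> <password>, both supplied by the caller
        KeyStore p12 = load("PKCS12", args[0], args[1].toCharArray());
        // Assumption: the JRE truststore is at its stock location with its stock password
        KeyStore cacerts = load(KeyStore.getDefaultType(),
                System.getProperty("java.home") + "/lib/security/cacerts", "changeit".toCharArray());
        for (String alias : Collections.list(p12.aliases())) {
            Certificate[] chain = p12.getCertificateChain(alias);
            if (chain == null) continue; // not a private-key entry
            System.out.println("entry: " + alias);
            for (Certificate c : chain) System.out.println("  " + ((X509Certificate) c).getSubjectX500Principal());
            String anchor = findAnchor(cacerts, (X509Certificate) chain[chain.length - 1]);
            System.out.println(anchor != null ? "chains to cacerts entry: " + anchor
                    : "NOT anchored in cacerts: chain stops short of a root this JRE trusts");
        }
    }
}
```

Run it with the same Java version the client machines use, since the contents of cacerts differ between releases.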
