Java Webstart: howto share certificate with users

Problem description

I developed an application that uses Java Webstart. It needs write access to the disk so it has to be signed, but it would only be used by a limited group of users so I don't want to pay for a trusted certificate.

What is the easiest option to let the users trust my application/self signed certificate? I don't want them to use keytool because it is not really user friendly. I thought about creating a certificate that can be imported via the Java Control Panel and first tried creating an importable certificate using the following commands:

keytool -genkeypair -keystore patrickgotthard.jks -alias patrickgotthard
keytool -exportcert -keystore patrickgotthard.jks -alias patrickgotthard -file patrickgotthard.cer

But it is not possible to import the generated .cer file. Then I found "Cannot import certificate into java control panel" and used the following command:

keytool -genkey -alias patrickgotthard -keystore patrickgotthard.p12 -storetype pkcs12

But as far as I understand, the .p12 file also contains my private key - I don't think that the private key should be shared?! Can you tell me how to create a self signed certificate that can be imported via Java Control Panel but does not contain my private key? Or do you know a better solution for my problem?

Recommended answer

In this scenario, it may be sufficient to check the SHA1 fingerprint associated with the self-signed certificate used to sign the JAR:


  • Sign the JAR with your self-signed certificate.

  • Use keytool -v -list to determine your certificate's fingerprint.

  • Communicate the certificate's fingerprint in a mutually agreed way.

  • Instruct users to add your secure site to the Exception Site List in the Security tab of the Java Control Panel; this allows the user to retain the minimum recommended security level setting, High.

  • At the security prompt, click on More Information to compare the communicated fingerprint with the one received.

This approach does not confer trust, but it reduces the risk of the user accepting an altered JAR.

Addendum: The article "Self-signed certificates for a known community" discusses how to export a self-signed certificate. Members of the community can then import the certificate as warranted.
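
The fingerprint comparison in the steps above can also be done against the downloaded JAR itself. The following is an added example, not code from the original answer; the class name `JarFingerprintCheck`, its two command-line arguments and the single-signer assumption are hypothetical choices made for illustration.

```java
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example; the class name and command-line arguments are assumptions.
public class JarFingerprintCheck {

    // Hex digest of the DER-encoded certificate, the value keytool reports as its fingerprint.
    static String fingerprint(Certificate cert, String algorithm) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02X", b));
        return hex.toString();
    }

    // Drop separators and case so "ab:cd", "AB CD" and "abcd" compare equal.
    static byte[] normalize(String fp) {
        return fp.replaceAll("[^0-9A-Fa-f]", "").toUpperCase().getBytes(StandardCharsets.US_ASCII);
    }

    // MANIFEST.MF and the signature files are not themselves signed entries.
    static boolean isSignatureFile(String name) {
        return name.matches("(?i)META-INF/(MANIFEST\\.MF|[^/]+\\.(SF|RSA|DSA|EC)|SIG-[^/]*)");
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) throw new IllegalArgumentException("usage: JarFingerprintCheck <signed.jar> <fingerprint>");
        byte[] expected = normalize(args[1]);
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(args[0], true)) { // true = verify signatures
            for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements();) {
                JarEntry entry = e.nextElement();
                if (entry.isDirectory() || isSignatureFile(entry.getName())) continue;
                // Signer certificates are only available once the entry has been read to the end;
                // an entry whose digest no longer matches raises SecurityException here.
                try (InputStream in = jar.getInputStream(entry)) { while (in.read(buf) != -1) { } }
                Certificate[] certs = entry.getCertificates();
                if (certs == null) throw new SecurityException("unsigned entry: " + entry.getName());
                // certs[0] is the signer's own certificate (single self-signed signer assumed).
                if (!MessageDigest.isEqual(normalize(fingerprint(certs[0], "SHA-1")), expected))
                    throw new SecurityException("signer fingerprint mismatch: " + entry.getName());
            }
        }
        System.out.println("every entry is signed by the certificate with the expected fingerprint");
    }
}
```

The second argument is the SHA1 fingerprint as communicated out of band, with or without the colons that keytool prints.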
