1

We are at a big organization with a several applications that are developed for internal and external use. One of those application is distributed as Java Webstart application and after a lot of trial and error we now have proper signing and packaging in place.

The only problem: we use a self-signed certificate. Users see a warning about an unknown/unverified vendor and this is just not nice.

Fortunately, the IT department of the organization has one certificate that is accepted on all workstations (via a site-wide policy, I assume). If we use this accepted certificate to sign the JARs and create the Webstart archive, everything should be fine. Naturally, the IT department does not want to distribute the accepted certificate to all developers or put it on the build server, because this would be against the purpose and introduce a lot of vulnerabilities.

What would be the right way to generate a code-signing certificate signed by this accepted certificate?

My assumption, based on what I know from normal openssl procedures to generate certificates used in web servers:

  1. Generate a CSR with
  2. Send CSR to IT security
  3. IT generates a certificate from the CSR with accepted certificate. This certificate should have a short validity (1 week / 1 month / 1 quarter ?)
  4. Import into java keytool for signing
  5. Make sure keytool is only available to authorized users

Would this work? Are there any objections in terms of security or organizational obstacles?

If the above is correct, I would need some pointers especially with item 3. I found a somewhat related question: How do you sign Certificate Signing Request with your Certification Authority?.

Any help is appreciated.

Community
  • 1
  • 1
Kariem
  • 4,398
  • 3
  • 44
  • 73

1 Answers1

1

If the corporation has its own CA root cert, which yes had to be pushed to every client/relier by some means such as GPO or installing all systems (or maybe their JREs?) from a customized image, then your approach is almost correct:

  1. generate keypair and CSR
  2. send CSR to corporate CA, they send you back cert
  3. combine cert with keypair in keystore and use keystore

You can do all steps but the last with OpenSSL, but it's extra work:

1: openssl req -newkey or openssl genpkey|genrsa|etc then openssl req -new

3: openssl pkcs12 -export plus keytool -importkeystore -srcstoretype pkcs12

Since you want to end up with a Java keystore it's easier to just use Java throughout:

1: keytool -genkeypair then keytool -certreq

3: keytool -importcert

keytool is a program available on every machine that has any JRE installed; you can't effectively restrict it. It is the keystore file containing your keypair (and specifically your privatekey) that must be protected. Use a strong password; set file/dir permissions/ACL; keep a secure backup; all the usual.

On the other hand, if the corporation has a code-signing cert (and key) which is trusted because the cert was obtained from (issued by) a well-known CA like Verisign, they almost certainly cannot issue you a subordinate certificate. Only a CA cert (with its key) can issue subordinate certs, and while technically it is possible for a trusted CA to issue your corporation a CA cert, if you then issue any bad certs it reflects on them and can put them out of business (see DigiNotar) and they don't want that.

dave_thompson_085
  • 34,712
  • 6
  • 50
  • 70