In-House Certificate Authority for Self Signed Jars in JRE1.8

Hi,
I am trying to get some assistance on a Java issue that Oracle Support are struggling with. I am using Oracle E-Business Suite and there is a note 1591073.1 advising on what to do to allow E-Business Suite to interoperate with the new security model of JRE 1.8
The note effectively advises on 3 options –
Option 1 - Purchase a Code Signing Certificate from a well known Certificate Authority ( already registered in their Root Certificates Key Store cacert ) and import it into the Key Store adkeystore.dat
Option 2 - Purchase a Root Certificate from an unknown Certificate Authority, import it into the Key Store cacerts, then purchase a Code Signing Certificate from this Authority as per option 1
Option 3 - Designate yourself as an In-House Certificate Authority by creating your own Root Certificate, importing into the Key Store cacerts and then creating yourself a Code Signing Certificate as this In-House Authority and importing into the Key Store adkeystore.dat
Q1. I am trying to achieve option 3. However the Oracle note does not actually tell you how to create a Root Digital Certificate and Oracle support are struggling to answer – does anyone know how to do this ?
Q2. How then do you create a Code Signing Certificate – Oracle seem to have a command ‘adjkey’ but I am not sure if this is what should be used and if so, how this maps my Root Certificate in the Key Store cacerts (given that there are also lots of other Root Certificates in cacerts belonging to all the well known Certificate Authorities ) to the Code Signing Certificate Key Store adkeystore.dat ?
Any advice greatly appreciated,
Jim
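
Added example (not part of the original thread and not Oracle's documented procedure): a generic JDK keytool sequence for the flow Option 3 describes, creating a self-signed root, issuing a code-signing certificate from it, and placing the root in a trust store. Aliases, DNs, file names and the password are constructed placeholders; signer.ks and client-truststore.ks are stand-ins for adkeystore.dat and cacerts, and adjkey is not used here.

```shell
#!/bin/sh
# Added example: in-house root CA and code-signing certificate with JDK keytool.
# Aliases, DNs, file names and the password are constructed placeholders.
set -eu

PASS='demo-only-password'   # placeholder; protect the real CA password

build_inhouse_chain() {
    dir=$1
    mkdir -p "$dir"
    ca="$dir/ca.ks"                    # root CA private key; keep this store offline
    signer="$dir/signer.ks"            # signing keystore (stand-in for adkeystore.dat)
    trust="$dir/client-truststore.ks"  # stand-in for the client JRE's cacerts

    # 1. Self-signed root: critical CA:true, key usage limited to signing certs/CRLs
    keytool -genkeypair -alias rootca -keyalg RSA -keysize 2048 -validity 3650 \
        -dname "CN=Example In-House Root CA, O=Example Corp" \
        -ext bc:c=ca:true -ext ku:c=keyCertSign,cRLSign \
        -keystore "$ca" -storepass "$PASS" -keypass "$PASS"
    keytool -exportcert -alias rootca -rfc -file "$dir/rootca.pem" \
        -keystore "$ca" -storepass "$PASS"

    # 2. Code-signing key pair and certificate request in the signing keystore
    keytool -genkeypair -alias codesign -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=Example Code Signing, O=Example Corp" \
        -keystore "$signer" -storepass "$PASS" -keypass "$PASS"
    keytool -certreq -alias codesign -file "$dir/codesign.csr" \
        -keystore "$signer" -storepass "$PASS"

    # 3. The root issues the certificate, restricted to code signing
    keytool -gencert -alias rootca -infile "$dir/codesign.csr" \
        -outfile "$dir/codesign.pem" -rfc -validity 365 \
        -ext ku:c=digitalSignature -ext eku=codeSigning \
        -keystore "$ca" -storepass "$PASS"

    # 4. Import the root first, then the reply, so the key entry carries the
    #    full chain (signer certificate + root) instead of a lone certificate
    keytool -importcert -noprompt -alias inhouse-root -file "$dir/rootca.pem" \
        -keystore "$signer" -storepass "$PASS"
    keytool -importcert -noprompt -alias codesign -file "$dir/codesign.pem" \
        -keystore "$signer" -storepass "$PASS"

    # 5. Clients trust the root certificate only; the CA private key never
    #    leaves ca.ks
    keytool -importcert -noprompt -alias inhouse-root -file "$dir/rootca.pem" \
        -keystore "$trust" -storepass "$PASS"
}

# Print the number of certificates in the chain stored with a key entry
chain_length() {
    keytool -J-Duser.language=en -list -v -alias "$2" \
        -keystore "$1" -storepass "$PASS" |
        sed -n 's/^Certificate chain length: \([0-9]*\).*/\1/p'
}

# Succeed only if the certificate file carries the codeSigning extended key usage
has_code_signing_eku() {
    keytool -J-Duser.language=en -printcert -file "$1" | grep -q codeSigning
}

# Stand-alone use: sh inhouse-ca.sh run [directory]
if [ "${1:-}" = "run" ]; then
    out=${2:-./inhouse-ca-demo}
    build_inhouse_chain "$out"
    echo "chain length for codesign: $(chain_length "$out/signer.ks" codesign)"
    # A jar would then be signed with:
    #   jarsigner -keystore "$out/signer.ks" app.jar codesign
fi
```

A chain length of 1 after step 4 means the signer certificate was stored without its issuer, which is the usual cause of "unable to build a valid certificate chain" errors at signing time.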

Hi,
For this issue, ensure you explicitly set the store for the certificate.
Meanwhile, I would like to share the following article with you, I suggest you perform the steps to test it.
Windows 8 Mail and Exchange using a self-signed certificate
http://david.gardiner.net.au/2012/08/windows-8-mail-and-exchange-using-self.html.
It also applies to windows 8.1.
Additionally, I suggest you use other network to test it.
If the issue persists, try to switch off SSL to see if it works.
Regards,

Similar Messages

  • Problem of security warning for self signed JARs

    Hello All
    I have made a jar file and self signed it (using keytool and jarsigner). Then, having attached it in a form, I put it in 10g rel 2 Oracle A/S. When accessing it in a web browser in LINUX, a security warning shows: The application's digital signature is invalid. Do you want to continue?

    Hi Kevin
    I have exactly the same requirement as yours....
    (1. write a file into client file system, then
    2. launch an application to edit this file, then
    3. read the edited content from the file).
    Plz go thru the following. I signed my applet as follows:-
    makecert -sk exec -n "CN=Hemanth" exec.cer
    cert2spc exec.cer exec.spc
    javac ExecNP.java (ExecNP.java is the applet code. I have given the code of the applet)
    cabarc -s 6144 n exec.cab ExecNP.class
    setreg 1 true
    signcode -j javasign.dll -jp exec.ini -spc exec.spc -k exec exec.cab
    chkjava exec.cab
    Code of ExecNP.java :-
    import com.ms.security.*;
    import com.ms.security.permissions.*;
    import java.lang.Runtime.*;
    public class ExecNP extends java.applet.Applet {
        public void init() {
            try {
                // Assert the EXEC permission through the Microsoft VM policy engine
                PolicyEngine.assertPermission(PermissionID.EXEC);
                Runtime.getRuntime().exec("c:\\windows\\notepad.exe");
            } catch (Exception e) {
            }
        }
    }
    Here is the html code :-
    <applet code=ExecNP width=800 height=200> <PARAM NAME='cabbase' VALUE='exec.cab'> </applet>
    When I try to open this html file I get the following exception in the Java Console
    java.lang.UnsatisfiedLinkError: initPolicyEngine
    Please tell me what's wrong.
    Hemanth.

  • Error message generating Adobe Air output Unable to build a valid certificate chain for the signer

    error message generating Adobe Air Output: Unable to build a valid certificate chain for the signer.

    Are you talking about AIR Help produced by RoboHelp or an AIR application that you are creating?
    If the latter, please see the notice at http://forums.adobe.com/community/robohelp/airhelp
    If you are using RoboHelp, which version?
    See www.grainge.org for RoboHelp and Authoring tips
    @petergrainge

  • Code signing cert error using Digicert - Unable to build a valid certificate chain for the signer

    Steps to fix this error on code signing adobe air using .p12 cert from Digicert - Unable to build a valid certificate chain for the signer
    a. Open Firefox and browse to https://www.digicert.com/digicert-root-certificates.htm
    b. On the middle of the page, download -
    DigiCert Assured ID Code Signing CA-1
    Valid until: 10/Feb/2026
    Serial #: 07:F4:73:6F:AF:EF:40:8A:1F:66:40:F2:65:D1:0A:C1
    Thumbprint: B170A10819BEA936905D719E643399783E1F4567
    Download
    c. Install the cert in Firefox
    d. Once done, export again the code signing cert from digicert, through (click Firefox -> Preferences -> View Certificates -> Highlight the digicert code signing cert -> click Backup)
    e. Done, the newly exported file should now have the valid certificate chain and that should fix the error "Unable to build a valid certificate chain for the signer"
    Even though this is from Digicert, this should also work for other Certificate Authority providers assuming you download your provider's root cert for code signing.
    Regards,
    Reigner S. Yrastorza


  • Adobe Air Apps for OS X: Unable to build a valid certificate chain for the signer. // Code Signing on OS X 10.10 Yosemite

    Hi,
    I created several OS X Apps using Adobe Air. That worked quite well before. Now I have to update my OS X Apps - therefore I also needed to update my certificates. [ I'm using Flash CC 2014 on OS X Yosemite 10.10 ]. But whatever I do it doesn’t work anymore. I always get this message saying:
    Unable to build a valid certificate chain for the signer.
    I googled a lot and the only "guide" I found is this post (from April 2013) about code signing - http://scottgaertner.com/code_signing/
    I’m not used to dealing with this kind of stuff (CA etc.) - so it's quite confusing to me.
    Would anybody please be so kind and tell me what I have to do?
    Is there any instruction from Adobe? (I didn't find one yet) 
    A step by step instruction for absolute dummies would be great!
    Best regards and thank you in advance
    Jan

    Hi Mukesh,
    I installed the Flash CC 2014 update and added some Certificates from Apple to my Keychain. Now EVERYTHING works fine again!! :-)
    Thank you very much for the Update! :-) Good job!
    Best regards
    Jan

  • Unable to build a valid certificate chain for the signer

    Updating an AIR application after a few years and needed a new signing certificate which I purchased from Comodo.  Imported it successfully into Keychain Access and exported it as a pfx file.  When I identified this certificate to Flash Builder it went all the way through the build process and then came up with the error "Unable to build a valid certificate chain for the signer".
    I can see there was a discussion on this matter in October 2011 but this did not seem to answer my question as that guy was trying to use an Apple Dev Centre key rather than paying for one like I did.
    TIA
    David

    In Keychain Access, command-click your Class 2/3 certificate, the CA's intermediate certificate, and the CA's root certificate before hitting export.
    Short guide: Code Signing Certificates for Adobe Air in OS X

  • Error creating AIR file: Unable to build a valid certificate chain for the signer.

    Hi, My boss got a certificate from Thawte, and I'm getting this error message when building my AIR app.
    Error creating AIR file: Unable to build a valid certificate chain for the signer.
    I'm on windows XP.
    thanks,
    steve

    To manage your code signing certificate, please see
    http://www.adobe.com/devnet/air/articles/signing_air_applications_print.html
    The error you are seeing is typically caused by exporting a cert without the trust chain.   On Windows, in IE, you can manage your keystore by going to
    Internet Options > Content > Certificates
    When you export the certificate needed for signing your app, be sure to check “Include all certificates in the certificate path, if possible”.

  • Mail and SMTP server settings of ASA Certificate Authority for cisco anyconnect VPN

    Dear All,
    I have the following case:
    I am using the ASA as a certificate authority for Cisco AnyConnect VPN users; the authentication happens based on the local database of the ASA.
    I want to issue a new certificate every 72 hours for the users, and I want to send the one-time password via email to each user.
    So what should the settings of the mail and SMTP server be?
    As I understand, I should put in my SMTP server IP address, then I have to create the local users again under (Remote VPN VPN--Certificate management--Local certificate authority --Manage user Database) along with their email addresses to send the one-time password to them via their emails.
    I sent the email manually; how can I automate sending the OTP to our VPN users via their emails?
    Best regards,

    Thanks Jennifer.
    I did manage to configure LDAP attribute map to the specific group policy.
    Nevertheless, I was thinking whether I can have fixed IP address tied to individual user.
    Using legacy Cisco VPN Client, I can do it using IPSEC(IKEv1) Connection profile, where I set Pre-Shared Key and Client Address Pools. Each Client Address Pools has only 1 fix IP address.
    Example: let say my username is LLH.
    Connection Profile for me is : LLH-Connection-Profile, my profile is protected by preshared key.
    Client Address Pool for me is : LLH-pool, and the IP is 172.16.1.11
    Only me know the preshared key and only me can login with my Connection Profile.
    Using AnyConnect, I have problem. User can use any connection profile because I cannot set preshared key for AnyConnect. In that case, I cannot control who can use my Connection Profile and pretend to be me.
    Example:
    AnyConnect Connection Profile for me is : LLH-Connection-Profile, without any password
    Client Address Pool for me is : LLH-pool, IP is 172.16.1.11
    Any body can use LLH-Connection-Profile, login with another user name, let say user-abc which is a valid user in LDAP server. In that case, ASA assign 172.16.1.11 to user-abc and this user-abc can access server which only allow my IP to access.
    I hope above description can paint the scenario clearer.
    Thanks in advance for all the help and comment given.

  • How to import a Root Certificate Authority for signing

    How can I import a Root Certificate Authority in order to use it with Certificate Assistant as a CA to sign other certs?
    I have the CA cert imported in keychain along with its associated private key (from a .p12), it's got the gold icon and is recognized as a Root certificate authority, yet Certificate Assistant will not list it as an available Root CA in the "Set Default CA" action dialog, the "Add..." dialog seems only interested in a ".certAuthorityConfig" plist file.
    Do I have to generate a certAuthorityConfig for the CA? I can't seem to find a way to do that. No clues from certtool & security CLI utils even.
    Any info/leads on how to get this to work would be much appreciated.
    Regards,
    -david

    Hi Alex,
    From ACE perspective, it doesn't make differences if you are using certificates issued by your local or a "well known" CA. Moreover, if not mistaken, you have to configure authentication group whatever you are doing client or server authentication.
    http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/ssl/guide/certkeys.html#wp1043643
    Thanks,
    Olivier

  • Certificate Authority for Exchange 2013

    Dear,
    I will install exchange 2013, whether to install the Certificate Authority role also? 
    If it is necessary, to install this CA, is simply combined with ADDS server, Exchange Server or a separate server?
    Thanks

    Hi,
    As all above says, Exchange 2013 can use Self-signed Exchange certificate which is installed automatically after Exchange 2013 installation. But please note that this self-signed certificate would be not trusted for Exchange using.
    If your Exchange 2013 is not internet-facing, we can use the self-signed certificate in your internal domain environment. If you want to publish your Exchange 2013 to the internet and send/receive external mails, we need to have a valid and trusted certificate for Exchange using.
    To get trusted certificate, we can deploy an Enterprise root CA which self-signs its own CA certificate and uses Group Policy to publish that certificate to the Trusted Root Certification Authorities store of all servers and workstations in the domain. Or we can directly buy a third-party certificate for using.
    About where to install the CA, my personal suggestion is to install ADCS (Active Directory Certificate Services) on a standalone server. You can also install it with your DC. About how to install a Root Certification Authority, please refer to:
    http://technet.microsoft.com/en-us/library/cc731183.aspx
    Regards,
    Winnie Liang
    TechNet Community Support

  • Certificate error with self signed test certficiate

    When I go to my test instance via IE I get "Invalid Certificate - Certificate cannot be trusted up to a valid Certificate Authority".
    I've followed all steps I believe are necessary and there are no errors in the logs. These were my steps:
    java -cp weblogic.jar utils.CertGen maximo mycert mykey -cn mytest.local
    // convert CertGenCA cert to PEM format
    java utils.der2pem CertGenCA.der
    // on windows concatenate my test certificate and CA cert
    copy mycert.pem+CertGenCA.pem newcerts.pem
    // import it
    java -cp weblogic.jar utils.ImportPrivateKey mykeystore mypasswd mykey password newcerts.pem mykey.pem
    I have then updated the weblogic server instance to use mykeystore as the Custom Identity Keystore and Custom Trust Keystore. They import successfully and if I check what's in them I can see both the key and CA certificate.
    What am I doing wrong?
    Thanks,
    Matt

    The issue is that IE does not trust the CA that signed your SSL certificate. If you are trying to eliminate the certificate warning in IE when navigating to your site via HTTPS then you need to add your CA certificate as a trusted authority in IE so that IE can validate the chain of trust that built your self-signed cert. You can import your CA cert into the IE trusted list by simply putting the CA cert on your desktop and double clicking it. This will launch a window allowing you to install the certificate. You will need to restart IE after you have successfully installed your CA cert. Don't forget to install any intermediate certs as well (if you happened to create any)

  • What are the default permissions for "self-signed" applets?

    Hello!
    I have a self-signed applet (=signed with a self made certificate) and under most plugin-environments java asks the user if it accepts this certificate as trustworthy.
    On my linux-box I do not have any problems to write files to the local filesystem after I accepted this self-signed applet.
    However I've often read that users must grant some permissions even for signed applets, so is there a list of permissions that are denied by default?
    Are there differences between java releases starting with 1.2.2?
    Thanks in advance, lg Clemens

    Default settings are like you said, jre asks the user and everything will work.
    Unless your applet uses classes that are not signed, like with calls from javascript to your applet the plugin.jar is used and you'll get an exception when writing to files.
    When writing to files the OS might not allow the user to write to a certain file or folder.
    Don't know what type of exception will be thrown if the OS doesn't allow it but it has nothing to do with applet permissions.
    To change the default setting you can add the following line in the grant { bit of the
    java.policy
    permission java.lang.RuntimePermission "usePolicy";
    When this line is there all signatures will be ignored and an applet can only do extra
    things (like access to local files) if a policy is set up for this applet.
    To find out what's wrong at your clients site you should ask them to send a full trace
    and check that. I hope you did a .printStackTrace() on the exception in your code so
    you can see if any other classes are involved when the exception is thrown.
    To turn the full trace on (windows) you can start the java console, to be found here:
    C:\Program Files\Java\j2re1.4...\bin\jpicpl32.exe
    In the advanced tab you can fill in something for runtime parameters fill in this:
    -Djavaplugin.trace=true -Djavaplugin.trace.option=basic|net|security|ext|liveconnect
    if you cannot start the java console check here:
    C:\Documents and Settings\userName\Application Data\Sun\Java\Deployment\deployment.properties
    I think for linux this is somewhere in youruserdir/java (hidden directory)
    add or change the following line:
    javaplugin.jre.params=-Djavaplugin.trace\=true -Djavaplugin.trace.option\=basic|net|security|ext|liveconnect
    for 1.5:
    deployment.javapi.jre.1.5.0.args=-Djavaplugin.trace\=true -Djavaplugin.trace.option\=basic|net|security|ext|liveconnect
    The trace is here:
    C:\Documents and Settings\your user\Application Data\Sun\Java\Deployment\log\plugin...log
    I think for linux this is somewhere in youruserdir/java (hidden directory)

  • IOS 4.2.1 Causes "cannot verify server identity" for self-signed SSL Cert.

    We are running Exchange 2007 SP3 with a self assigned certificate. After upgrading to 4.2.1 all users receive the message "Cannot Verify Server Identity" whenever the phone pulls down email/calendar/etc. Pressing "Continue" allows mail to download, however you have to press "continue" multiple times (apparently one for each message).
    You can press "Details" and choose accept, however the problem continues. I have tried doing a hard reset, but this fixes nothing. I am sure it is a bug with 4.2.1 (4.1 worked just fine) specifically with self-signed certificates. If anyone has a fix please let me know. However, I'm sure that I should just be pleading to the Apple gods to quickly release a fix.

    Making it very irritating to log in to exchange owa. I currently have the root, Exchange server and personal certificates installed on the device and it acts like they do not exist. I basically have to keep punching the cert to use, probably close to 30 times, until the page has loaded. Once the page is loaded the certificate requests stop. Strangely in the console I keep getting:
    Thu Dec 2 09:45:21 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
    Thu Dec 2 09:45:26 unknown MobileSafari[1045] <Error>: -[UITable flashScrollIndicators]: unrecognized selector sent to instance 0x9871fc0
    Thu Dec 2 09:45:26 unknown MobileSafari[1045] <Warning>: CoreAnimation: ignoring exception: -[UITable flashScrollIndicators]: unrecognized selector sent to instance 0x9871fc0
    Thu Dec 2 09:45:28 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
    Thu Dec 2 09:45:28 unknown MobileSafari[1045] <Error>: -[UITable flashScrollIndicators]: unrecognized selector sent to instance 0x986fd20
    Thu Dec 2 09:45:28 unknown MobileSafari[1045] <Warning>: CoreAnimation: ignoring exception: -[UITable flashScrollIndicators]: unrecognized selector sent to instance 0x986fd20
    Thu Dec 2 09:45:28 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
    Thu Dec 2 09:45:30 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
    Thu Dec 2 09:45:30 unknown MobileSafari[1045] <Error>: -[UITable flashScrollIndicators]: unrecognized selector sent to instance 0x83e47f0
    Thu Dec 2 09:45:30 unknown MobileSafari[1045] <Warning>: CoreAnimation: ignoring exception: -[UITable flashScrollIndicators]: unrecognized selector sent to instance 0x83e47f0
    Thu Dec 2 09:45:30 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
    Thu Dec 2 09:45:31 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
    Thu Dec 2 09:45:31 unknown MobileSafari[1045] <Error>: -[UITable flashScrollIndicators]: unrecognized selector sent to instance 0x83a3b30
    Thu Dec 2 09:45:31 unknown MobileSafari[1045] <Warning>: CoreAnimation: ignoring exception: -[UITable flashScrollIndicators]: unrecognized selector sent to instance 0x83a3b30
    Thu Dec 2 09:45:31 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
    Thu Dec 2 09:45:32 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
    Thu Dec 2 09:45:32 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
    Thu Dec 2 09:45:35 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
    Thu Dec 2 09:45:35 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
    Thu Dec 2 09:45:35 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
    Thu Dec 2 09:45:35 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
    Thu Dec 2 09:45:36 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
    Thu Dec 2 09:45:36 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
    Thu Dec 2 09:45:37 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
    Thu Dec 2 09:45:37 unknown securityd[1168] <Error>: CFReadStream domain: 4 error: -3
    and this all started after the upgrade to 4.2.1
    Makes me wonder if perhaps it is a problem with iPCU.

  • Firefox 36 has broken the "Add Exception" button for self signed certs

    clicking on the add exception button does nothing now in version 36, I had to roll back to 35.0.1

    Hi ringnjc,
    It will depend on the type of self signed certificate. An example url will help better investigate.
    However recently, CA 1028 bit RSA certs were phased out in version 36. In order to make sure that the certificates are compatible:
    * Mozilla CA Certificate Policy Version 2.2: https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
    * https://blog.mozilla.org/security/2015/01/28/phase-2-phasing-out-certificates-with-1024-bit-rsa-keys/

  • Retrieve Certificate Info for dual-signed SHA1/SHA256

    With SHA1 being deprecated we're starting to see files with multiple digital signatures (like msvcr120.dll). I have code that uses the crypto API (CryptQueryObject, CryptGetMsgParam, CryptMsgOpenToDecode, CryptMsgUpdate, etc.) to get certificate information from the signature.
    The problem is that I don't see two signatures. It appears there's only one message with one signer. Is there an updated API I should be using? How is this modeled internally; is it multiple messages, multiple signers, or a single signature with multiple certificates?
    In Windows 8 and Server 2012 I can see both signatures in the properties and see there are two separate certificates, one using a sha1 digest and the other using a sha256. How do I acquire that information programmatically?

    Have you tried ImageEnumerateCertificates?
