
certificate expired while launching Java webstart application

Hi,

We are using Java Web Start for one of the requirements (downloading files) in the application, which was developed by 3rd-party vendors earlier. Now when we access the application we are getting "certificate is expired".

I think all jars must be signed to launch a JNLP application. Please confirm.

I have tried to remove the files (*.SF, *.RSA) in MANIFEST-MF, but when we access the application we get 'unsigned resource access to http-mime-4.2.2.5.jar'.
I think we can't launch a JNLP Web Start application without signed jars. Please confirm.

https://kbdeveloper.qoppa.com/removing-a-signature-from-a-signed-jar-file/

 Followed the steps below to remove a signature from a jar file
******************************************************************
Open the jar using WinRar or Winzip (jars are actually zip files)
Go into the META-INF directory
Delete all files (*.SF, *.RSA) but keep MANIFEST-MF.



Executed the jarsigner command on each jar that is used; all of them expired last year (10th Oct '17), and as you see all jars are signed with a certificate.

I have a few clarifications.

1) What certificates does DigiCert give after taking renewal from them?
2) How to sign all the jars again? Please provide the command.

jarsigner -verify -certs -verbose download-manager.jar

s       9619 Mon Nov 10 15:55:56 EST 2014 META-INF/MANIFEST.MF

      X.509, CN="XXXXXXXX.", O="XXXXXXXX.", L=DDDDD, S
T=Calif, C=US
      [certificate expired on 10/10/17 8:00 AM]
      X.509, CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O
=DigiCert Inc, C=US
      [certificate is valid from 10/22/13 8:00 AM to 10/22/28 8:00 AM]
      X.509, CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc
, C=US
      [certificate is valid from 11/9/06 7:00 PM to 11/9/31 7:00 PM]

        9376 Mon Nov 10 15:55:56 EST 2014 META-INF/SERVER.SF
        4108 Mon Nov 10 15:55:56 EST 2014 META-INF/SERVER.RSA
           0 Mon Nov 10 15:55:22 EST 2014 META-INF/
           0 Mon Nov 10 15:55:24 EST 2014 META-INF/maven/
           0 Mon Nov 10 15:55:24 EST 2014 META-INF/maven/com.xxxxxx.cms.xx/
           0 Mon Nov 10 15:55:24 EST 2014 META-INF/maven/com.xxxxxx.cms.xx/download-manager/
           0 Mon Nov 10 15:55:22 EST 2014 jnlp/
           0 Mon Nov 10 15:55:22 EST 2014 com/
           0 Mon Nov 10 15:55:22 EST 2014 com/xxxxxx/
           0 Mon Nov 10 15:55:22 EST 2014 com/xxxxxx/cms/
sm      7439 Mon Nov 10 15:55:24 EST 2014 META-INF/maven/com.xxxxxx.cms.xx/download-manager/pom.xml

      X.509, CN="XXXXXXXX.", O="XXXXXXXX.", L=DDDDD, S
T=Calif, C=US
      [certificate expired on 10/10/17 8:00 AM]
      X.509, CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O
=DigiCert Inc, C=US
      [certificate is valid from 10/22/13 8:00 AM to 10/22/28 8:00 AM]
      X.509, CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc
, C=US
      [certificate is valid from 11/9/06 7:00 PM to 11/9/31 7:00 PM]

sm       134 Mon Nov 10 15:55:24 EST 2014 META-INF/maven/com.xxxxxx.cms.xx/download-manager/pom.properties

      X.509, CN="XXXXXXXX.", O="XXXXXXXX.", L=DDDDD, S
T=Calif, C=US
      [certificate expired on 10/10/17 8:00 AM]
      X.509, CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O
=DigiCert Inc, C=US
      [certificate is valid from 10/22/13 8:00 AM to 10/22/28 8:00 AM]
      X.509, CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc
, C=US
      [certificate is valid from 11/9/06 7:00 PM to 11/9/31 7:00 PM]

sm       557 Mon Nov 10 15:55:22 EST 2014 org/xxx/FileUtilities.class

      X.509, CN="XXXXXXXX.", O="XXXXXXXX.", L=DDDDD, S
T=Calif, C=US
      [certificate expired on 10/10/17 8:00 AM]
      X.509, CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O
=DigiCert Inc, C=US
      [certificate is valid from 10/22/13 8:00 AM to 10/22/28 8:00 AM]
      X.509, CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc
, C=US
      [certificate is valid from 11/9/06 7:00 PM to 11/9/31 7:00 PM]

sm       623 Mon Nov 10 15:55:22 EST 2014 org/xxx/ExceptionUtilities.class

      X.509, CN="XXXXXXXX.", O="XXXXXXXX.", L=DDDDD, S
T=Calif, C=US
      [certificate expired on 10/10/17 8:00 AM]
      X.509, CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O
=DigiCert Inc, C=US
      [certificate is valid from 10/22/13 8:00 AM to 10/22/28 8:00 AM]
      X.509, CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc
, C=US
      [certificate is valid from 11/9/06 7:00 PM to 11/9/31 7:00 PM]


jar verified.

Warning:
This jar contains entries whose signer certificate has expired.
This jar contains signatures that does not include a timestamp. Without a timest
amp, users may not be able to validate this jar after the signer certificate's e
xpiration date (2017-10-10) or after any future revocation date.

Asked by: chaituu chaitu
 
CEHJ Commented:
"I think we can't launch JNLP Webstart application without signed jars. Please confirm."
Yes, that's correct in general.
 
chaituu chaitu (Author) Commented:
May I know the reason why we should sign the jars for a JNLP application? One more thing: where can we find the keystore/certificate file which was used for signing these jars? We got these details only when we used the jarsigner command.
 
CEHJ Commented:
Quite simply because there have been too many security problems with Java, so restrictions have been tightened.
You probably need to re-sign them with a proper cert. I don't know your deployment details so can't say any more.
 
chaituu chaitu (Author) Commented:
I have a few clarifications.

1) What certificates does DigiCert give after taking renewal from them?
2) How to sign all the jars again? Please provide the command.
 
David Johnson, CD, MVP (Owner) Commented:
"1) What certificates does DigiCert give after taking renewal from them?" The exact same certificate that you had before, except the not-valid-before and not-valid-after dates are changed. You have the option of how long the certificate is valid, i.e. 1 year - 5 years.


You then have to import the certificate to your development machine and then sign the jars using your signing tool.
 
chaituu chaitu (Author) Commented:
Thanks David. Can you please let me know how to import the certificate and sign the jars?
 
David Johnson, CD, MVP (Owner) Commented:
 
chaituu chaitu (Author) Commented:
Generated the self-signed keystore file using the keytool command below.

keytool -genkey -keyalg RSA -validity 30 -alias webstart -keystore webstart -keypass password -storepass password

jarsigner.exe -keystore D:\keystore\webstart -storepass 'password' -keypass 'password' -storetype JKS D:\target\download-manager-desktop.jar webstart

Now when I execute the jarsigner command on the keystore with the jar, I get the error below.


jarsigner error: java.lang.RuntimeException: keystore load: Keystore was tampered with, or password was incorrect
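
An added example, not part of the thread and not any participant's code: one way to re-sign the JARs from PowerShell with a renewed certificate, timestamping each signature so it stays verifiable after the signer certificate expires (the warning in the jarsigner output above). The JDK path, the PKCS#12 file holding the renewed certificate and its private key, the alias and the environment variable name are assumptions; the TSA URL is DigiCert's public timestamp service.

```powershell
# Added example. Assumptions (not from the thread): JDK path, PKCS#12 file name,
# alias, and the SIGN_STOREPASS variable name.
$jdkBin   = 'C:\Program Files\Java\jdk1.8.0_xxx\bin'   # hypothetical JDK location
$keystore = 'D:\keystore\codesign.p12'                 # hypothetical: renewed cert + private key
$alias    = 'codesign'                                 # hypothetical: take it from the keytool -list output
$jarDir   = 'D:\target'
$tsaUrl   = 'http://timestamp.digicert.com'            # DigiCert's public RFC 3161 timestamp service

# Read the password without echoing it and pass it to the tools through an
# environment variable, so it never appears on a command line.
$secure = Read-Host 'Keystore password' -AsSecureString
$env:SIGN_STOREPASS = (New-Object System.Net.NetworkCredential('', $secure)).Password

try {
    # 1. Prove the keystore opens with this password before touching any JAR.
    & "$jdkBin\keytool.exe" -list -keystore $keystore -storetype PKCS12 '-storepass:env' SIGN_STOREPASS
    if ($LASTEXITCODE -ne 0) { throw "Cannot open keystore $keystore; check the path and the password." }

    foreach ($jar in Get-ChildItem -Path $jarDir -Filter *.jar) {
        # 2. Sign with a timestamp. -sigfile SERVER reuses the name of the existing
        #    META-INF/SERVER.SF and SERVER.RSA, so the expired signature is replaced
        #    rather than kept next to the new one.
        & "$jdkBin\jarsigner.exe" -keystore $keystore -storetype PKCS12 `
            '-storepass:env' SIGN_STOREPASS -tsa $tsaUrl -digestalg SHA-256 `
            -sigfile SERVER $jar.FullName $alias
        if ($LASTEXITCODE -ne 0) { throw "Signing failed for $($jar.Name)" }

        # 3. Verify; review the output for the expiry and timestamp warnings
        #    quoted in the thread.
        & "$jdkBin\jarsigner.exe" -verify $jar.FullName
        if ($LASTEXITCODE -ne 0) { throw "Verification failed for $($jar.Name)" }
    }
}
finally {
    # Do not leave the password in the session environment.
    Remove-Item Env:\SIGN_STOREPASS -ErrorAction SilentlyContinue
}
```

If the commands are typed into cmd.exe instead, note that cmd passes single quotes through as part of the argument, so `-storepass 'password'` does not match a keystore created with `-storepass password`.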