Deploying a Java DeploymentRuleSet.jar using an Active Directory Certificate Services cert

I have seen some discussion about the requirements for using a certificate generated from Active Directory Certificate Services to sign the DeploymentRuleSet.jar file. This post is intended to showcase how I was able to do this. It may or may not be the only way or the best way 🙂

Requirements:
1. The certificate template must have the private key exportable and must be usable for code signing.
2. The certificate chain must be in the trusted root store of the user running the JRE in the browser.
3. The certificate chain must be verifiable via an OCSP responder or a revocation list.
4. A ruleset.xml file (this post doesn't address creating this file).

Steps:
1. Create a code-signing certificate in your AD Certificate Services environment (make sure that the private key is exportable)
2. Export the cert from your personal store to a pfx and include the private key (it will require you to password protect this pfx file)
3. Create a Java keystore including this pfx file:

keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 -destkeystore clientcert.jks -deststoretype JKS

It will prompt you for a new password for the keystore as well as the PFX password you created in the second step.
It will provide a key alias. Save this!
4. Add the ruleset.xml to a jar file

jar.exe -cvf DeploymentRuleSetUnsigned.jar "ruleset.xml"

This creates a file called DeploymentRuleSetUnsigned.jar
5. Sign the jar with your certificate:

jarsigner.exe -verbose -keystore "clientcert.jks" -signedjar "OutputDeploymentRuleSetSigned.jar" DeploymentRuleSetUnsigned.jar "enter_your_key_store_alias_here"

It will prompt for your keystore password, and then for your certificate password.
Then it will generate the OutputDeploymentRuleSetSigned.jar file.
6. Rename the generated file to DeploymentRuleSet.jar and deploy it to C:\Windows\Sun\Java\Deployment\
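
A pre-deployment check for the jar produced in steps 4 to 6, as an added example that is not part of the original post. It assumes the JDK bin directory (jar.exe, jarsigner.exe) is on PATH and an elevated PowerShell session; the parameter names are hypothetical.

```powershell
# Added example: check the signed rule set before copying it into place.
# Assumption: jar.exe and jarsigner.exe are on PATH; run from an elevated prompt.
param(
    [string]$Jar    = ".\OutputDeploymentRuleSetSigned.jar",
    [string]$Target = "C:\Windows\Sun\Java\Deployment\DeploymentRuleSet.jar"
)
$ErrorActionPreference = "Stop"

if (-not (Test-Path -LiteralPath $Jar)) { throw "Signed jar not found: $Jar" }

# 1. Structural check: ruleset.xml must be at the jar root, and META-INF must
#    hold a signature file (.SF) and a signature block (.RSA/.DSA/.EC).
$entries = @(& jar.exe -tf $Jar)
if ($LASTEXITCODE -ne 0) { throw "jar.exe could not list $Jar" }

if ($entries -notcontains "ruleset.xml") {
    throw "ruleset.xml is not at the root of the jar"
}
if (@($entries -match '^META-INF/[^/]+\.SF$').Count -eq 0) {
    throw "No signature file in META-INF; the jar is unsigned"
}
if (@($entries -match '^META-INF/[^/]+\.(RSA|DSA|EC)$').Count -eq 0) {
    throw "No signature block in META-INF; the jar is unsigned"
}

# 2. Cryptographic check: jarsigner recomputes the digests and prints the
#    signer's certificate chain (-certs) so the issuing AD CA can be confirmed.
#    Read any warnings it prints (expiry, chain, key usage) before deploying.
& jarsigner.exe -verify -verbose -certs $Jar
if ($LASTEXITCODE -ne 0) {
    throw "jarsigner verification failed (exit code $LASTEXITCODE)"
}

# 3. Deploy under the exact file name from step 6.
$targetDir = Split-Path -Parent $Target
New-Item -ItemType Directory -Force -Path $targetDir | Out-Null
Copy-Item -LiteralPath $Jar -Destination $Target -Force
Write-Output "Deployed $Jar to $Target"
```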
