I have seen some discussion about requirements for using a certificate generated from Active Directory Services for signing the DeploymentRuleset.jar file. This post is intended to showcase how I was able to do this…this may or may not be the only way or the best way 🙂
1. The certificate template must have the private key exportable and must be usable for code signing.
2. The certificate chain must be in the trusted root store of the user running the JRE in the browser.
3. The certificate chain must be verifiable via OCSP responder or revocation list.
4. A Ruleset.xml file … this post doesn’t address creating this file…
1. Create a code-signing certificate in your AD Certificate Services environment (make sure that the private key is exportable)
2. Export the cert from your personal store to a pfx and include the private key (it will require you to password protect this pfx file)
3. Create a Java keystore including this pfx file:
keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 -destkeystore clientcert.jks -deststoretype JKS
It will prompt you for a new password for the keystore as well as for the PFX password you created in step 2.
It will print the key alias….save this!
4. Add the ruleset.xml to a jar file
jar.exe -cvf DeploymentRuleSetUnsigned.jar "ruleset.xml"
This creates a file called DeploymentRuleSetUnsigned.jar
5. Sign the jar with your certificate:
jarsigner.exe -verbose -keystore "clientcert.jks" -signedjar "OutputDeploymentRuleSetSigned.jar" DeploymentRuleSetUnsigned.jar "your_keystore_alias_here"
It will prompt for your keystore password, and then for your certificate password.
Then it will generate the OutputDeploymentRuleSetSigned.jar file
6. Rename the generated file to DeploymentRuleSet.jar and deploy it to C:\Windows\Sun\Java\Deployment\
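The whole procedure above, plus checks for the requirements listed at the top of the post (code-signing EKU, exportable private key, chain and revocation validation), as one PowerShell script. This is an added example, not the post author's script: it assumes a JDK's keytool, jar and jarsigner are on PATH, that ruleset.xml already exists in the current directory, and that the AD CS certificate is in the user's personal store. The $CertSubject value, file names and deployment path are placeholders. It also recovers the key alias from the keystore rather than relying on it having been saved, and runs `jarsigner -verify` before copying the jar into place.

```powershell
# Added example (not from the original post). Assumes keytool.exe, jar.exe and
# jarsigner.exe are on PATH, ruleset.xml exists here, and the AD CS-issued
# code-signing cert is in Cert:\CurrentUser\My. All names below are placeholders.
$ErrorActionPreference = 'Stop'

$CertSubject  = 'CN=Deployment Ruleset Signer'   # placeholder: subject of your AD CS cert
$PfxPath      = 'mypfxfile.pfx'
$KeystorePath = 'clientcert.jks'
$UnsignedJar  = 'DeploymentRuleSetUnsigned.jar'
$SignedJar    = 'OutputDeploymentRuleSetSigned.jar'
$DeployDir    = 'C:\Windows\Sun\Java\Deployment'

# Prompt for the PFX/keystore secret instead of hard-coding it.
$PfxPassword = Read-Host -AsSecureString 'Password to protect the exported PFX'
$PfxPlain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($PfxPassword))

# --- Requirements 1-3: private key present, Code Signing EKU, chain + revocation OK ---
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq $CertSubject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $CertSubject" }

$codeSigningEku = '1.3.6.1.5.5.7.3.3'
if ($cert.EnhancedKeyUsageList.ObjectId -notcontains $codeSigningEku) {
    throw 'Certificate template does not include the Code Signing EKU'
}
# Test-Certificate builds the chain to a trusted root and checks revocation (OCSP/CRL),
# which is what the JRE will also need to do when it loads the ruleset.
if (-not (Test-Certificate -Cert $cert -EKU $codeSigningEku -ErrorAction SilentlyContinue)) {
    throw 'Certificate chain does not validate (untrusted root or revocation check failed)'
}

# --- Step 2: export cert + private key to PFX (fails if the key is not exportable) ---
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPassword | Out-Null

# --- Step 3: import the PFX into a JKS keystore, reusing the PFX password for the store ---
keytool -importkeystore -srckeystore $PfxPath -srcstoretype pkcs12 -srcstorepass $PfxPlain `
    -destkeystore $KeystorePath -deststoretype JKS -deststorepass $PfxPlain -noprompt
if ($LASTEXITCODE -ne 0) { throw 'keytool import failed' }

# Recover the key alias from the keystore listing (first PrivateKeyEntry line).
$alias = (keytool -list -keystore $KeystorePath -storepass $PfxPlain |
    Select-String 'PrivateKeyEntry' | Select-Object -First 1).Line.Split(',')[0].Trim()
if (-not $alias) { throw 'No private key entry found in keystore' }

# --- Step 4: package ruleset.xml ---
if (-not (Test-Path 'ruleset.xml')) { throw 'ruleset.xml not found in current directory' }
jar -cvf $UnsignedJar ruleset.xml
if ($LASTEXITCODE -ne 0) { throw 'jar packaging failed' }

# --- Step 5: sign with the recovered alias ---
jarsigner -verbose -keystore $KeystorePath -storepass $PfxPlain `
    -signedjar $SignedJar $UnsignedJar $alias
if ($LASTEXITCODE -ne 0) { throw 'jarsigner failed' }

# Check: verify the signature and print the signer chain before deploying.
jarsigner -verify -verbose -certs $SignedJar
if ($LASTEXITCODE -ne 0) { throw 'Signed jar failed verification' }

# --- Step 6: deploy under the file name the JRE looks for ---
New-Item -ItemType Directory -Force -Path $DeployDir | Out-Null
Copy-Item $SignedJar (Join-Path $DeployDir 'DeploymentRuleSet.jar') -Force
```

Run it from a directory containing ruleset.xml in an elevated PowerShell session (writing to C:\Windows requires admin). The keystore password is passed on the keytool and jarsigner command lines, so the script is meant for an interactive session rather than a logged build job; drop the `-storepass` arguments to be prompted instead, as in the original steps.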