Signing Applets - Creating Test Certificates

contributed by Walter Pasqualone, Walter.Pasqualone@isis-papyrus.com

rewritten by Daniel Griscom, 9/25/99

Introduction

This section tells how to create test code-signing certificates for Netscape Communicator and Microsoft Internet Explorer. The examples assume Windows NT 4.0 Server, Netscape Communicator 4.x, Internet Explorer 4.0 with JDK 1.1.6, the Netscape Object Signing tool, and the Java SDK from Microsoft.

Note that applets signed by these certificates will not be recognized by most browsers: you have to prepare the browser to accept the certificate. This means that these certificates are only good for testing, or for use on a small, known set of machines. Also, with Internet Explorer, once it is set to recognize your test certificate it will recognize any test certificate, which may be a security problem.


Creating a certificate

A code-signing certificate for Netscape Navigator/Communicator can be generated with the Netscape Object Signing tool, downloadable at <http://developer.netscape.com/software/signedobj/jarpack.html>. To create your certificate, first create a directory (e.g. c:\appsign) and install signtool.exe there, then create a working subdirectory (e.g. mycert). You now have the tree c:\appsign\mycert\.

Copy the two Netscape certificate database files, cert7.db and key3.db, found under your c:\Program Files\Netscape\Users\<username> directory, into the mycert directory.

Open a DOS window, change directory to your c:\appsign directory, then create your certificate (here named My_Priv_Cert) with the following command:

signtool -G"My_Priv_Cert" -d"mycert"
...where the -G specifies the name of your certificate and -d the directory containing the .db files.


signtool will request the following pieces of information (example answers are shown):

  • Certificate common name: ACME Signing Certificate
  • Organization: ACME Technologies
  • Organization Unit: ACME Project
  • State/Province: Italy
  • Country: IT
  • Username: Acme
  • Email address: acme@acme.com

This step produces a file in c:\appsign named x509.cacert; this is your certificate.

Importing the certificate

Now you need to import the certificate into Netscape Navigator/Communicator, so that the browser will recognize applets signed with the certificate. To do this, first create an HTML document in your signing directory containing the following line:
<a href="x509.cacert">Click to import certificate</a>

The reference can also be an absolute or relative URL such as /scripts/certificates/x509.cacert or http://www.myserv.com/scripts/certificates/x509.cacert. Now make sure that Navigator has a MIME type entry for application/x-x509-ca-cert (look in Preferences, in the Navigator/Applications panel). If it doesn't, create one with the following information:
  • Description of type: x509 CA certificate
  • File extension: cacert
  • MIME type: application/x-x509-ca-cert
  • Application to use: C:\WINNT\system32\rundll32.exe c:\winnt\system32\inetcpl.cpl,SiteCert_RunFromCmdLine %1
Note: the above application assumes you're using Windows NT. If you're using Win98, then replace C:\WINNT\system32\ with C:\WINDOWS\SYSTEM\.
Now open the HTML document in Communicator and click the import link. Netscape should prompt you with dialogs guiding you through the import steps. If this does not happen, first try exiting and restarting your browser and clearing the cache.

If a 'Save As' dialog appears instead, and you're browsing the HTML document from a web server rather than from your local file system, then the web server is not serving files with the cacert extension under that MIME type. In that case the web server's configuration needs to be modified. For example, if you're using Microsoft Internet Information Server (MS-IIS), the Registry must be modified with RegEdit at the following node:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InetInfo\Parameters\MimeMap
by adding the same MIME type and extension specified above.

If the problem still persists, try restarting the system before importing the certificate.

If you imported your certificate successfully, you should see it among the other Certificate Authorities listed in the Browser->Communicator->Security-Info->Signers panel. Now you can create and sign your applet as explained in Signing code for Netscape Navigator.

For more information, see Generating Test Object-Signing Certificates at <http://developer.netscape.com/docs/manuals/signedobj/signtool/signcert.htm>.

Microsoft Internet Explorer

Creating a certificate

A code-signing certificate for MSIE can be generated with the tools provided in the Microsoft Java SDK, downloadable from the Microsoft web site. To create a private certificate, follow these steps:

1: Using the MAKECERT.exe tool, generate a new certificate as follows:

makecert /sv "ms_ACME.pvk" /n "CN=ACME Certificate" ms_ACME.cer
where...
  • ms_ACME.pvk is the name of the private key file to be generated
  • ms_ACME.cer is the certificate file to be generated
  • ACME Certificate is the name of the certificate
Note: during this phase a password is requested on two occasions. It must be the same password both times, and it will be requested again when signing the software, so DON'T forget it!

2: Generate a .spc file as follows:

Cert2spc ms_ACME.cer ms_ACME.spc
This step generates the file ms_ACME.spc.

Now you can use the newly created .pvk and .spc files to sign applets as explained in Signing code for Microsoft Internet Explorer.

Telling Internet Explorer to accept the test root

A certificate sold by a CA such as VeriSign depends on the CA certificate being installed in Internet Explorer, so that Explorer can verify the certificate. Certificates created by makecert depend on the "test root". The test root is a CA certificate that is only used for debugging, and is not normally enabled (otherwise anyone could make certificates recognized by any copy of Explorer). To enable the test root so that test certificates are treated as fully valid, run the following command from the MS SDK for Java:
setreg 1 TRUE
Of course, you have to do this for each machine which must accept your certificate. In addition, once these machines accept your test certificate they will accept any test certificate. This could be a security problem, so proceed with care. In particular, once you've finished testing you might want to disable the test root with the following command:
setreg 1 FALSE
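The following batch file is an added example, not code from the original page or from the Microsoft SDK for Java. It chains steps 1 and 2 above with the test-root toggle from this section, stops at the first failing step, refuses to overwrite an existing private key, and gives you a single switch to disable the test root again once testing is done. It assumes that makecert.exe, cert2spc.exe and setreg.exe are on the PATH of the DOS window you run it from, and that each tool returns a non-zero exit code on failure (an assumption; if a tool returns zero on failure, the "if not exist" checks on the output files still catch the missing result).

```batch
@echo off
rem make_test_cert.bat (added example; not part of the original page or the MS SDK)
rem Runs the Internet Explorer steps above in order: makecert -> cert2spc -> setreg.
rem Assumes makecert.exe, cert2spc.exe and setreg.exe are on the PATH and return a
rem non-zero errorlevel on failure (assumption; output files are also checked).
rem Usage:  make_test_cert          -> ms_ACME.pvk, ms_ACME.cer, ms_ACME.spc (as in the text)
rem         make_test_cert MyName   -> ms_MyName.* and "CN=MyName Certificate"
rem         make_test_cert /off     -> disables the test root again (setreg 1 FALSE)
setlocal

if "%1"=="/off" goto disable

set NAME=%1
if "%NAME%"=="" set NAME=ACME

rem Never silently overwrite a private key: applets already signed with it could not
rem be re-signed with the same key, and a stray extra key is one more thing to protect.
if exist ms_%NAME%.pvk goto keyexists

rem Step 1: generate the private key (.pvk) and the certificate (.cer).
rem makecert prompts for the key password twice; both entries must match, and the same
rem password is requested again when you sign an applet with this key.
echo Step 1: creating ms_%NAME%.pvk and ms_%NAME%.cer
makecert /sv "ms_%NAME%.pvk" /n "CN=%NAME% Certificate" ms_%NAME%.cer
if errorlevel 1 goto failed
if not exist ms_%NAME%.cer goto failed

rem Step 2: wrap the certificate in a Software Publisher Certificate (.spc) file.
echo Step 2: creating ms_%NAME%.spc
cert2spc ms_%NAME%.cer ms_%NAME%.spc
if errorlevel 1 goto failed
if not exist ms_%NAME%.spc goto failed

rem Step 3: enable the test root on THIS machine only. While it is enabled, Explorer on
rem this machine trusts every test-root certificate, not just yours, so run
rem "make_test_cert /off" when testing is finished.
echo Step 3: enabling the test root (setreg 1 TRUE)
setreg 1 TRUE
if errorlevel 1 goto failed

echo Done. Sign with ms_%NAME%.pvk and ms_%NAME%.spc. Run "make_test_cert /off" after testing.
goto end

:disable
echo Disabling the test root (setreg 1 FALSE)
setreg 1 FALSE
goto end

:keyexists
echo ms_%NAME%.pvk already exists. Pick another name or move the old key aside first.
goto end

:failed
echo A step failed; see the tool's message above. No later step was run.

:end
endlocal
```

Because the test root is a per-machine setting, the script only touches the machine it runs on; every other machine that must accept the test certificate needs the same `setreg 1 TRUE` (and the same `/off` afterwards).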

For more information see

Copyright © 2012 Daniel Griscom Site design myriadweb.com