I need to install a certificate from a Java app for a lot of people. I want to use a one-click program or batch file to import it as a Trusted Certificate (in Control Panel -> Security -> Certificate). Then they won't need to press "always allow" the first time they use the application.
I have extracted the needed certificate as both a .csr and as a .cer (the .csr via Control Panel and the .cer via keytool). Now I need to get one of them back in without any clicking in menus.
I don't really understand the documentation on importing a .cer with keytool and would like an example. Or is there an easier way than using keytool?
4 Answers
A couple of examples of how to do this using keytool:
The second link here has an example batch file:
Which part are you having trouble understanding? Is there a particular section that doesn't make sense? Do you need help with the batch file? Where, specifically, are you getting stuck? Perhaps I can help more specifically.
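As an added example (not from the original answer or the batch file it links to), here is a PowerShell script that imports the exported .cer into a Java keystore with keytool without any prompt, then checks that the alias is really there. The certificate path, keystore path, store password and alias are placeholders I chose; keytool's -importcert, -noprompt, -trustcacerts and -list options are the standard ones.

```powershell
# Added example, not the page's own code: non-interactive keytool import plus verification.
# Assumptions: keytool is on PATH or under $env:JAVA_HOME; the paths, password and alias
# below are placeholders for your own environment.
param(
    [string]$CertFile  = "C:\deploy\CompanyCer.cer",   # assumed: the .cer exported with keytool
    [string]$KeyStore  = "C:\deploy\trusted.jks",      # assumed: keystore to import into (created if missing)
    [string]$StorePass = "changeit",                   # assumed: the JRE cacerts default; yours may differ
    [string]$Alias     = "company"
)

$keytool = if ($env:JAVA_HOME) { Join-Path $env:JAVA_HOME "bin\keytool.exe" } else { "keytool" }

# Fingerprint of the file itself, printed first so it can be compared with keytool's
# output and with a fingerprint obtained out of band (-noprompt skips that confirmation).
# X509Certificate2 reads both DER and Base64 (PEM) encoded .cer files.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
"SHA1 fingerprint of ${CertFile}: $($cert.Thumbprint)"

# -importcert with -noprompt answers keytool's "Trust this certificate?" question, so the
# script never blocks on a user. -trustcacerts lets keytool consult the JRE's cacerts
# when it tries to build a chain for the certificate being imported.
& $keytool -importcert -noprompt -trustcacerts `
    -alias $Alias -file $CertFile `
    -keystore $KeyStore -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE" }

# Verify: list only the alias just added. keytool exits non-zero if the alias is absent,
# and prints the certificate's fingerprints for comparison with the value above.
& $keytool -list -v -alias $Alias -keystore $KeyStore -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw "alias '$Alias' not found in $KeyStore" }
```

keytool refuses to import when the alias already exists, so a re-run needs a `keytool -delete -alias company -keystore ... -storepass ...` first or a fresh alias. Because -noprompt suppresses the fingerprint confirmation, compare the printed fingerprint with one you obtained out of band before pushing the script to every user: whatever this imports becomes a trusted signer for every Java application that uses that keystore.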
The chain of trust concept for the Java keytool and signed apps expects the user to confirm trust by taking an affirmative action. In this case the user would import the public key related to the code publisher into their keystore, which requires them to have a Java keystore and a password related to same. See http://java.sun.com/developer/onlineTraining/Programming/JDCBook/signed.html, the section stating:
> 6: Import Certificate as a Trusted Certificate
> Ray downloads SSignedApplet.jar and CompanyCer.cer to his home directory. Ray must now create a keystore database (raystore) and import the certificate into it using the alias company. Ray uses keytool in his home directory to do this: ...
This presents a considerable challenge, thus the default behavior is to run signed apps with the OK dialog you are trying to address. Remotely accessing/creating Java keystores for others is counter to the security design.
We had a similar problem here trying to avoid certificate acceptance pop-ups on signed applets. We found a fix; it's not pretty, but it seems to have worked so far. Every user has a trusted.certs keystore (depending on OS it's somewhere under <username>/AppData...Sun/Java/Deployment/trusted.certs) that is generated the first time they access an applet on the given machine. You can have a startup script replace this file for each user from somewhere central. To create the new trusted.certs file, we have just accepted the certs that we want in there on a single machine, and then copied that entire trusted.certs keystore over to the new machine.
Loading into the central certs keystore for the JRE did not work for us, so we went this other route. It's ugly, and if you had the password to that keystore you could also set that via batch script as above, but it is what we did.
This approach made the most sense to us since it worked on a user-by-user basis, and since it's tied to a logon, it allows for centralized administration and mass updates.
In C:\Windows\Sun\Java\Deployment create a file called deployment.config.
The contents of this file should be:
Create another file in the same location called deployment.properties and include this line in deployment.properties:
Copy the trusted.certs from a user profile with all of the necessary certs to C:\Windows\Sun\Java\Deployment also.
All certs contained in the file will now appear in the Java Control Panel under System/Trusted Certificates.
You can also do this with most other Java properties by including them in the deployment.properties file, such as:
The first line sets the property; the second (with .locked at the end) prevents the users from changing the property in the Java Control Panel.
You can also manage the site exception list by creating a file in the same location called exception.sites, adding the web addresses to this file (one site per line), and including this line in deployment.properties:
This link will explain most of the configurable properties:
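As an added example (not the answer's own files, whose contents were not captured on this page), here is a PowerShell script that lays down the three files the answer describes and copies a prepared trusted.certs into place. The property names are the ones documented in Oracle's Java deployment configuration guide (deployment.system.config, deployment.system.config.mandatory, deployment.system.security.trusted.certs, deployment.user.security.exception.sites); the locked property, the source path and the site list are placeholders I chose, so check them against the property reference the answer links to.

```powershell
# Added example, not the answer's own files: system-wide Java deployment configuration.
# Assumptions: the JRE on this machine reads C:\Windows\Sun\Java\Deployment\deployment.config,
# the source trusted.certs was exported from a profile where the certs were accepted, and the
# site list is a placeholder. Run from an elevated prompt (the directory is under C:\Windows).
param(
    [string]$SourceTrustedCerts = "C:\deploy\trusted.certs",           # assumed source keystore
    [string[]]$TrustedSites     = @("https://intranet.example.com")    # assumed site exception list
)

$dir = "C:\Windows\Sun\Java\Deployment"
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# deployment.config points the JRE at the system-level properties file. Java parses these
# as properties files, so paths use forward slashes (doubled backslashes would also work).
# With mandatory=true the JRE refuses to run if it cannot read deployment.properties.
$config = @(
    "deployment.system.config=file:///C:/Windows/Sun/Java/Deployment/deployment.properties"
    "deployment.system.config.mandatory=true"
)
Set-Content -Path (Join-Path $dir "deployment.config") -Value $config -Encoding ASCII

# exception.sites: one site per line.
Set-Content -Path (Join-Path $dir "exception.sites") -Value $TrustedSites -Encoding ASCII

# deployment.properties: system trusted.certs keystore, site exception list, and one
# property (assumed here: the security level) locked so users cannot change it in the
# Java Control Panel. The ".locked" line has no value; its presence is what locks the key.
$props = @(
    "deployment.system.security.trusted.certs=C:/Windows/Sun/Java/Deployment/trusted.certs"
    "deployment.user.security.exception.sites=C:/Windows/Sun/Java/Deployment/exception.sites"
    "deployment.security.level=HIGH"
    "deployment.security.level.locked"
)
Set-Content -Path (Join-Path $dir "deployment.properties") -Value $props -Encoding ASCII

# The keystore itself, copied from the prepared profile.
Copy-Item -Path $SourceTrustedCerts -Destination (Join-Path $dir "trusted.certs") -Force

# Check that everything the JRE will look for is actually present before rolling out.
foreach ($name in "deployment.config", "deployment.properties", "exception.sites", "trusted.certs") {
    $p = Join-Path $dir $name
    if (-not (Test-Path $p)) { throw "missing $p" }
    "ok: $p ($((Get-Item $p).Length) bytes)"
}
```

Test this on one machine first: because deployment.system.config.mandatory=true, a typo in deployment.config stops Java Plug-in and Java Web Start from running at all. Keep the directory writable only by administrators; whoever can replace trusted.certs there decides which code signers every user on the machine trusts without a prompt.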
I need to import a PEM certificate on a massive number of freshly installed Windows 7 Enterprise machines.
Normally, I would do it through MMC → Certificates (Local Computer) snap-in → Trusted Root Certificates → Import, but I need to speed things up. Therefore, I'd like to use only the command prompt.
With certmgr.exe (not certmgr.msc!), I would type:
The problem is that certmgr.exe does not exist in Windows 7. How then can I add a certificate from the command line?
1 Answer
You need to use certutil.exe instead:
This will add the certificate to the Trusted Root Certification Authorities store.
If you want to add an Intermediate Certification Authority, replace Root with CA, and to add to your Personal store, change it to My.
All the above adds the certificate to the Local Computer store. To add to the User store, remove the -enterprise from the command line:
The -f in the command simply forces an overwrite in the case where the certificate is already installed.
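As an added example (the answer's own command lines were not captured on this page), here is a PowerShell wrapper around certutil.exe that imports a PEM or DER certificate file into the chosen store and then confirms the import by thumbprint through the Cert: drive. The file path is a placeholder I chose; certutil's -addstore, -user and -f switches are standard, and -addstore accepts both Base64 (PEM) and DER input.

```powershell
# Added example, not the answer's command: certutil import with an independent check.
# Assumptions: the file path is a placeholder; writing to the Local Computer store
# requires an elevated prompt.
param(
    [string]$CertFile = "C:\deploy\internal-root-ca.pem",     # assumed path to the PEM/DER file
    [ValidateSet("Root", "CA", "My")][string]$Store = "Root", # Root = Trusted Root CAs, CA = Intermediate, My = Personal
    [switch]$CurrentUser                                       # target the current user's store instead of Local Computer
)

# Read the thumbprint from the file itself so the verification below does not rely
# on parsing certutil's text output. X509Certificate2 loads PEM and DER alike.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
$thumb = $cert.Thumbprint

# certutil -addstore <store> <file>: without -user it writes to the Local Computer
# store; -user selects the current user's store; -f overwrites an existing copy.
$cuArgs = @("-addstore", "-f", $Store, $CertFile)
if ($CurrentUser) { $cuArgs = @("-user") + $cuArgs }
& certutil.exe @cuArgs | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }

# Verify through the certificate provider: the store is a directory, the thumbprint is
# the item name, so Test-Path answers "is this exact certificate installed there?".
$location = if ($CurrentUser) { "CurrentUser" } else { "LocalMachine" }
$path = "Cert:\$location\$Store\$thumb"
if (-not (Test-Path $path)) { throw "certificate $thumb not found at $path" }
"Imported '$($cert.Subject)' ($thumb) into $path"
```

Note that certutil's -enterprise switch selects the local machine's Enterprise (Group Policy) certificate store, a separate store from the ordinary Local Computer one; the script above writes to the Local Computer store, which needs no switch, and uses -user for the current user's store. Adding a certificate to Root makes it a trust anchor for every TLS connection and code signature checked by Windows on that machine, so confirm the thumbprint against a value obtained out of band before running this on a massive number of machines.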