We have a legacy Java web-start application. As the code is downloaded remotely, the Java Security system need to instructed that the code downloaded from the source URL is safe.

The URL to download the code is in the JNLP file (https://app.domain.com/prod). A ruleset.xml is created with instruction to allow run. The ruleset.xml is jar-ed into DeploymentRuleSet.jar. It is signed to ensure authenticity. The signed jar is pushed to all Users's machine.

Step-by-step guide

1. Create keypair

The below command creates a keystore file name "jarsigned.keystore" and adds a key pair into it under the alias jarsigner. The key is valid for  1825 days from 2019-08-15. They keystore password and keypassword are set the default. Change it as required.

$ keytool -genkeypair -alias "jarsigner" -keystore jarsigner.keystore \
  -keyalg RSA -keysize 2048 -keypass "changeit" \
  -startdate "2019/08/15 00:00:00" -validity 1825 \
  -dname "DC=bu,DC=domain,DC=com" -storepass "changeit" -storetype pkcs12
key pair generation

If a self-signed certificate is going to be used skip to STEP 4.

2. Create a Certificate Sign Request (CSR)

$ keytool -certreq -alias jarsigner -keystore jarsigner.keystore \
  -storepass changeit -file jarsigner.csr
create csr

The CSR is in the file jarsigner.csr.

Send the file the the Certificate Authority. Ask specifically for a Code Signing certificate (costs more than standard ssl certificate)

3. Once the signed certificate is received from CA, save the certificate file as jarsigner.cer and Import it into keystore.

$ keytool -importcert -trustcacerts -alias jarsigner -file jarsigner.cer \
  -keystore jarsigner.keystore -storepass changeit
import signed certificate

4. Create ruleset.xml

Since the code is downloaded from domain.com, the rule should allow run permission.

<ruleset version="1.0+">
    <rule>
        <id location="*.domain.com" />
        <action permission="run" />
    </rule>
    <rule>
        <id />
        <action permission="default" />
    </rule>
</ruleset>
ruleset.xml

5. Create DeploymentRuleSet.jar

$ jar -cvf DeploymentRuleSet.jar ruleset.xml
create deployment jar

6. Sign the jar file with the certificate

$ jarsigner -keystore jarsigner.keystore DeploymentRuleSet.jar "jarsigner" \
  -storepass "changeit" -storetype pkcs12 -keypass "changeit" \
  -tsa http://sha256timestamp.ws.symantec.com/sha256/timestamp
sign jar

You will see the below warning if certificate was not signed by CA.

Warning:

The signer's certificate is self-signed.

7. Verify the jar

$ jarsigner -verify -verbose -certs -keystore jarsigner.keystore \
   -storetype pkcs12 -storepass "changeit" DeploymentRuleSet.jar "jarsigner"
verify jar

The message will say "jar verfied"

8. Deploy jar to users computer

Copy the DeploymentRuleSet.jar to  c:\windows\sun\java\deployment folder

If the certificate generated (in Step 3) was signed by a Certificate Authority, SKIP steps 9 & 10. We are done.

9. Export the certificate out of the keystore.

$ keytool -export -keystore jarsigner.keystore -storepass changeit \
  -keypass changeit -alias jarsigner -file jarsigner.cer
export self-signed certicate

10. Import the certificate into trusted certificate store on User's machine. The trusted certificate store is in jre/lib/security folder. DO this from admin shell

Ensure that the cacert is in the JRE or JDK being used by the web start command.

# keytool -import # -trustcacerts \
  -keystore "C:\Program Files\Java\jre1.8.0.201\lib\security\cacerts" \
  -storepass changeit -alias jarsigner -import -file jarsigner.cer
import self-signed cert as trusted cert in user's machine