Third-Party Certificates

Figures B-6 and B-12 show the problem with using self-signed certificates in an application: JWS issues a scary message. The solution is to replace the certificate by one generated by a trusted third party: a CA. Popular CAs include Verisign (http://www.verisign.com/), Thawte (http://www.thawte.com/), and Entrust (http://www.entrust.com). These companies charge money for their services, but a free alternative is CACert.org (https://www.cacert.org/).

Beefing up the certificate for a keypair consists of the following steps:

  1. Extract a Certificate Signing Request (CSR) from the keypair.

  2. Send the CSR to the CA, requesting a certificate.

  3. After checking the returned certificate, import it into the keystore, replacing the keypair's self-signed certificate.

  4. Start signing JARs with the keypair.

Extract a CSR

Generate a CSR with the -certreq option to keytool:

     keytool -certreq -keystore MyKeyStore -alias BugRunner -file BugRunner.csr 

This generates a CSR for the BugRunner keypair, stored in BugRunner.csr, a text file of this form:

   -----BEGIN NEW CERTIFICATE REQUEST-----
   MIICoDCCAl4C.....
   // many more lines
   .....
   -----END NEW CERTIFICATE REQUEST-----

Request a Certificate

The CSR is sent to the CA, usually by pasting its text into a web form accessed via a secure link (an https URL). At CACert.org, this step requires some preliminary work. Users must first join CACert.org (membership is free) and send in details about the web domain that they control. This information is checked with the site's web administrator by email. Only then can CSRs be submitted. The certificate generated in response to a CSR is called a server certificate by CACert.org.

Import the Certificate into the Keystore

The server certificate is received in an ordinary email and should be examined before being added to the keystore:

     keytool -printcert -file certfile.cer 

Assume that the text message is stored in certfile.cer. If the .cer extension is used, then many browsers will be able to open and interpret the file's certificate contents. The text should look like this:

   -----BEGIN CERTIFICATE-----
   MIICxDCCAi0....
   // many more lines
   ....
   -----END CERTIFICATE-----

Though people often talk about a server certificate, the data may actually consist of a chain of certificates, rather than just one.

Once the user is happy that the details match those supplied in the original CSR, the server certificate can be imported into the keystore. In this case, it replaces the self-signed certificate for the BugRunner keypair:

     keytool -import -trustcacerts -keystore MyKeyStore \
             -alias BugRunner -file certfile.cer

The server certificate is automatically verified; in a chain, the current certificate is trusted because of the certificate at the next level up. This continues until the certificate for the CA is reached. This may be a trusted (or root) certificate, stored in JWS's cacerts keystore. cacerts comes pre-built with Verisign, Thawte, and Entrust trusted certificates but doesn't have any from CACert.org.

CACert.org offers a root certificate for download, which can be added to cacerts (if you have write permissions). Alternatively, it can be placed in the local MyKeyStore keystore as a trusted certificate:

     keytool -import -alias cacertOrg -keystore MyKeyStore  -file caRoot.cer 

Here, I'm assuming that the root certificate is stored in caRoot.cer and is saved under the name (alias) cacertOrg. Since no keypair exists for cacertOrg, keytool assumes it's a trusted certificate. This can be verified by listing the contents of the keystore:

     keytool -list -keystore MyKeyStore 

The root certificate should be imported before the server certificate, or the server certificate's authentication process will end with the warning "Failed to establish chain from reply."
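Before the keytool -import step it helps to see exactly what the CA sent back, especially when the "server certificate" is really a chain. The following is an added example, not code from the book: a small Python checker that splits the PEM text into its certificates, reads subject and issuer out of each with a minimal DER walker, and confirms that each certificate is issued by the next one up and that the chain ends in a self-signed root (otherwise the CA root must be imported first). The sample certificates are constructed skeletons with correct X.509 layout but no real key or signature, and "Demo CA" is a made-up name.

```python
# Added example (not from the book): pre-import check of the certificate text a CA returns.
import base64, re

PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
def tlv(buf, pos=0):
    """Decode one DER element at pos -> (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                  # long-form length: low bits = byte count
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln
def children(value):
    """All elements inside a constructed DER value, as (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out
def subject_issuer(der_cert):
    """(subject, issuer) Name blobs of one DER certificate; names are compared byte-for-byte."""
    fields = children(children(tlv(der_cert)[1])[0][1])     # tbsCertificate fields
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # skip optional [0] version
    return fields[4][1], fields[2][1]                        # serial, alg, issuer, validity, subject
def check_chain(pem_text):
    """Problems in a leaf-first PEM chain; an empty list means every link holds."""
    certs = [subject_issuer(base64.b64decode(b)) for b in PEM.findall(pem_text)]
    problems = []
    for i in range(len(certs) - 1):
        if certs[i][1] != certs[i + 1][0]:         # issuer must equal the next subject
            problems.append("certificate %d is not issued by certificate %d" % (i, i + 1))
    if certs and certs[-1][0] != certs[-1][1]:     # top of chain is not self-signed
        problems.append("chain stops short of a root; import the CA root certificate first")
    return problems
def der(tag, *parts):
    """Encode one DER element (short or one-byte long-form length)."""
    body = b"".join(parts)
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])) + body
def skeleton_cert(subject_cn, issuer_cn):
    """Constructed, unsigned certificate skeleton: X.509 layout only, no key or signature."""
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03"), der(0x0C, cn.encode()))))
    alg = der(0x30, der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))    # sha256WithRSAEncryption
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), alg, name(issuer_cn),
              der(0x30, der(0x17, b"060101000000Z"), der(0x17, b"070101000000Z")),
              name(subject_cn), der(0x30, der(0x05)))
    cert = der(0x30, tbs, alg, der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert).decode()
# Constructed sample bundle: BugRunner's server certificate followed by the made-up CA's root.
LEAF, ROOT = skeleton_cert("BugRunner", "Demo CA"), skeleton_cert("Demo CA", "Demo CA")
```

Run check_chain on the text of certfile.cer; an empty result means the chain links cleanly, while the "stops short of a root" message is the situation that produces keytool's "Failed to establish chain from reply" unless the root is already in the keystore.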

An alternative is to "glue" the root and server certificates together as a single entity and then import the result into the keystore as a replacement for the self-signed certificate. This process is described by Chris W. Johnson at http://gargravarr.cc.utexas.edu/chrisj/misc/java-cert-parsing.html.

Sign JARs with the Keypair

Signing can now commence with the third-party-certified BugRunner keypair:

     jarsigner -keystore MyKeyStore foo.jar BugRunner 



Killer Game Programming in Java
ISBN: 0596007302
Year: 2006
Pages: 340