We have signed a JAR file using a certificate generated by MS Active Directory Certificate Services. However, when accessing it via Java Web Start we are getting the prompt that the digital signature cannot be verified even though we've installed the root CA into the certificate store on the client machine.

Now trying to look at the root CA on the client machine, using "keytool -list", I'm seeing an exception (invalid URI:file://\my_msadcs_server\path\to\CRL.crl). So now I'm not sure exactly what is going wrong.

Anyone have a suggestion or sample Java code on how I can test the downloaded JAR file's signature on the client machine in an attempt to figure out exactly why JWS is complaining? It could be that the root CA certificate has a problem (and I will chase down that avenue when my AD admin gets in) but I'd like to rule out other possibilities first. Currently the only thing I have to go on is the exception from "keytool -list", but keytool had no issues importing the root CA certificate in the first place.

Thanks in advance!

mG.

A: 

I think the invalid URI message is a clue. A Java file URI takes the following form: file://host/path

Greg
Yes, but I want to verify that. Rather than going and having our AD admin muck around with configuration (that works fine for everything else we've tried... this is the only signed JAR app we've done), I'd like to come to him with more than the details I have above. As I said, keytool imported the cert without complaint. So his question back to me will be: what proof do I have that the cert he gave me is the source of the problem?
mobiGeek
By the way, this "not a bug" entry looks like others have had similar issues. http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6304269 I'm not saying this is a Java bug, but I'm trying to come up with evidence to my AD admin that changes on his side are required (and justification for the particular changes).
mobiGeek
A: 

I use jarsigner with the -verify, -verbose and -certs options. You may have to specify your -keystore, too.

trashgod
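
For the question's request to test the downloaded JAR outside Web Start, here is an added example that is not from any of the posters. It verifies the entry digests and signature, then validates the signer's chain against a trust store twice, with revocation checking off and on, so a chain that passes only with revocation off points at the CRL distribution point rather than at the signature or the root. The class name and command-line arguments are assumptions, and `com.sun.security.enableCRLDP` is specific to the Sun/Oracle PKIX provider.

```java
import java.io.*;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;
public class JarSigCheck { // hypothetical class name
    // Usage: java JarSigCheck <signed.jar> <truststore> <storepass>
    public static void main(String[] args) throws Exception {
        // Sun/Oracle provider only: follow the CRL Distribution Points extension
        System.setProperty("com.sun.security.enableCRLDP", "true");
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) {
            trust.load(in, args[2].toCharArray());
        }
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(new File(args[0]), true)) { // true = verify
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signers appear only after a full read; a tampered entry throws here.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) continue; // unsigned entry
                check(signers[0].getSignerCertPath(), trust);
                return; // one signed entry is enough to test the chain
            }
            System.out.println("no signed entries found");
        }
    }
    static void check(CertPath signed, KeyStore trust) throws Exception {
        List<Certificate> chain = new ArrayList<Certificate>(signed.getCertificates());
        X509Certificate last = (X509Certificate) chain.get(chain.size() - 1);
        // PKIX expects the path without the trust anchor: drop a self-signed root
        if (chain.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal()))
            chain.remove(chain.size() - 1);
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        for (boolean revocation : new boolean[] {false, true}) {
            PKIXParameters params = new PKIXParameters(trust);
            params.setRevocationEnabled(revocation);
            try {
                CertPathValidator.getInstance("PKIX").validate(path, params);
                System.out.println("revocation=" + revocation + ": chain OK");
            } catch (CertPathValidatorException | RuntimeException ex) {
                System.out.println("revocation=" + revocation + ": FAILED: " + ex);
            }
        }
    }
}
```

A `SecurityException` while reading an entry means the JAR itself fails verification; a failure in both passes means the trust store passed in does not anchor the signer's chain.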