How to deploy the certificates?

Why do you need to deploy the certificates?

Since Java 1.7 u51, self-signed applets may no longer run with access to the local system. At the very least, a severe warning message is displayed.

You can accept these messages, and test JUpload.

There are three ways to avoid this:

  • The best one is to buy a certificate from a known Certificate Authority and use it to sign the applet. Many tutorials exist on the web. The main advantage of this solution is that these CAs are already deployed in the browsers. There is no specific task to execute.
  • Use your own Certificate Authority. This means that you replace a 'known Certificate Authority' with one generated by you. You'll need to:
    • Know how to generate the CA certificate.
    • Know how to generate and sign the certificate you'll use to sign the applet.
    • Know how to manage your Certificate Revocation List.
    • Know how to deploy the CA certificate to your users' browsers.
    • The good news is: the first three points are explained on the How to sign page, and the last one is explained here! ;-)
  • Lower the Java security settings to Average (the lowest possible value). In this case, Java will ask the user at each start of a signed applet if it doesn't know the certificate issuer. To do that, go to the Java Control Panel, then to its 'security' part.

How to deploy your CA certificates?

You can deploy:

  • Manually
  • By script
  • By letting the users install the certificate in their browser, themselves.

The first two points are off topic for this page. We'll just explain how to install a given CA certificate in one's browser. The way to do it depends on the browser the user is using.

In this doc, we use JUpload as the example, where the CA certificate is available here: http://jupload.sourceforge.net/certificates/cacert.crt.
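
The certificate above is fetched over plain HTTP and then trusted as a CA, so a useful check before importing it into any store is to compare its SHA-256 fingerprint with a value obtained through a separate channel. The following is an added example, not part of JUpload; the function names are illustrative and the sample bytes are constructed, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in for a certificate: a tiny DER SEQUENCE, not a real CA.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")


def cert_der(data: bytes) -> bytes:
    """Return the DER bytes of a .crt file that is either PEM or raw DER."""
    m = PEM_RE.search(data)
    der = base64.b64decode(b"".join(m.group(1).split())) if m else data
    # A certificate is a single DER SEQUENCE (tag 0x30) spanning the whole
    # blob; an HTML error page or a truncated download fails here.
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER-encoded certificate")
    if der[1] < 0x80:                       # short-form length
        header, body = 2, der[1]
    else:                                   # long-form length
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("bad DER length")
        header, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + body != len(der):
        raise ValueError("truncated file or trailing data")
    return der


def fingerprint_sha256(der: bytes) -> str:
    """SHA-256 fingerprint as colon-separated uppercase hex pairs."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def matches_pinned(data: bytes, pinned: str) -> bool:
    """True if the file's fingerprint equals one obtained out of band."""
    def norm(s: str) -> str:
        return re.sub(r"[^0-9A-F]", "", s.upper())
    got = norm(fingerprint_sha256(cert_der(data)))
    return hmac.compare_digest(got, norm(pinned))
```

To use it on a real download, pass the bytes of the saved cacert.crt file and the fingerprint given by the CA's owner to matches_pinned, and import the certificate only if it returns True.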

How to install the CA certificate on Firefox?

This one is the trickiest. As of January 26th, 2014, I have only found one solution: install the certificate both in the Firefox certificate container and in the Java certificate container.

To make the applet work under Firefox, you'll have to execute the following steps:

  • Click on the Certificate link (http://jupload.sourceforge.net/certificates/cacert.crt).
    • Firefox should open a window asking what you want to authorize for this certificate. You must select at least (please confirm the English translation of this sentence for me) 'Confirm this CA to identify application/software developers'.
      • If Firefox doesn't display this window (under Windows 7 for instance, but we'll improve our site) and instead displays a nasty text in the browser, you'll have to save the file (instead of clicking on the link) and use the path given below to the Firefox certificate management tool to import it.
    • If you later want to change or correct that (or remove this certificate), follow these steps: Firefox / options / advanced / view-display the certificates / Authorities / (find the Jupload/Jupload's CA line). You can then view the certificate, change the trust you selected, or remove this trust (that is: remove the certificate).
  • You'll also need to install this certificate in the Java keystore, as detailed at the end of this page (How to install the CA certificate in the Java keystore).
    • Unnecessary with IE 8 under XP.
    • TODO: check with other configurations...
  • You'll need to close Firefox and restart it, so that these changes are taken into account.

To install the certificate manually, or to check it, go to: Options, Advanced, Encryption, View Certificates, Authorities, Import.

A warning message will always be displayed to the user, to get his/her confirmation before starting the applet.

If you still get an error or warning about the check of the applet signature, you may need to remove any temporary files. You can also remove all temporary files and installed applets from the Java Control Panel.

How to install the CA certificate on Chrome?

With Chrome, you're using the same configuration as in Internet Explorer, that is: the 'Internet Options', also available from the Control Panel.

To install the CA certificate with Chrome, you'll have to:

  • Click on the Certificate link (http://jupload.sourceforge.net/certificates/cacert.crt).
  • Click on the downloaded file (displayed on the bottom left).
  • Then select Open, when Chrome asks you to open or save the file.
  • Select 'Install' to accept this certificate as a valid Certificate Authority (take care: this window sometimes opens underneath the others).
  • Then: Next / Next (automatic selection) / Finish / Yes (accept the installation for this CA)

TODO: confirm this once the real certificate is deployed, with its CRL. Depending on your Windows version, you may or may not also need to install this certificate in the Java keystore, as detailed at the end of this page (How to install the CA certificate in the Java keystore). It seems necessary for Vista and IE7, and unnecessary on Windows XP (and its latest IE).

A warning message will always be displayed to the user, to get his/her confirmation before starting the applet.

How to install the CA certificate on Internet Explorer?

With Internet Explorer, it's much easier. Here are the steps to install the CA certificate:

  • Click on the Certificate link (http://jupload.sourceforge.net/certificates/cacert.crt).
  • Select 'Open', when IE asks you to open or save the file.
  • Select 'Install' to accept this certificate as a valid Certificate Authority (take care: this window sometimes opens underneath the others).
  • Then: Next / Next (automatic selection) / Finish / Yes (accept the installation for this CA)

To install the certificate manually, or to check it, go to: Tools, Internet Options, Content, Editor, Trusted Root Certification Authorities, Import.

A warning message will always be displayed to the user, to get his/her confirmation before starting the applet.

If you still get an error or warning about the check of the applet signature, you may need to remove any temporary files and clear the SSL state (from the Content part). You can also remove all temporary files and installed applets from the Java Control Panel.

How to install the CA certificate in the Java keystore? (manually or automatically)

It seems that this step is not always necessary. It makes the applet much less user-friendly... As of January 27th, 2014, we'll look for better solutions here, and hope Oracle will solve this issue.

Is this step unnecessary for Internet Explorer?

To install the CA certificate in the Java keystore, you'll have to follow these steps:

  • Open the Java configuration tool. For Windows, go to the Control Panel and search for Java. For others... to be defined.
    • You can check here to find the control panel (Windows, Mac).
  • You'll have to first download the above certificate.
  • Then go to Security / Manage Certificates / Signing Certificates / Import, and select the cacert.crt file you just downloaded.

Administrators of an intranet may wish to check this page to learn how to allow specific domains to have special security rules, and so avoid the alert box being shown to users.