Posted to dev@openmeetings.apache.org by Rene' Rosenbaum <re...@meecoda.de> on 2014/04/01 09:36:38 UTC
Re: Getting screensharing application signed
Hi Maxime,
thanks for your help! I took some code from 3.0 and merged it into the
build.xml. Works well from that point of view. However, it seems a
specific code signing certificate is necessary to get the code signed
with an individual fingerprint. An ordinary server certificate doesn't
work (according to the web community).
best regards,
Rene'
~~~~~~~
*Dr.-Ing. Rene' Rosenbaum
meeCoda^IT * - Consulting and Services
~: Neue Reihe 15, 18182 Goorstorf, Germany
#: ++49-(0)-1781408041
@:info@meecoda.de <ma...@meecoda.de>
//:www.meecoda.de <http://www.meecoda.de>
~~~~~~~~~~~~~~ +++ ~~~~~~~~~~~~~~~~
On 3/1/2014 6:34 PM, Maxim Solodovnik wrote:
> I would use the server one.
> you need to create a java keystore using it and put it instead of the generated
> one into the build folder
> then run
> ant -Dskip.sign.key.generation=true signWebStartJars
>
> (should work in 3.0/3.1, never tried it since I have no "real certificate")
>
>
> On Sun, Mar 2, 2014 at 12:29 AM, Rene' Rosenbaum <re...@meecoda.de> wrote:
>
>> Hi Maxime,
>> thanks for your quick response! Found the location at build.xml, but not
>> sure what to do next. We got a server certificate for the domain
>> OpenMeetings is running, and I was under the impression I have to use this
>> certificate to sign the WebStartJar. Or do I need a completely different
>> one (similar to the one used to communicate between red5 and the Flash
>> client (as described in /trunk/docs/RTMPSAndHTTPS.html))?
>> Cheers,
>> Rene'
>>
>>
>> On 3/1/2014 6:04 PM, Maxim Solodovnik wrote:
>>
>>> hello Rene,
>>>
>>> current certificate being used is generated by ant (search build.xml for
>>> "genkey")
>>> 3.0/3.1 versions contain modifications for using a different certificate
>>> for signing (manual steps are still required)
>>> I would recommend to check build.xml from the trunk then ask questions
>>>
>>>
>>> On Sat, Mar 1, 2014 at 11:26 PM, Rene' Rosenbaum <re...@meecoda.de> wrote:
>>>
>>>> Dear all,
>>>> we are running OM 2.0 and made some modifications to the screensharing
>>>> application. May you please let me know how to sign this (Java)
>>>> application? We use SSL and would like to apply our own certificate here.
>>>> As shown in the attachment, currently a certificate issued to Sebastian
>>>> is used. Thanks a lot for your help in advance! Any bit of information
>>>> pointing us in the right direction is highly appreciated.
>>>> best regards,
>>>> Rene'
>
Re: Getting screensharing application signed
Posted by Roberto Resoli <ro...@resolutions.it>.
On 02/04/2014 14:13, Roberto Resoli wrote:
> On 02/04/2014 13:34, rene@meecoda.de wrote:
...
>> It seems
>> some server certificates can do the signing and some not. Confusing!!!
>
> Yes. Certification Authorities sell different Certs, with different
> pricing, for that.
I created an English version of the HowTo:
https://sourceforge.net/apps/trac/j4sign/wiki/HowtoSignCode_en
Regarding code signing in recent Oracle JVMs, there are a lot of
restrictions introduced; in particular with 1.7.0_51 I noted that
the certificate for code signing has to have a CRL or OCSP verification
attribute (or both), and the URL specified in the attribute has to point
to a working revocation check service in order for the verification (with
default JVM security settings) to pass.
I will provide related modifications to the openssl.conf defaults in my
howto very soon.
rob
> rob
>
Re: Getting screensharing application signed
Posted by Roberto Resoli <ro...@resolutions.it>.
On 02/04/2014 13:34, rene@meecoda.de wrote:
> Dear Rob,
> thanks a lot for your response. I had a look at the example and it seems
> it describes the use of a self-signed certificate
No, the example explains how to:
1) Create your own CA using openssl
2) Import the CA certificate (not the private key) into a keystore.
3) Use java "keytool" to create a couple of keys inside the keystore,
and a CSR (Certification Signing Request) for the public key.
4) Use openssl to sign that CSR with the CA, generating a suitable
codesign cert.
5) Import the generated codesign certificate into the keystore.
The keystore can then be used for signing java code (we use an ant task
for this, as well as openmeetings).
> (couldn't figure out
> where a third party issues or verifies the certificate used for
> signing).
They cannot, if they don't trust your CA. If you want the certificate to
be trusted, you have to have the signing certificate signed and
generated by a Certification Authority trusted by your java environment.
If you control the target environment, it's a matter of importing the CA
(into the user environment) using the control panel applet or issuing a
"keytool -import" towards the JVM-wide cacerts keystore.
> This already works in standard OM(2/3). What I need are
> instructions on how to use an existing (trusted and verified class 2
> server-)certificate for code signing.
You can't. SSL Server certificates ordinarily cannot be used for code
signing.
> It seems our OM/build.xml setup is
> correct (incl. the keystore) as we get the following error message:
>
> "This jar contains entries whose signer certificate's ExtendedKeyUsage
> extension doesn't allow code signing."
Exactly. You need an ExtendedKeyUsage of "objsign" for that. It is
normally not included in SSL Server certificates.
See the line:
nsCertType = client, email, objsign
in the openssl.conf inside my howto.
> Doing some research, this points to a limitation of the
> (server-)certificate, which might not be used for code signing.
Absolutely.
> It seems
> some server certificates can do the signing and some not. Confusing!!!
Yes. Certification Authorities sell different Certs, with different
pricing, for that.
rob
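A pre-flight check for the keystore that build.xml hands to the jar signer, added here as an example and not code from OpenMeetings or the j4sign howto. It tests the conditions raised in this message and in the follow-up about 1.7.0_51: a private-key entry under the alias, an ExtendedKeyUsage that permits code signing, the Netscape "objsign" bit when nsCertType is present, and a CRL or OCSP pointer for the JVM's revocation check. The class name, argument order and keystore type handling are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not project code). Reports why a keystore entry would be
 * rejected for JAR signing before "ant signWebStartJars" is run.
 * Usage: java CodeSignCertCheck <keystore> <storepass> <alias>   (assumed CLI)
 */
public class CodeSignCertCheck {
    static final String EKU_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"; // id-kp-codeSigning
    static final String EKU_ANY          = "2.5.29.37.0";       // anyExtendedKeyUsage
    static final String EXT_NS_CERT_TYPE = "2.16.840.1.113730.1.1";
    static final String EXT_CRL_DP       = "2.5.29.31";         // cRLDistributionPoints
    static final String EXT_AIA          = "1.3.6.1.5.5.7.1.1"; // authorityInfoAccess (OCSP)

    /** jarsigner accepts an EKU that is absent, or that lists codeSigning or anyEKU. */
    static boolean ekuAllowsCodeSigning(X509Certificate cert) throws Exception {
        List<String> eku = cert.getExtendedKeyUsage();
        return eku == null || eku.contains(EKU_CODE_SIGNING) || eku.contains(EKU_ANY);
    }

    /** Netscape cert type, when present, must carry the "objsign" bit (0x10). */
    static boolean nsCertTypeAllowsObjSign(X509Certificate cert) {
        byte[] der = cert.getExtensionValue(EXT_NS_CERT_TYPE);
        if (der == null) return true;                 // extension absent: no restriction
        // DER layout: OCTET STRING { BIT STRING { unused-bit count, flag byte } }
        // i.e. 04 04 03 02 <unused> <flags>; objsign is bit 3 counting from the MSB.
        return der.length >= 6 && der[0] == 0x04 && der[2] == 0x03 && (der[5] & 0x10) != 0;
    }

    /** A revocation check needs a CRL distribution point or an OCSP URL in the AIA. */
    static boolean hasRevocationPointer(X509Certificate cert) {
        return cert.getExtensionValue(EXT_CRL_DP) != null
            || cert.getExtensionValue(EXT_AIA) != null;
    }

    /** Collects human-readable problems; an empty list means the entry looks usable. */
    static List<String> problems(KeyStore ks, String alias) throws Exception {
        List<String> out = new ArrayList<>();
        if (!ks.isKeyEntry(alias)) out.add("alias '" + alias + "' has no private key");
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        if (cert == null) { out.add("no certificate under alias '" + alias + "'"); return out; }
        boolean[] ku = cert.getKeyUsage();            // index 0 = digitalSignature
        if (ku != null && !ku[0]) out.add("KeyUsage lacks digitalSignature");
        if (!ekuAllowsCodeSigning(cert))
            out.add("ExtendedKeyUsage does not allow code signing (typical for a TLS server cert)");
        if (!nsCertTypeAllowsObjSign(cert)) out.add("nsCertType is present but lacks objsign");
        if (!hasRevocationPointer(cert))
            out.add("no CRL distribution point or OCSP URL for the revocation check");
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Default type loads the JKS that ant's genkey task writes (and PKCS12 on newer JDKs).
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        List<String> found = problems(ks, args[2]);
        if (found.isEmpty()) { System.out.println("OK: entry is usable for jar signing"); return; }
        found.forEach(p -> System.out.println("PROBLEM: " + p));
        System.exit(1);
    }
}
```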
Re: Getting screensharing application signed
Posted by re...@meecoda.de.
Dear Rob,
thanks a lot for your response. I had a look at the example and it
seems it describes the use of a self-signed certificate (couldn't
figure out where a third party issues or verifies the certificate used
for signing). This already works in standard OM(2/3). What I need are
instructions on how to use an existing (trusted and verified class 2
server-)certificate for code signing. It seems our OM/build.xml setup
is correct (incl. the keystore) as we get the following error message:
"This jar contains entries whose signer certificate's ExtendedKeyUsage
extension doesn't allow code signing."
Doing some research, this points to a limitation of the
(server-)certificate, which might not be used for code signing. It
seems some server certificates can do the signing and some not.
Confusing!!!
Cheers,
Rene'
Quoting Roberto Resoli <ro...@resolutions.it>:
> On 01 April 2014 22:14:20 CEST, Roberto Resoli
> <ro...@resolutions.it> wrote:
>> On 01 April 2014 22:07:34 CEST, Rene' Rosenbaum <re...@meecoda.de>
>> wrote:
>>> Hi,
>>> not sure, but think this is rather an issue of the certificate itself
>>> than the settings (in OM). Keep you guys posted ... Rene'
>>
>> I guess you need a keystore with a private key and a corresponding
>> certificate. I have some experience in this, even if not om specific.
>>
>> Ask if you never set up a keystore for software signing.
>>
>> bye,
>> rob
>
> In the meanwhile, some instructions from another project I work on
> (in Italian only atm, sorry):
>
> http://sourceforge.net/apps/trac/j4sign/wiki/HowtoSignCode
>
> rob
Re: Getting screensharing application signed
Posted by Maxim Solodovnik <so...@gmail.com>.
Never saw such error :(
Need to be googled :)
On Wed, Apr 2, 2014 at 6:38 PM, <re...@meecoda.de> wrote:
> Hi Maxime,
> our RTMPS/HTTPS setup works well. Our certificate is used for secure
> communication. This basically means all done from configuration/keystore
> side. However, using it for code signing leads to an error which points to
> a limitation of the certificate itself (see prior post to Rob). Thanks for
> your help, anyway!!!
> Rene'
>
>
> Quoting Maxim Solodovnik <so...@gmail.com>:
>
>> Here is the example as well:
>> http://openmeetings.apache.org/RTMPSAndHTTPS.html
>>
>>
>> On Wed, Apr 2, 2014 at 3:19 AM, Roberto Resoli <roberto@resolutions.it> wrote:
>>
>>> On 01 April 2014 22:14:20 CEST, Roberto Resoli <ro...@resolutions.it>
>>> wrote:
>>> >On 01 April 2014 22:07:34 CEST, Rene' Rosenbaum <re...@meecoda.de>
>>> >wrote:
>>> >>Hi,
>>> >>not sure, but think this is rather an issue of the certificate itself
>>> >>than the settings (in OM). Keep you guys posted ... Rene'
>>> >
>>> >I guess you need a keystore with a private key and a corresponding
>>> >certificate. I have some experience in this, even if not om specific.
>>> >
>>> >Ask if you never set up a keystore for software signing.
>>> >
>>> >bye,
>>> >rob
>>>
>>> In the meanwhile, some instructions from another project I work on (in
>>> Italian only atm, sorry):
>>>
>>> http://sourceforge.net/apps/trac/j4sign/wiki/HowtoSignCode
>>>
>>> rob
>>>
>>>
>>
>>
>> --
>> WBR
>> Maxim aka solomax
>>
>
>
>
>
Re: Getting screensharing application signed
Posted by re...@meecoda.de.
Hi Maxime,
our RTMPS/HTTPS setup works well. Our certificate is used for secure
communication. This basically means all done from
configuration/keystore side. However, using it for code signing leads
to an error which points to a limitation of the certificate itself
(see prior post to Rob). Thanks for your help, anyway!!!
Rene'
Quoting Maxim Solodovnik <so...@gmail.com>:
> Here is the example as well:
> http://openmeetings.apache.org/RTMPSAndHTTPS.html
>
>
> On Wed, Apr 2, 2014 at 3:19 AM, Roberto Resoli <ro...@resolutions.it> wrote:
>
>> On 01 April 2014 22:14:20 CEST, Roberto Resoli <ro...@resolutions.it>
>> wrote:
>> >On 01 April 2014 22:07:34 CEST, Rene' Rosenbaum <re...@meecoda.de>
>> >wrote:
>> >>Hi,
>> >>not sure, but think this is rather an issue of the certificate itself
>> >>than the settings (in OM). Keep you guys posted ... Rene'
>> >
>> >I guess you need a keystore with a private key and a corresponding
>> >certificate. I have some experience in this, even if not om specific.
>> >
>> >Ask if you never set up a keystore for software signing.
>> >
>> >bye,
>> >rob
>>
>> In the meanwhile, some instructions from another project I work on (in
>> Italian only atm, sorry):
>>
>> http://sourceforge.net/apps/trac/j4sign/wiki/HowtoSignCode
>>
>> rob
>>
>
>
>
Re: Getting screensharing application signed
Posted by Maxim Solodovnik <so...@gmail.com>.
Here is the example as well:
http://openmeetings.apache.org/RTMPSAndHTTPS.html
On Wed, Apr 2, 2014 at 3:19 AM, Roberto Resoli <ro...@resolutions.it> wrote:
> On 01 April 2014 22:14:20 CEST, Roberto Resoli <ro...@resolutions.it>
> wrote:
> >On 01 April 2014 22:07:34 CEST, Rene' Rosenbaum <re...@meecoda.de>
> >wrote:
> >>Hi,
> >>not sure, but think this is rather an issue of the certificate itself
> >>than the settings (in OM). Keep you guys posted ... Rene'
> >
> >I guess you need a keystore with a private key and a corresponding
> >certificate. I have some experience in this, even if not om specific.
> >
> >Ask if you never set up a keystore for software signing.
> >
> >bye,
> >rob
>
> In the meanwhile, some instructions from another project I work on (in
> Italian only atm, sorry):
>
> http://sourceforge.net/apps/trac/j4sign/wiki/HowtoSignCode
>
> rob
>
Re: Getting screensharing application signed
Posted by Roberto Resoli <ro...@resolutions.it>.
On 01 April 2014 22:14:20 CEST, Roberto Resoli <ro...@resolutions.it> wrote:
>On 01 April 2014 22:07:34 CEST, Rene' Rosenbaum <re...@meecoda.de>
>wrote:
>>Hi,
>>not sure, but think this is rather an issue of the certificate itself
>>than the settings (in OM). Keep you guys posted ... Rene'
>
>I guess you need a keystore with a private key and a corresponding
>certificate. I have some experience in this, even if not om specific.
>
>Ask if you never set up a keystore for software signing.
>
>bye,
>rob
In the meanwhile, some instructions from another project I work on (in Italian only atm, sorry):
http://sourceforge.net/apps/trac/j4sign/wiki/HowtoSignCode
rob
Re: Getting screensharing application signed
Posted by Roberto Resoli <ro...@resolutions.it>.
On 01 April 2014 22:07:34 CEST, Rene' Rosenbaum <re...@meecoda.de> wrote:
>Hi,
>not sure, but think this is rather an issue of the certificate itself
>than the settings (in OM). Keep you guys posted ... Rene'
I guess you need a keystore with a private key and a corresponding certificate. I have some experience in this, even if not om specific.
Ask if you never set up a keystore for software signing.
bye,
rob
Re: Getting screensharing application signed
Posted by Rene' Rosenbaum <re...@meecoda.de>.
Hi,
not sure, but think this is rather an issue of the certificate itself
than the settings (in OM). Keep you guys posted ... Rene'
On 4/1/2014 11:00 AM, Maxim Solodovnik wrote:
> I believe you need to perform steps similar to RTMPS settings to get your
> certificate available for signing
> On Apr 1, 2014 2:37 PM, "Rene' Rosenbaum" <re...@meecoda.de> wrote:
>
>> Hi Maxime,
>> thanks for your help! I took some code from 3.0 and merged it into the
>> build.xml. Works well from that point of view. However, it seems a specific
>> code signing certificate is necessary to get the code signed with an
>> individual fingerprint. An ordinary server certificate doesn't work
>> (according to the web community).
>> best regards,
>> Rene'
>>
>>
>> On 3/1/2014 6:34 PM, Maxim Solodovnik wrote:
>>
>>> I would use the server one.
>>> you need to create a java keystore using it and put it instead of the generated
>>> one into the build folder
>>> then run
>>> ant -Dskip.sign.key.generation=true signWebStartJars
>>>
>>> (should work in 3.0/3.1, never tried it since I have no "real certificate")
>>>
>>>
>>> On Sun, Mar 2, 2014 at 12:29 AM, Rene' Rosenbaum <re...@meecoda.de> wrote:
>>>
>>>> Hi Maxime,
>>>> thanks for your quick response! Found the location at build.xml, but not
>>>> sure what to do next. We got a server certificate for the domain
>>>> OpenMeetings is running, and I was under the impression I have to use
>>>> this certificate to sign the WebStartJar. Or do I need a completely different
>>>> one (similar to the one used to communicate between red5 and the Flash
>>>> client (as described in /trunk/docs/RTMPSAndHTTPS.html))?
>>>> Cheers,
>>>> Rene'
>>>>
>>>>
>>>> On 3/1/2014 6:04 PM, Maxim Solodovnik wrote:
>>>>
>>>>> hello Rene,
>>>>> current certificate being used is generated by ant (search build.xml for
>>>>> "genkey")
>>>>> 3.0/3.1 versions contain modifications for using a different certificate
>>>>> for signing (manual steps are still required)
>>>>> I would recommend to check build.xml from the trunk then ask questions
>>>>>
>>>>>
>>>>> On Sat, Mar 1, 2014 at 11:26 PM, Rene' Rosenbaum <re...@meecoda.de> wrote:
>>>>>
>>>>>> Dear all,
>>>>>> we are running OM 2.0 and made some modifications to the screensharing
>>>>>> application. May you please let me know how to sign this (Java)
>>>>>> application? We use SSL and would like to apply our own certificate here.
>>>>>> As shown in the attachment, currently a certificate issued to Sebastian
>>>>>> is used. Thanks a lot for your help in advance! Any bit of information
>>>>>> pointing us in the right direction is highly appreciated.
>>>>>> best regards,
>>>>>> Rene'
Re: Getting screensharing application signed
Posted by Maxim Solodovnik <so...@gmail.com>.
I believe you need to perform steps similar to RTMPS settings to get your
certificate available for signing
On Apr 1, 2014 2:37 PM, "Rene' Rosenbaum" <re...@meecoda.de> wrote:
> Hi Maxime,
> thanks for your help! I took some code from 3.0 and merged it into the
> build.xml. Works well from that point of view. However, it seems a specific
> code signing certificate is necessary to get the code signed with an
> individual fingerprint. An ordinary server certificate doesn't work
> (according to the web community).
> best regards,
> Rene'
>
>
> On 3/1/2014 6:34 PM, Maxim Solodovnik wrote:
>
>> I would use the server one.
>> you need to create a java keystore using it and put it instead of the generated
>> one into the build folder
>> then run
>> ant -Dskip.sign.key.generation=true signWebStartJars
>>
>> (should work in 3.0/3.1, never tried it since I have no "real certificate")
>>
>>
>> On Sun, Mar 2, 2014 at 12:29 AM, Rene' Rosenbaum <re...@meecoda.de> wrote:
>>
>>> Hi Maxime,
>>> thanks for your quick response! Found the location at build.xml, but not
>>> sure what to do next. We got a server certificate for the domain
>>> OpenMeetings is running, and I was under the impression I have to use
>>> this certificate to sign the WebStartJar. Or do I need a completely different
>>> one (similar to the one used to communicate between red5 and the Flash
>>> client (as described in /trunk/docs/RTMPSAndHTTPS.html))?
>>> Cheers,
>>> Rene'
>>>
>>>
>>> On 3/1/2014 6:04 PM, Maxim Solodovnik wrote:
>>>
>>>> hello Rene,
>>>> current certificate being used is generated by ant (search build.xml for
>>>> "genkey")
>>>> 3.0/3.1 versions contain modifications for using a different certificate
>>>> for signing (manual steps are still required)
>>>> I would recommend to check build.xml from the trunk then ask questions
>>>>
>>>>
>>>> On Sat, Mar 1, 2014 at 11:26 PM, Rene' Rosenbaum <re...@meecoda.de> wrote:
>>>>
>>>>> Dear all,
>>>>> we are running OM 2.0 and made some modifications to the screensharing
>>>>> application. May you please let me know how to sign this (Java)
>>>>> application? We use SSL and would like to apply our own certificate here.
>>>>> As shown in the attachment, currently a certificate issued to Sebastian
>>>>> is used. Thanks a lot for your help in advance! Any bit of information
>>>>> pointing us in the right direction is highly appreciated.
>>>>> best regards,
>>>>> Rene'
>>
>