The GridShib CA Java Web Start Credential Retriever client contains a set of CA certificates that it uses to validate the HTTPS connection back to the web server from which it was launched.
Note: the behavior described here differs depending on whether UseBundledCAs is set to true in gridshib-ca.conf.
If the CA certificate that signed your web server's certificate is not in the shipped jar, your users will be prompted whether to proceed.
To remove this prompt, add the CA for your web server certificate to the GridShib-CA jar file and then re-sign the jar with a local signing credential. Any X.509 certificate and private key will do as the signing credential, but choose one with a sufficiently long lifetime so that you do not have to re-sign the jar often (e.g., not a short-lived certificate from MyProxy or KCA, but one with a year's lifetime).
For this process, you will need:
A number of Java applications echo passwords to the screen as they are typed. Be aware of this as you proceed, and be wary of carrying out this process in a public place.
All of these commands assume you are running in the directory created by unpacking the GridShibCA tarball.
Convert the credential you will use to sign the new jar to PKCS12 format. In this case it is assumed the credential is in your ~/.globus directory with the default names (usercert.pem for the certificate and userkey.pem for the key) - if not you will need to adjust the following command accordingly. The first password you will be prompted for is the existing password for your private key. The second (and third) password you will be prompted for is a new password you create to protect the PKCS12 store (you can reuse your current private key password if you wish).
% openssl pkcs12 -export -in ~/.globus/usercert.pem \
    -inkey ~/.globus/userkey.pem -out mycred.pkcs12
Now add your CA certificate to the trustStore that comes with the GridShib CA distribution. This command assumes your CA certificate is in a PEM formatted file called "myca-cert.0" and stores it under the alias "myca". The storepass is not used for anything, but has to be supplied to keytool, so a dummy value ("abcdef") is used.
% keytool -import -keystore resources/trustStore -noprompt \
    -storepass abcdef -file myca-cert.0 -alias myca
You can repeat this step as needed to add multiple CA certificates (in case you want to use the same jar with multiple web servers); you just need to use a unique argument to -alias for each CA certificate.
Now update the GridShibCA jar file with the updated trust store. First unsign the jar by un-jarring it, deleting the signature files (META-INF/*.SF and the matching *.RSA or *.DSA signature blocks), and re-jarring it. (Unsigning the jar is required if you sign it with a different keystore than the one it was originally signed with, and optional if you re-sign it with the same keystore.)
In the directory containing the GridShibCA-2-0-0.jar file, run the following commands.
% mkdir temporary
Now re-sign the jar with the PKCS12 store you created with openssl above. Use the password you chose when creating that store (the "Export Password").
% jarsigner -keystore mycred.pkcs12 -storetype pkcs12 \
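The whole procedure above as one script. This is an added example, not code from the GridShib CA distribution or its documentation. It assumes the jar sits in the current directory (override with JAR=...), that the trustStore lives at resources/trustStore inside the jar, and it picks the PKCS12 alias "gridshib-signer" so jarsigner does not depend on the alias OpenSSL would otherwise assign. It also adds two checks the steps above do not spell out: it refuses a signing certificate that expires within a year, and it runs jarsigner -verify on the result. Nothing runs unless RESIGN_RUN=1 is set, so the file can be sourced to reuse its helpers.

```shell
#!/bin/sh
# Added example (not part of GridShib CA): re-sign the Credential Retriever jar
# with a local trust store. Assumptions, not from the page: SIGNER_ALIAS, the
# trustStore path inside the jar, and the jar location. Run from the unpacked
# GridShibCA tarball directory.
set -eu

JAR=${JAR:-GridShibCA-2-0-0.jar}       # assumption: jar is in the current directory
TRUSTSTORE=resources/trustStore
STOREPASS=abcdef                       # dummy value; the trustStore password is not used
P12=mycred.pkcs12
SIGNER_ALIAS=gridshib-signer           # assumed friendlyName/alias for the signing key

# Jar entries that carry a signature: META-INF/*.SF plus the *.RSA/*.DSA/*.EC
# signature blocks. Removing exactly these "unsigns" the jar; MANIFEST.MF stays.
is_signature_entry() {
  case "$(printf '%s' "$1" | tr 'a-z' 'A-Z')" in
    META-INF/*.SF|META-INF/*.RSA|META-INF/*.DSA|META-INF/*.EC) return 0 ;;
    *) return 1 ;;
  esac
}

# keytool needs a distinct -alias per CA; derive one from the file name
# (lowercased, anything outside [a-z0-9_-] replaced by '-').
alias_for_ca_file() {
  printf '%s' "${1##*/}" | tr 'A-Z' 'a-z' | tr -c 'a-z0-9_-' '-'
}

# Step 1: PKCS12 export, refusing a signing certificate that expires within a year
# (openssl -checkend exits non-zero if the cert expires within the given seconds).
export_signer() {
  openssl x509 -in ~/.globus/usercert.pem -noout -checkend $((365*24*3600)) \
    || { echo "signing cert expires within a year; use a longer-lived one" >&2; return 1; }
  openssl pkcs12 -export -in ~/.globus/usercert.pem -inkey ~/.globus/userkey.pem \
    -name "$SIGNER_ALIAS" -out "$P12"
}

# Step 2: import every CA certificate given on the command line, then list the store.
import_cas() {
  for ca in "$@"; do
    keytool -import -keystore "$TRUSTSTORE" -noprompt -storepass "$STOREPASS" \
      -file "$ca" -alias "$(alias_for_ca_file "$ca")"
  done
  keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
}

# Step 3: unjar, drop the old signature files, install the new trustStore, re-jar
# with the original manifest.
rebuild_jar() {
  rm -rf temporary && mkdir temporary
  ( cd temporary && jar xf "../$JAR" )
  for f in temporary/META-INF/*; do
    if [ -f "$f" ] && is_signature_entry "${f#temporary/}"; then rm -f "$f"; fi
  done
  mkdir -p temporary/resources
  cp "$TRUSTSTORE" temporary/resources/trustStore   # assumption: same path inside the jar
  mv temporary/META-INF/MANIFEST.MF manifest.tmp
  ( cd temporary && jar cfm "../$JAR" ../manifest.tmp . )
  rm -rf temporary manifest.tmp
}

# Step 4: sign with the PKCS12 store (prompts for the Export Password) and verify.
sign_jar() {
  jarsigner -keystore "$P12" -storetype pkcs12 "$JAR" "$SIGNER_ALIAS"
  jarsigner -verify -certs "$JAR"
}

if [ "${RESIGN_RUN:-0}" = 1 ]; then
  export_signer
  import_cas "$@"
  rebuild_jar
  sign_jar
fi
```

Usage: RESIGN_RUN=1 sh resign.sh myca-cert.0 otherca-cert.0. Because the openssl and jarsigner prompts may echo what you type, jarsigner's -storepass:env VARIABLE form is an alternative to typing the Export Password at the prompt.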