Adding CA Certificates To JWS Client

The GridShib CA Java Web Start Credential Retriever client contains a set of CA certificates that it uses to validate the https connection back to the web server from which it was launched.

Note: The behavior described here differs depending on whether UseBundledCAs is true or not in gridshib-ca.conf.

If the CA certificate used to sign your web server's certificate is not in the shipped jar, your users will be prompted to proceed.

To remove this prompt, you will need to add the CA for your web server certificate to the GridShib-CA jar file and then re-sign the jar file with a local signing credential. For the signing credential, any X.509 certificate and private key will do, though you want one with a sufficiently long lifetime so that you don't have to re-sign the jar often (i.e. don't use a short-lived certificate from MyProxy or KCA, but a certificate with a year's lifetime).

1. Prerequisites

For this process, you will need:

  • The following Java applications: keytool, jar, jarsigner

  • Your CA certificate in PEM format.

  • A signing credential with which to sign the new jar containing your web server's CA certificate.

  • The openssl application to convert your signing credential to PKCS12 format.

2. Warning

A number of Java applications echo passwords to the screen as they are typed, so be aware of this as you proceed and be wary of doing this process in a public place.

3. Change to GridShib CA distribution directory

All of these commands assume you are running in the directory created by unpacking the GridShibCA tarball.

4. Convert signing credential to PKCS12

Convert the credential you will use to sign the new jar to PKCS12 format. In this case it is assumed the credential is in your ~/.globus directory with the default names (usercert.pem for the certificate and userkey.pem for the key) - if not you will need to adjust the following command accordingly. The first password you will be prompted for is the existing password for your private key. The second (and third) password you will be prompted for is a new password you create to protect the PKCS12 store (you can reuse your current private key password if you wish).

% openssl pkcs12 -export -in ~/.globus/usercert.pem \
-inkey ~/.globus/userkey.pem -name default \
-out mycred.pkcs12
Enter pass phrase for /Users/vwelch/.globus/userkey.pem:
Enter Export Password:
Verifying - Enter Export Password:

5. Add your CA certificate to trustStore

Now add your CA certificate to the trustStore that comes with the GridShib CA distribution. This command assumes your CA certificate is in a PEM formatted file called "myca-cert.0". The storepass is not used for anything, but has to be supplied to keytool, so a dummy value ("abcdef") is used.

% keytool -import -keystore resources/trustStore -noprompt \
-alias "MyCA" -storepass abcdef -file myca-cert.0
Certificate was added to keystore

You can repeat this step as needed to add multiple CA certificates (in case you want to use the same jar with multiple web servers); you just need to use a unique argument to -alias for each CA certificate.

6. Update GridShibCA jar

Now update the GridShibCA jar file with the updated trust store.  You should first UNsign the jar file by un-jarring the jar file, deleting several files, and re-jarring the file.  (Unsigning the jar is a requirement if you use a different keystore to sign the jar, but optional if you use the same keystore to sign the jar.)

Note: When you do this, you will break the signature on the jar (which we address in the subsequent step).

Note: The version number of the GridShib CA distribution is embedded in the jar filename; you will need to adjust it accordingly in the directions below.

In the directory containing the GridShibCA-2-0-0.jar file, run the following commands.

% mkdir temporary
% cd temporary
% jar xvf ../GridShibCA-2-0-0.jar
% rm -f META-INF/*.{DSA,RSA,SF}
% jar cvf ../GridShibCA-2-0-0.jar.modified .
% cd ..
% rm -rf temporary
% jar uf GridShibCA-2-0-0.jar.modified resources/trustStore
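
A check to run on the unsigned jar before step 7, as an added example that is not part of the GridShib CA distribution; the function names and the 300-day default are assumptions. It also looks for .EC and SIG-* entries, which the JAR format treats as signature files but the rm pattern above does not cover.

```shell
#!/bin/sh
# Added example (not GridShib CA code): checks for the unsigned jar and the
# signing certificate. Function names and the 300-day default are assumptions.

# Print signature-related entries found in a jar listing read from stdin
# (for instance the output of `jar tf`). Besides *.DSA, *.RSA and *.SF, the
# JAR format also treats *.EC and SIG-* under META-INF/ as signature files.
# Matching is case-insensitive to be on the safe side.
stale_signature_entries() {
    grep -E -i '^META-INF/([^/]+\.(SF|DSA|RSA|EC)|SIG-[^/]*)$' || true
}

# Succeed only if the PEM certificate in $1 is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Check an unsigned jar ($1) and the signing certificate ($2) before signing.
# $3 is the minimum remaining certificate lifetime in days (default 300).
preflight() {
    min_days=${3:-300}
    leftovers=$(jar tf "$1" | stale_signature_entries)
    if [ -n "$leftovers" ]; then
        echo "old signature files still present in $1:" >&2
        echo "$leftovers" >&2
        return 1
    fi
    if ! jar tf "$1" | grep -qx 'resources/trustStore'; then
        echo "resources/trustStore missing from $1" >&2
        return 1
    fi
    if ! cert_valid_for_days "$2" "$min_days"; then
        echo "signing certificate expires within $min_days days" >&2
        return 1
    fi
    echo "ok: $1 is ready to sign"
}

# Example call, with the file names used on this page:
#   preflight GridShibCA-2-0-0.jar.modified ~/.globus/usercert.pem
```

After step 7, `jarsigner -verify GridShibCA-2-0-0.jar` confirms that the new signature is intact.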

7. Sign new jar file

Now re-sign the jar with the PKCS12 store you created in step 4. Use the password you created in step 4 (the "Export Password").

% jarsigner -keystore mycred.pkcs12 -storetype pkcs12 \
-signedjar GridShibCA-2-0-0.jar \
GridShibCA-2-0-0.jar.modified default
Enter Passphrase for keystore:

8. Install new jar file

Now install your new GridShibCA jar.

% make install