The GridShib-CA GridShibCA.jar Java Web Start client comes with a bundle of CAs (specifically the IGTF distribution) that it uses to verify the https certificate of the Apache instance in which the GridShib-CA server is running. If the certificate of that Apache instance is not in this bundle, the user will get unfriendly errors. This document describes the process of adding certificates to that jar without having to rebuild all the java code.
Note that, as an alternative, you can build the GridShib-CA from CVS. If doing so, put any new certificates to be trusted in java/GridShibCAClient/trusted-https-certs/ and then rebuild the truststore ('make truststore') and jar ('
WARNING: A number of java applications echo passwords to the screen as they are typed, so be aware of this as you proceed and be wary of doing this process in a public place.
For this process, you will need:
- A java keystore containing the key you will sign the jar with (in the default location, ~/.keystore; see the note under "Sign new jar file" if yours is elsewhere)
- The following java applications: keytool, jar, jarsigner
Change to GridShib CA distribution directory
All of these commands assume you are running in the top-level directory created by unpacking the GridShibCA tarball (typically "" or something similar).
Add your CA certificate to trustStore
Now add your CA certificate to the truststore that comes with the GridShib CA distribution (it should be in java/GridShibCAClient/resources/trustStore). These directions assume your CA certificate is in a PEM formatted file called "myca-cert.0". The storepass argument is not used for anything, but keytool requires it to be supplied, so a dummy value ("abcdef") is used.
% keytool -import -keystore java/GridShibCAClient/resources/trustStore -noprompt -alias "MyCA" -storepass abcdef -file myca-cert.0
Certificate was added to keystore
You can repeat this step as needed to add multiple CA certificates (in case you want to use the same jar with multiple web servers); you just need to use a unique argument to -alias for each CA certificate.
Update GridShibCA jar
First, locate the jar file to which you need to add the certificate. You can do that by looking for the definition of JAR_PATH in the Makefile:
% grep ^JAR_PATH Makefile
JAR_PATH = java/GridShibCAClient/dist/GridShibCA-2.0.0.jar
Now update the GridShibCA jar file with the updated trust store.
Note: When you do this, you will break the signature on the jar (which we address in the subsequent step).
Note: The version number of the GridShib CA distribution is embedded in the jar filename; you will need to adjust it accordingly in the directions below.
% jar uf
Sign new jar file
Now resign the jar with your keystore. Use the password you created when you established the keystore (the "Export Password").
Note: This assumes your keystore is in the default location (~/.keystore); if not, add a "-keystore /path/to/keystore" argument.
Note: For the subsequent install to work, the signed jar (first filename argument) must be the original location of the GridShibCA jarfile (i.e. the value of JAR_PATH in the Makefile).
% jarsigner -storetype pkcs12 -signedjar
Enter Passphrase for keystore:
Install new jar file
Now install your new jar file. You probably need to be root to have appropriate permissions.
% sudo make install
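Before running the install step, it is worth confirming that the CA alias really landed in the truststore, that the truststore is inside the jar named by JAR_PATH, and that the re-signed jar verifies; a jar that fails any of these will produce the same unfriendly client errors this document sets out to avoid. The following check script is an added example, not part of the GridShib-CA distribution; it assumes the paths and dummy storepass used in the directions above, and that the truststore entry inside the jar keeps the file name "trustStore".

```shell
# Added check script (not part of GridShib-CA). Run from the distribution
# top-level directory after re-signing, before "make install".
TRUSTSTORE=java/GridShibCAClient/resources/trustStore
TRUSTSTORE_PASS=abcdef        # dummy value, as in the directions above

# Print the JAR_PATH value from the given Makefile (empty if not defined).
jar_path_from_makefile() {
    sed -n 's/^JAR_PATH[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Succeed only if jarsigner's verify output (read from stdin) reports success.
# jarsigner prints "jar verified." on success, possibly followed by warnings.
signature_ok() {
    grep -q '^jar verified\.'
}

# Succeed only if the named alias exists in the modified truststore
# (keytool exits non-zero when -alias names an entry that is not there).
alias_in_truststore() {
    keytool -list -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS" \
        -alias "$1" >/dev/null 2>&1
}

# Run all checks for the CA aliases given as arguments; return non-zero on
# the first failure so that "sudo make install" can be gated on it.
check_before_install() {
    jar=$(jar_path_from_makefile Makefile)
    [ -n "$jar" ] && [ -f "$jar" ] \
        || { echo "JAR_PATH jar not found: '$jar'" >&2; return 1; }
    for a in "$@"; do
        alias_in_truststore "$a" \
            || { echo "alias $a missing from $TRUSTSTORE" >&2; return 1; }
    done
    # The updated truststore must actually be inside the jar to be installed
    # (assumption: the entry keeps the file name "trustStore").
    jar tf "$jar" | grep -q 'trustStore$' \
        || { echo "no trustStore entry in $jar" >&2; return 1; }
    # The re-signed jar must verify; an unsigned or broken jar fails here.
    jarsigner -verify "$jar" | signature_ok \
        || { echo "signature on $jar does not verify" >&2; return 1; }
    echo "checks passed for $jar; safe to run: sudo make install"
}

# Usage:  sh check_jar.sh MyCA [OtherCA ...]
if [ "$#" -ge 1 ]; then check_before_install "$@"; fi
```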