Author Install Sun Certificate on Remote PC
bosticjames@yahoo.com

2006-03-24, 7:10 pm

I need to install a Sun Java certificate on a few thousand PCs in our
organization.

These PCs are members of an Active Directory, but unfortunately on a
large number of these we use non-administrator local logon credentials.
So I think any type of GPO might be out of the question (if I'm
wrong, please let me know).

I have full admin access to these boxes and I can run any type of
scripts I want. It seems as though when you install a Sun certificate,
you've got to install it as the user that is logged in. I was hoping
that I might be able to install it more on a global level for all
users. But I can't seem to figure out how to do that.

Since these users don't have admin access, I can't have them do
something and install it.

Also, (I know, dream world here), I was hoping I might be able to drop
the certificate on the remote PC, make a few registry changes, and have
it done. It doesn't seem that easy.

Any help you techies out there could give me, I sure would appreciate
it. I need some creative out of the box thinking.

Thanks,
James

Roedy Green

2006-03-24, 7:10 pm

On 24 Mar 2006 09:30:19 -0800, bosticjames@yahoo.com wrote, quoted or
indirectly quoted someone who said :

>I need to install a Sun Java certificate on a few thousand PCs in our
>organization.

Here's a thought. What if you simply replace the cacerts or .keystore
file on each machine with a corporate standard one. There is a
possibility none, or almost none, should contain a private cert. It is
just a file.

If Java won't let you do it, a small C program or script should.
--
Canadian Mind Products, Roedy Green.
http://mindprod.com Java custom programming, consulting and coaching.

bosticjames@yahoo.com

2006-03-27, 10:01 pm

Roedy,

Thanks for your input, I sure do like the idea. I've read some on
your web site, as well as many of your replies to other people... you
sure know your stuff. I on the other hand, don't when it comes to
these certificates. It's just something I haven't had to deal much
with.

I've tried to do some additional reading up on the subject, but
it's not getting much clearer. I don't think we're currently
using any private certs, so replacing the cacerts or .keystore file
might be a very valid solution. Here is the issue I have: when I
manually add the cert to one of my test PCs (Ctrl Panel | Java |
Security Tab | Certificates | Import), all of the cacerts and .keystore
files do not change. It's as though the Sun cert is doing something
else and not using those files. So am I missing something here,
or would replacing one of the files do any good, given the fact they
don't change?

The certificate that I'm importing is a .CSR file. That certificate
is for one of our new web applications. We do purchase quite a few
certs from VeriSign, but I don't know if this is one of them. Would
possibly using one of them solve this issue because it would already be
trusted? Since I have to import these through the Sun Java interface,
I don't know if that puts a kink in this.

Sorry for not knowing much about all of this, but I'm working on it.

Thanks,
James

Roedy Green

2006-03-27, 10:01 pm

On 27 Mar 2006 14:20:09 -0800, bosticjames@yahoo.com wrote, quoted or
indirectly quoted someone who said :

> Here is the issue I have: when I
>manually add the cert to one of my test PCs (Ctrl Panel | Java |
>Security Tab | Certificates | Import), all of the cacerts and .keystore
>files do not change. It's as though the Sun cert is doing something
>else and not using those files.


See http://mindprod.com/jgloss/keystore.html
http://mindprod.com/jgloss/cacerts.html

There are quite a few copies of these files floating around. You want
to make sure you are looking at the active ones.

Windows has its own certificate repository somewhere, probably buried
in the registry. It is possible Java sometimes uses that.

You might experiment by installing a cert in IE and using
regmon/filemon to see where it goes, then looking with keystore to see
if Java can see it.

Check out Mitch Gallant's site. He has done more experimenting than
anyone.

In a way I would hope my solution would fail. It should not be that
easy to totally defang the security sandbox. But I suppose, once you
have write access to the disk, you have the keys to the kingdom.

--
Canadian Mind Products, Roedy Green.
http://mindprod.com Java custom programming, consulting and coaching.
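
Added example, not part of the original thread and not code from either poster: a Python script for the check implied by "make sure you are looking at the active ones" and by the plan to push a corporate-standard cacerts. It finds every cacerts copy under the given roots and reports which ones differ from the baseline file; the JRE directory names and file contents are constructed for the demo, and `lib/security/cacerts` is assumed as the usual JRE location.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_cacerts(roots):
    """Yield every file named 'cacerts' that sits in a lib/security directory."""
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            if "cacerts" in files and dirpath.replace("\\", "/").endswith("lib/security"):
                yield os.path.join(dirpath, "cacerts")

def audit(roots, baseline_path):
    """Split the cacerts copies found into those matching the baseline and those that differ."""
    expected = sha256_of(baseline_path)
    report = {"match": [], "differ": []}
    for path in sorted(find_cacerts(roots)):
        key = "match" if sha256_of(path) == expected else "differ"
        report[key].append(path)
    return report

def demo():
    """Build a constructed tree with three JRE copies (hypothetical names) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline = os.path.join(tmp, "corporate-cacerts")
        with open(baseline, "wb") as f:
            f.write(b"CONSTRUCTED-BASELINE-STORE")
        contents = {"jre1.5.0_06": b"CONSTRUCTED-BASELINE-STORE",
                    "jre1.4.2_10": b"CONSTRUCTED-OLD-STORE",
                    "jdk1.5.0_06/jre": b"CONSTRUCTED-BASELINE-STORE"}
        for jre, data in contents.items():
            sec = os.path.join(tmp, "Java", *jre.split("/"), "lib", "security")
            os.makedirs(sec)
            with open(os.path.join(sec, "cacerts"), "wb") as f:
                f.write(data)
        report = audit([os.path.join(tmp, "Java")], baseline)
        return {k: [os.path.relpath(p, tmp).replace(os.sep, "/") for p in v]
                for k, v in report.items()}

if __name__ == "__main__":
    print(demo())
```

Run on a schedule against a known-good baseline, the same comparison also flags a trust store that has been changed after deployment.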

Copyright 2008 codecomments.com