Home > Uncategorized > Add a self signed certificate to the JRE certificate store and distribute to clients

Add a self signed certificate to the JRE certificate store and distribute to clients

Self-signed certificates and elevated access:
If you are receiving “CertificateException: Your security configuration will not allow granting permission to self signed certificates,” then the setting deployment.security.askgrantdialog.notinca=false or “Enable granting elevated access to self-signed apps” is unchecked. Unfortunately, there is no way to whitelist certain self-signed applications by certificate, and in order to grant elevated access to self-signed apps, you must do so universally for all apps. I’d like to see this feature in the future, as support for certificate pinning is simply a good idea.

Also if you receive “The publisher cannot be verified by a trusted source. Code will be treated as unsigned,” you may want to import the public certificate that the JAR was signed with.

Obtain the certificate:
1) Start the JAR file as you would normally. You will be prompted with a warning “Do you want to run this application? The application will run with unrestricted access which may put your computer and personal information at risk. Run this application only if you trust the publisher.”
2) Check off “I accept the risk and want to run this application.”
3) Expand “Show Options” and check off “Always trust content from this publisher”, then click “Run” to store the self-signed certificate in the local store.

Add the certificate(s) to the Java store:
1) Change (or don’t) the default keystore password:
The password below is noted as new_JRESTOREPASS which must be changed.

"%programfiles%\Java\jre7\bin\keytool.exe" -storepasswd -keystore "%programfiles%\Java\jre7\lib\security\cacerts" -new new_JRESTOREPASS

2) List the current keys’ checksums/thumbprints that are located within the keystore:

"%programfiles%\Java\jre7\bin\keytool.exe" -list -keystore "%programfiles%\Java\jre7\lib\security\cacerts"

You could try to grep for the MD5 for the certificate you exported earlier.

3) You can then use Group Policy Preferences to distribute the certificate store to client machines: “%programfiles%\Java\jre7\lib\security\cacerts”


  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: