Java Webstart: howto share certificate with users

Question

I developed an application that uses Java Webstart. It needs write access to the disk so it has to be signed, but it would only be used by a limited group of users so I don\

Answer 1

In this scenario, it may be sufficient to check the SHA1 fingerprint associated with the self-signed certificate used to sign the JAR:

• Sign the JAR with your self-signed certificate.

• Use keytool -v -list to determine your certificate's fingerprint.

• Communicate the certificate's fingerprint in a mutually agreed way.

• Instruct user's to add your secure site to the Exception Site List in the Security tab of the Java Control Panel; this allows the user to retain the minimum recommended security level setting, High.

• At the security prompt, click on More Information to compare the communicated fingerprint with the one received.

This approach does not confer trust, but it reduces the risk of the user accepting an altered JAR.

Addendum: The article Self-signed certificates for a known community discusses how to export a self-signed certificate. Members of the community can then import the certificate as warranted.