I am attempting to deploy a JNLP file to a server, enabling clients to download my Java application for use on their machine. I have purchased an open source certificate from Certum as suggested by this post.
I followed the instructions in the post above to export my pem file as a pfx via Chrome, sign my jar, and I also added a -tsa flag to timestamp the jar. Here are the commands I used to sign/verify the jar using the exported pfx file:
keytool -list -v -storetype pkcs12 -keystore Certificates.p12
jarsigner -storetype pkcs12 -keystore Certificates.p12 Application.jar "cservices.certum.pl" -tsa http://timestamp.comodoca.com/rfc3161
jarsigner -verify Application.jar
This gives me the following output:
jar signed
jar verified.
Warning: This jar contains entries whose certificate chain is not validated.
Re-run with the -verbose and -certs options for more details.
Now when I deploy and download the software to my machine, Java is still telling me that I cannot open the app as it is self-signed and therefore a security risk.
How can I validate my certificate chain? Is that the error causing my security issue?
Below is my Application.jnlp file deployed to my Tomcat server:
<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0+" codebase="http://[url]/" href="Application.jnlp">
<information>
<title>Application</title>
<vendor>vendor</vendor>
<homepage href="http://localhost:8080/" />
<description>Testing Testing</description>
</information>
<security>
<all-permissions/>
</security>
<resources>
<j2se version="1.8+" />
<jar href="Application.jar" />
</resources>
<application-desc main-class="com.me.Application" />
</jnlp>
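The jarsigner warning above means the verifier could not build a path from the signer certificate embedded in the jar to a root trusted by the JRE (the cacerts store). jarsigner copies whatever chain is in the keystore into the signature block, so a PKCS#12 exported with only the end-entity certificate and no issuing CA certificates produces exactly this warning, and Java Web Start then treats the signer as untrusted. The script below is an added diagnostic example and is not part of the original question or of the tools it mentions: it parses `keytool -list -v` output for the "Certificate chain length" of the signing entry and checks `jarsigner -verify` output for the warning. The `KEYSTORE_PASS` variable name, the constructed sample outputs, and the `diagnose_keystore` helper are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original question): check whether the PKCS#12
# keystore used for signing actually carries the full certificate chain.

# chain_length reads `keytool -list -v` output on stdin and prints the
# "Certificate chain length" of the first PrivateKeyEntry (0 if the line is absent).
chain_length() {
    awk '/^Certificate chain length:/ { print $4; found = 1; exit }
         END { if (!found) print 0 }'
}

# unvalidated_warning reads `jarsigner -verify` output on stdin and prints
# "yes" if the chain-not-validated warning is present, "no" otherwise.
unvalidated_warning() {
    if grep -q 'certificate chain is not validated'; then
        echo yes
    else
        echo no
    fi
}

# diagnose_keystore runs the real tools against a keystore path ($1) and a
# signed jar ($2). The keystore password is read from KEYSTORE_PASS (assumed
# variable name). Returns 1 when only the end-entity certificate is present.
diagnose_keystore() {
    ks="$1"; jar="$2"
    [ -f "$ks" ] && [ -f "$jar" ] || { echo "keystore or jar not found" >&2; return 2; }
    len=$(keytool -list -v -storetype pkcs12 -keystore "$ks" -storepass "$KEYSTORE_PASS" | chain_length)
    warn=$(jarsigner -verify -verbose -certs "$jar" | unvalidated_warning)
    echo "certificate chain length in keystore: $len"
    echo "jarsigner chain-not-validated warning: $warn"
    if [ "$len" -le 1 ]; then
        echo "only the end-entity certificate is in the keystore;" \
             "re-export the PKCS#12 with the issuing CA certificates included, then re-sign"
        return 1
    fi
    return 0
}

# Constructed sample outputs (not real tool output) so the parsers can be
# exercised offline; the issuer names are placeholders.
SAMPLE_KEYTOOL='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: cservices.certum.pl
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Example Open Source Developer, O=Example
Issuer: CN=Example Issuing CA, O=Example'

SAMPLE_JARSIGNER='jar verified.

Warning: This jar contains entries whose certificate chain is not validated.
Re-run with the -verbose and -certs options for more details.'

# Usage: ./diagnose.sh Certificates.p12 Application.jar
if [ "$#" -eq 2 ]; then
    diagnose_keystore "$1" "$2"
fi
```

A chain length of 1 on a PrivateKeyEntry is the thing to look for: the signing keystore then has no intermediate CA certificate to embed, and no amount of timestamping changes that. Re-exporting the PKCS#12 with the full chain (or importing the CA certificates into the same alias) and re-signing is what lets both `jarsigner -verify` and Web Start build a path to a trusted root.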