
Code Signing?

SOLVED
Johndenver120_
New Contributor

Code Signing?

Hi all,

I am trying to find out the right process for creating a Java code signing certificate for a SA2000 appliance. Do I use the "New CSR" in Device Certificates or do I create it using Java Keytool? I'm aware of how to import it once I have it and that it has to be Verisign or Thawte but I want to make sure I send the right CSR.

...Also do I need this at all? Currently when clients connect with a Mac computer the security in Java 7 update 51 and 55 will not allow the self-sign cert of the SA appliance. I've read it was fixed in SA update 7.1R17 and newer but we are running this update and they still cannot connect. I assume I need this Code-Signing certificate to sign the java applets. I would like to resolve this properly and not have clients lower java security or add an exception.

Thanks!

Accepted Solutions
Kita_
Valued Contributor

Re: Code Signing?

Hello John,

 

The issue that was resolved in the latest release is specific to Juniper components (Network Connect, Host Checker, Juniper Setup Client, etc). Juniper had to re-sign the following components correctly to meet the new Java requirements in Java 7 update 51+. You should no longer experience any issues on the latest code. If so, please open a JTAC ticket so we can help review the current problem.

 

If you are referring to java applets hosted on a backend resource or website through core access or the rewrite engine, you will need a code signing certificate. You can follow the instructions on the Symantec/Verisign site to use Java keytool to create the keystore, csr and install the certificate from Symantec back to the keystore. Once this is done, you can import this to the SA device. For keytool instructions, please refer to https://knowledge.verisign.com/support/code-signing-support/index?page=content&id=AR185&actp=LIST&vi...
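
The keystore, CSR and install steps described in this answer, as an added example using the JDK `keytool`; it is not from the thread or from the Symantec article. The keystore file name, alias, subject and RSA-2048 key are assumptions, and the password is read from the `KS_PASS` environment variable.

```shell
#!/usr/bin/env bash
# Added example. KS, ALIAS and DNAME are placeholders, not values from the
# thread. The keystore password comes from $KS_PASS so it is never in argv.
set -eu

KS=${KS:-codesign.keystore}
ALIAS=${ALIAS:-codesign}
DNAME=${DNAME:-'CN=Example Corp, O=Example Corp, L=City, ST=State, C=US'}

# 1. Key pair. The private key exists only in $KS: back the file up, because
#    the CA's reply is useless without it. RSA-2048 is an assumption; use
#    whatever the CA's enrollment page asks for.
make_keystore() {
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
    -dname "$DNAME" -keystore "$KS" \
    -storepass:env KS_PASS -keypass:env KS_PASS
}

# 2. PKCS#10 request for the CA, written to $ALIAS.csr.
make_csr() {
  keytool -certreq -alias "$ALIAS" -file "$ALIAS.csr" \
    -keystore "$KS" -storepass:env KS_PASS
}

# 3. Pre-submission check: the file is a PEM request and keytool can parse it.
csr_ok() {
  grep -q -- '-BEGIN NEW CERTIFICATE REQUEST-' "$1" &&
    keytool -printcertreq -file "$1" >/dev/null
}

# 4. After issuance: import the CA's reply under the SAME alias so it
#    replaces the temporary self-signed certificate and chains to the key.
install_reply() {
  keytool -importcert -trustcacerts -alias "$ALIAS" -file "$1" \
    -keystore "$KS" -storepass:env KS_PASS
}

# Run as: KS_PASS=... ./script.sh csr
if [ "${1:-}" = "csr" ]; then
  make_keystore && make_csr && csr_ok "$ALIAS.csr" && echo "submit $ALIAS.csr"
fi
```

`install_reply` takes the path of the certificate file returned by the CA; importing it under a different alias creates a trusted-certificate entry with no private key attached.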

kalagesan_
Super Contributor

Re: Code Signing?

Hi,

 

I think you can use Java keytool to generate a new Java code signing certificate.

 

The SA device supports the following types of code-signing certificates:


• Microsoft Authenticode Certificate - SA uses this certificate to sign applets that run on either MS JVM or SUN JVM. Note that we only support Microsoft Authenticode Certificates issued by Verisign.

• JavaSoft Certificate - SA uses this certificate to sign applets that run on SUN JVM. Note that we only support JavaSoft Certificates issued by Verisign and Thawte.

 

After creating the code signing certificate you can use the below link to know the process of installing the code signing certificate; it is also documented in the SA admin guide.

 

 

http://www.juniper.net/techpubs/software/ive/guides/howtos/How_To_Certificates.pdf


Note: If I have answered your questions, you could mark this post as accepted solution, that way it could help others as well. Kudo will be a bonus thanks!

 

Regards,
Kannan

 

Johndenver120_
New Contributor

Re: Code Signing?

Do you "think" or do you know? The certificate is a little too expensive to throw caution to the wind. That's why I'm asking here first.

 

Also will the code-signing certificate solve the java security issue? 

SVK_
Regular Contributor

Re: Code Signing?

Hi John,

Please correct me if I am wrong.

If you are running 7.1R17, the code signing certificate on the device is valid till April 10th, 2015.

Please refer to the following KB:

http://kb.pulsesecure.net/KB14058

From your update I understand that you have been using a self-signed certificate on the SA device. Fixing this should resolve the issue.

First an HTTPS connection is attempted to SA to download the applet. Once the applet is downloaded, then the applet would be verified.

In this case the HTTPS connection would not be trusted as the device has a self-signed cert.

 

Regards,

SVK

 

 

kalagesan_
Super Contributor

Re: Code Signing?

Hi John,

 

I am sure of what I replied.

 

Regards,

Kannan

Johndenver120_
New Contributor

Re: Code Signing?

Thank you Kita (and everyone else). I think I have my answer!