Root Certificate Installer
by Roedy Green ©1996-2008 Canadian Mind Products
This essay is about a suggested student project in Java programming. This essay gives a rough overview of how it might work. It does not describe an actual complete program. I have no source, object, specifications, file layouts or anything else useful to implementing this project. Everything I have to say to help you with this project is written below. I am not prepared to help you implement it; I have too many other projects of my own.

I do contract work for a living, which could include writing a program such as this. However, I don’t do people’s homework for them. That just robs them of an education.

You have my full permission to implement this project any way you please.

The Problem

Manually updating root certificates is time consuming and too difficult for the average user to perform without error. Automating the process ensures it is done correctly and to the correct files.

Users need the most recent root certificates in order to use an Applet or a Java Web Start application signed by a recently issued code-signing certificate, or by a certificate from an obscure company whose root certificate is not included in the Sun distribution.

Without wide distribution of the corresponding root certificate to all the software users, a purchased code-signing certificate behaves just like a self-signed phony one.

In particular, the Thawte Code Signing CA.cer root certificate is not part of the Java 1.4 JRE distribution.

Purpose

This project has three purposes:
  1. To allow technopeasants to easily update the root signing authority certificates in their cacerts file, Java's list of signing authorities. All they have to do is click a single button in their browser.
  2. To revoke certificates that for some reason are no longer valid.
  3. To allow automated insertion of self-signed certificates in cacerts files.
  4. To install purchased certificates in client’s cacerts.
The main users of the first two functions would be the signing authorities themselves, such as Thawte and Verisign. Users could safely update root certificates by just clicking an icon on their website.

It may even be possible to get all your root certificates from all the signing authorities updated in one go from a trusted third party. In the worst case you would have to visit each signing authority’s website, and run their version of the application.

I propose writing a generic fully automated root certificate updater called inject.

How does it work?

The program is a Java Web Start Application signed with a real certificate, ideally by the certificate authority itself to attest that the root certificates it installs are indeed the real ones.

The program has no user interface, other than perhaps to ask for final confirmation and to display how successful it was. The user does not have to answer any questions, much less complicated ones.

To make the necessary modifications, it either uses the Java Security API or uses exec to launch native utilities. Ideally it would be completely platform independent.

The program finds the current cacerts file and updates it. It can scan for others and optionally update them too.
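
A sketch of the core update step described above, using the Java Security API (an added example, not code from the original page or from any existing tool). It assumes Java 9 or later, the running JRE's default cacerts location and the stock `changeit` password; the alias and the expected SHA-256 fingerprint, obtained out of band, are supplied on the command line.

```java
import java.io.*;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public class Inject {
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java Inject <cert-file> <alias> <expected-sha256-hex>");
            System.exit(2);
        }
        String expected = args[2].replace(":", "").toLowerCase();
        X509Certificate cert;
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        cert.checkValidity(); // throws if expired or not yet valid
        // Refuse any certificate whose fingerprint differs from the out-of-band value.
        StringBuilder hex = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded())) {
            hex.append(String.format("%02x", b));
        }
        if (!hex.toString().equals(expected)) {
            throw new SecurityException("fingerprint mismatch: got " + hex);
        }
        // Assumed defaults: the running JRE's cacerts file and its stock password.
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        char[] password = "changeit".toCharArray();
        KeyStore ks = KeyStore.getInstance(cacerts.toFile(), password); // detects JKS or PKCS12
        if (ks.getCertificateAlias(cert) != null) {
            System.out.println("already trusted as " + ks.getCertificateAlias(cert));
            return;
        }
        if (ks.containsAlias(args[1])) {
            throw new IllegalStateException("alias in use, refusing to overwrite: " + args[1]);
        }
        ks.setCertificateEntry(args[1], cert);
        // Keep a backup of the original, write the new store beside it, then swap it in.
        Files.copy(cacerts, cacerts.resolveSibling("cacerts.bak"), StandardCopyOption.REPLACE_EXISTING);
        Path tmp = cacerts.resolveSibling("cacerts.new");
        try (OutputStream out = Files.newOutputStream(tmp)) {
            ks.store(out, password);
        }
        Files.move(tmp, cacerts, StandardCopyOption.REPLACE_EXISTING);
        System.out.println("added " + cert.getSubjectX500Principal() + " as " + args[1]);
    }
}
```

Writing to the JRE's cacerts normally requires administrator rights, and the fingerprint comparison is only as trustworthy as the channel the expected value came from.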

A more difficult challenge would be to also update the root certificate databases in the various browsers such as Opera, Mozilla, Netscape and Internet Explorer.

For ultra security, Sun and the root certificate authorities could jointly invent a special sort of certificate that enables a program signed with it to meddle with the cacerts file, but only with that company's entries.

Summary

Those concerned with high security would not want to trust such a black box to update their certificates, but the majority of users would vastly prefer the convenience and simplicity.

Mitch Gallant has an Applet for updating root certificates. However it creates a new cacerts file and leaves the original intact. It is designed as a programmer’s tool rather than something for technopeasants.

You can get a fresh copy of this page from: http://mindprod.com/project/rootcertinstaller.html