Download and Install the New Root and Intermediate Certificates for the Java Management Console Launcher

Article ID: 270160

Products

ProxySG Software - SGOS, Advanced Secure Gateway Software - ASG, SG-VA, ASG-S200, ASG-S400, ASG-S500, SG-S200, SG-S200-40, SG-S200-RP, SG-S400, SG-S400-RP, SG-S500, SG-S500-RP

Issue/Introduction

The JAR signing certificate for the legacy Java Management Console and the Management Console Launcher of the Edge SWG (ProxySG) appliance has been updated. You might need to update the trust store for the version of Java that your system uses to run the Management Console and Launcher.

If you don’t update the trust store, you might see error messages or warnings that say the application is blocked or that the code was signed with an untrusted certificate.

Error: Application Blocked by Java Security

Warning: Publisher UNKNOWN, Running this application may be a security risk.

Environment

This article applies to the following versions of SGOS:

  • SGOS 6.7.5.24 and later
  • SGOS 7.3.14.3 and later

Because 7.4.x does not support the Java Management Console, this article does not apply to 7.4.x versions.

Resolution

  1. Download the certificates from the following links:
    Note: For more information on these certificates, see https://www.digicert.com/kb/digicert-root-certificates.htm.
    • DigiCert CS ECC P384 Root G5
      https://cacerts.digicert.com/DigiCertCSECCP384RootG5.crt.pem
      Serial #: 03:69:8F:E7:12:D5:19:F3:CE:D0:FD:B7:B1:64:30:11
      SHA1 Fingerprint: 84:35:73:11:2A:3B:31:93:44:E5:E4:EC:AB:C9:F2:6C:7C:D5:4D:07
      SHA256 Fingerprint: 26:C5:6A:D2:20:8D:1E:9B:15:2F:66:85:3B:F4:79:7C:BE:B7:55:2C:1F:3F:47:72:51:E8:CB:1A:E7:E7:97:BF
    • DigiCert G5 CS ECC SHA384 2021 CA1
      https://cacerts.digicert.com/DigiCertG5CSECCSHA3842021CA1.crt.pem
      Issuer: DigiCert CS ECC P384 Root G5
      Serial #: 0D:92:68:18:AD:DD:3C:47:75:8F:0A:CE:93:79:B2:E7
      SHA1 Fingerprint: 23:1A:CD:67:87:B5:41:F5:59:0D:94:3D:F2:58:56:9D:7C:6A:02:CE
      SHA256 Fingerprint: ED:AE:CE:94:C3:C0:F7:C3:23:93:12:EA:AF:B7:F6:D4:99:41:0A:55:D0:E0:08:CB:6A:64:77:9D:AD:3A:19:98

  2. If your system has multiple versions of Java installed, determine the version of Java that the launcher is using. You must install the new certificates to the cacerts file of the version of Java that the launcher is using. If you do not install the certificates to the correct version, your system might display warnings and block you from accessing the Management Console. To get to the correct Java version, you might have to navigate through multiple levels of links, because some systems have links to the Java file, keytool file, and other files preceding the version.

    Windows

    Java program files are typically located in the folder C:\Program Files (x86)\Java\

    Linux

    The following example shows a system with multiple levels of links preceding the version.
    root# which java
    /usr/bin/java
    root# ls -al /usr/bin/java
    lrwxrwxrwx 1 root root 22 Oct  1  2019 /usr/bin/java -> /etc/alternatives/java
    root# ls -al /etc/alternatives/java
    lrwxrwxrwx 1 root root 43 Jun 28 22:32 /etc/alternatives/java -> /usr/lib/jvm/java-11-openjdk-amd64/bin/java
    In this example, the base Java install directory is /usr/lib/jvm/java-11-openjdk-amd64. Because the cacerts file is usually in lib/security, you can list the contents of that directory to determine the Java version:
    root# cd /usr/lib/jvm/java-11-openjdk-amd64/lib/security/
    root# ls
    blacklisted.certs  cacerts         public_suffix_list.dat
    blocked.certs      default.policy
  3. Install the certificates:

    Windows

    1. Run a Command Prompt with Administrator permissions.
    2. Navigate to the bin folder for your jre version. The jre folder may have a version-specific name if multiple versions of Java have been installed on the system (for example, jre1.8.0_361).
      cd "C:\Program Files (x86)\Java\jre-1.8\bin"
    3. Install the certificates, replacing the file paths with the location of the certificates that you downloaded in step 1. The cacerts file is in the lib\security folder of the jre, so the keystore path is given relative to the bin folder.
      keytool -import -trustcacerts -keystore "..\lib\security\cacerts" -storepass changeit -noprompt -alias DigiCertCSECCP384RootG5 -file "C:\Users\testuser\Downloads\DigiCertCSECCP384RootG5.crt.pem"
      keytool -import -trustcacerts -keystore "..\lib\security\cacerts" -storepass changeit -noprompt -alias DigiCertG5CSECCSHA3842021CA1 -file "C:\Users\testuser\Downloads\DigiCertG5CSECCSHA3842021CA1.crt.pem"
      Note: The default Java certificate store password is changeit. Replace the password in the command if this has been changed in your environment.


    Linux

    • For Java 11 and later, use the Java keytool utility:
      keytool -import -cacerts -alias DigiCertCSECCP384RootG5 -file DigiCertCSECCP384RootG5.crt.pem
      keytool -import -cacerts -alias DigiCertG5CSECCSHA3842021CA1 -file DigiCertG5CSECCSHA3842021CA1.crt.pem
    • For Java 8, change to the directory that contains the cacerts file for the Java version in use.
      keytool -import -keystore cacerts -alias DigiCertCSECCP384RootG5 -file DigiCertCSECCP384RootG5.crt.pem
      keytool -import -keystore cacerts -alias DigiCertG5CSECCSHA3842021CA1 -file DigiCertG5CSECCSHA3842021CA1.crt.pem
      Note: If the installation is unsuccessful, the import commands return an error.

  4. Validate that the appliance installed the certificates by listing the contents of the keystore and searching for the alias you added. The following example shows the certificates were successfully added:
    root# keytool -list -cacerts | grep -i DigiCertCSECCP384RootG5

    digicertcseccp384rootg5, Jul 17, 2023, trustedCertEntry,
    root# keytool -list -cacerts | grep -i DigiCertG5CSECCSHA3842021CA1

    digicertg5cseccsha3842021ca1, Jul 17, 2023, trustedCertEntry,
    If the certificates were successfully installed, each command returns a line that matches the corresponding alias.
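
The import commands above add whatever file is at the given path to the trust store, so it is worth checking each download against the SHA256 fingerprints from step 1 first. The following script is an added example, not part of the original article or of Broadcom's tooling: it verifies both PEM files, follows the link chain from step 2 to the Java install directory, and only then calls keytool. It assumes a Linux system with GNU coreutils and the PEM files in the current directory; the function names and the --import switch are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): check the step 1 downloads, then import.
# SHA256 fingerprints below are copied from step 1.
ROOT_FP="26:C5:6A:D2:20:8D:1E:9B:15:2F:66:85:3B:F4:79:7C:BE:B7:55:2C:1F:3F:47:72:51:E8:CB:1A:E7:E7:97:BF"
CA1_FP="ED:AE:CE:94:C3:C0:F7:C3:23:93:12:EA:AF:B7:F6:D4:99:41:0A:55:D0:E0:08:CB:6A:64:77:9D:AD:3A:19:98"

# Strip colons/whitespace and upper-case hex so both notations compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n\r' | tr 'a-f' 'A-F'
}

# A certificate fingerprint is the SHA-256 of its DER bytes, which are the
# base64-decoded body of the (first) PEM block in the file.
pem_sha256() {
    sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$1" | sed '/END CERTIFICATE/q' |
        grep -v -- '-----' | tr -d ' \r\n' | base64 -d | sha256sum | cut -d' ' -f1
}

# Succeed only if $1 is a PEM certificate whose fingerprint equals $2.
verify_pem() {
    [ -f "$1" ] && grep -q 'BEGIN CERTIFICATE' "$1" || return 1
    [ "$(normalize_fp "$(pem_sha256 "$1")")" = "$(normalize_fp "$2")" ]
}

# Follow every link level (/usr/bin/java -> /etc/alternatives/java -> ...) and
# print the base install directory of the Java binary given as $1.
java_home_for() {
    real=$(readlink -f "$1") || return 1
    printf '%s\n' "${real%/bin/java}"
}

main() {
    home=$(java_home_for "$(command -v java)") || { echo "java not found" >&2; return 1; }
    for pair in "DigiCertCSECCP384RootG5=$ROOT_FP" "DigiCertG5CSECCSHA3842021CA1=$CA1_FP"; do
        name=${pair%%=*}
        verify_pem "$name.crt.pem" "${pair#*=}" ||
            { echo "refusing $name.crt.pem: missing or fingerprint mismatch" >&2; return 1; }
        "$home/bin/keytool" -import -keystore "$home/lib/security/cacerts" \
            -alias "$name" -file "$name.crt.pem" || return 1
    done
}

# Nothing is imported unless the script is started with --import.
if [ "${1:-}" = "--import" ]; then main; fi
```

keytool still prompts for the keystore password and for confirmation of each certificate, as in the Linux commands of step 3.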