Resigning JavaScript Code for Mozilla and Firefox Browsers

Topic Last Modified: 2009-02-27

With the Firefox browser, the JavaScript code for notifications, including incoming instant messaging (IM) desktop alerts and the flashing Communicator Web Access item in the taskbar, must be signed. By default, this code is signed using a certificate supplied by Microsoft.

If you prefer, you can re-sign the JavaScript code either with a certificate provided by a trusted third-party certification authority (CA) or with a private certificate. If you obtain the JavaScript signing certificate from a trusted third-party CA, no additional client-side configuration is required. If you obtain the signing certificate from a private or self-hosted CA, clients may need to be updated to trust the CA that issued the certificate.

Setup for Communicator Web Access installs a Java Archive (.jar) file in the following path, where <client version> is the version of the build:

<installation path>\Server\cwa\client\<client version>

When you re-sign the JavaScript code, you create a new Java archive (.jar) file that contains the script file and related signing information and that replaces the existing Java archive file. If you re-sign the JavaScript code more than once, the existing Java archive file is replaced each time and Communicator Web Access uses the most recent archive file.

If you are using a private or self-hosted CA, the certificate should use the Code Signing certificate template.

The following steps outline one method for re-signing the JavaScript by using the JavaScript certificate signing tools that are provided by the Mozilla browser.

Before you begin this procedure, you must obtain the following certificate signing tools, which are available at http://www.mozilla.org/projects/security/pki/nss/tools:

  • Certutil. Manages certificates and private keys. You can use Certutil to create a certificate database, create a private key database, and add a certificate to the certificate database.
  • Pk12util. Imports a certificate and private key pair file (also called a personal information exchange file) into the database that was created by Certutil.exe.
  • Signtool. Signs an HTML page with a certificate and private key in the database.

Note

The Mozilla Web site provides only the source code for these tools. You have to build the executable files yourself.
You also need to ensure that the folder where you install the executable files is in the default path for your computer so that you can easily run the tools from a command prompt.

If you use a private or self-hosted CA, you need to ensure that the clients’ browsers import the certificate chain so that the signed JavaScript code will be trusted. On a large scale, this process can be easier if the CA provides a Web site that allows users to sign on and request updated certificates.

To re-sign the JavaScript for a Mozilla browser

  1. Log on to the Communicator Web Access server as a member of the Administrators group.

  2. Create a folder (referred to in the following steps as <database_folder>), which will store database files that are created by commands in the rest of this procedure.

  3. Open a Command Prompt window by clicking Start, and then clicking Run. In the Open box, type cmd, and then click OK.

  4. Run Certutil.exe to create a certificate database by typing the following at the command prompt, and then pressing ENTER:

    certutil.exe -N -d <database_folder>

  5. When you are prompted for a password, type a password that you want to use to control access to the certificate database.

  6. Apply for a certificate and private key pair file from a trusted third-party CA or from a private or self-hosted CA. For details about applying for a certificate, contact the certification authority. If the certificate that you receive is saved in the local computer’s certificate store, export the certificate and private key into a .pfx file.

  7. Run Pk12util.exe to import the certificate and private key file into the database that you created. At the command prompt, type the following, and then press ENTER:

    pk12util.exe -i <cert/key file> -d <database_folder>

  8. Obtain the root CA certificate by copying or downloading the certificate file according to the instructions provided by your CA.

  9. Run Certutil.exe to add the CA certificate to the database. You must specify a nickname for the CA certificate. At the command prompt, type the following all on one line, and then press ENTER:

    certutil.exe -A -n <certificate nickname> -i <CA certificate> -t "C,C,C" -d <database_folder>

  10. Run Certutil.exe to list all certificates in the database. From this list, you can obtain the name of the certificate that you will use in the next step. At the command prompt, type the following, and then press ENTER:

    certutil.exe -L -d <database_folder>

  11. Run Signtool.exe to sign the JavaScript code by using the certificate. At the command prompt, type the following all on one line, and then press ENTER:

    Signtool -k <certificate name> -Z <installation path>\Server\cwa\client\<client version>\SignedCode.jar -p <database password> -d <database_folder> <installation path>\Server\cwa\client\<client version>\SignedCode

    After you run this command, the new Java archive file that includes the script file and related signing information replaces the default Java archive file.
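
The procedure above can be run as one PowerShell script that also keeps a copy of the archive being replaced and checks the new signature afterward. This is an added example, not part of the original topic or a Microsoft-supplied script; the parameter names and the Invoke-Nss helper are hypothetical, and it assumes the three NSS tools have been built into one folder.

```powershell
# Added example: steps 2, 4-5, 7 and 9-11 of the procedure, plus a backup and a check.
# Parameter names are hypothetical; each maps to a placeholder used in the steps above.
param(
    [Parameter(Mandatory=$true)][string]$NssBin,         # folder holding the NSS tools you built
    [Parameter(Mandatory=$true)][string]$DatabaseFolder, # <database_folder>
    [Parameter(Mandatory=$true)][string]$ClientDir,      # <installation path>\Server\cwa\client\<client version>
    [Parameter(Mandatory=$true)][string]$PfxFile,        # <cert/key file> exported in step 6
    [Parameter(Mandatory=$true)][string]$CaCertFile,     # <CA certificate> obtained in step 8
    [Parameter(Mandatory=$true)][string]$CaNickname,     # <certificate nickname>
    [Parameter(Mandatory=$true)][string]$CertName        # <certificate name>, as listed by certutil -L
)
$ErrorActionPreference = 'Stop'

# Call the NSS tools by full path: Windows ships its own, unrelated certutil.exe
# in System32, which is normally found first on the default path.
function Invoke-Nss {
    param([string]$Tool, [string[]]$ToolArgs)
    & (Join-Path $NssBin $Tool) @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Tool exited with code $LASTEXITCODE" }
}

# Steps 2, 4 and 5: create the folder and the database (certutil prompts for the password).
New-Item -ItemType Directory -Path $DatabaseFolder -Force | Out-Null
Invoke-Nss 'certutil.exe' @('-N', '-d', $DatabaseFolder)

# Steps 7, 9 and 10: import the key pair, add the CA certificate, list the database.
Invoke-Nss 'pk12util.exe' @('-i', $PfxFile, '-d', $DatabaseFolder)
Invoke-Nss 'certutil.exe' @('-A', '-n', $CaNickname, '-i', $CaCertFile, '-t', 'C,C,C', '-d', $DatabaseFolder)
Invoke-Nss 'certutil.exe' @('-L', '-d', $DatabaseFolder)

# Signing replaces the existing archive, so keep a timestamped copy to roll back to.
# The copy goes into the database folder, outside the client folder.
$jar   = Join-Path $ClientDir 'SignedCode.jar'
$stamp = Get-Date -Format 'yyyyMMddHHmmss'
Copy-Item -Path $jar -Destination (Join-Path $DatabaseFolder "SignedCode.$stamp.jar")

# Step 11: prompt for the database password instead of storing it in the script.
$secure = Read-Host 'Certificate database password' -AsSecureString
$plain  = (New-Object System.Net.NetworkCredential('', $secure)).Password
Invoke-Nss 'signtool.exe' @('-k', $CertName, '-Z', $jar, '-p', $plain,
                            '-d', $DatabaseFolder, (Join-Path $ClientDir 'SignedCode'))

# Check the new archive: -v verifies its integrity, -w names the signer.
Invoke-Nss 'signtool.exe' @('-d', $DatabaseFolder, '-v', $jar)
Invoke-Nss 'signtool.exe' @('-d', $DatabaseFolder, '-w', $jar)
```

The -p option still places the database password on the Signtool command line for the duration of the signing step. Once the import in step 7 has succeeded, the .pfx file is a second copy of the private key and should be stored or removed accordingly.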