Renewing expired self signed certificate for Adobe AIR application
Adobe AIR applications are signed with a digital certificate that offers assurance to the end user that the application comes from a trustworthy publisher. Certificates can be obtained from a trusted certificate authority or self-signed by you, the developer. Certificates from a trusted certificate authority give the user a higher level of confidence that the application comes from a trustworthy publisher and is unlikely to be malicious. Unfortunately this is costly and comes with more friction in the setup process than using your own self-signed certificate. Applications that use a self-signed certificate carry a greater risk for the end user, as the publisher's reputation is not verified. However, due to cost and ease of setup, it is often desirable to use a self-signed certificate when developing bespoke solutions for a closed audience. By default a self-signed certificate will expire after 365 days, and when a user tries to install an application with an expired certificate the error message shown below is displayed.
In order to make the installation work again the application needs to be packaged with a new certificate. Unfortunately doing this means existing installations will not be able to update, forcing the user to manually uninstall before installing the new application. This is a big problem for applications that auto update, as that process will no longer work. To solve this issue the AIR developer tool (ADT) has a -migrate command that makes the new package aware of the old certificate, which means the application can update with no extra effort from the user.
The rest of this post will walk through how to create a new certificate for the application to be packaged with and allow existing applications to update using the newly packaged application.
The first step is to create a new certificate using the -certificate command in ADT. ADT is a command-line tool that can be found in the bin directory of the AIR SDK. The command below uses the minimal arguments required to create a certificate file named MyKeyName.p12:
adt -certificate -cn MyCertificateName 2048-RSA MyKeyName.p12 MyKeyPassword
Let's take a look at the different parts of the command above. The -certificate argument instructs ADT to use the certificate command. The next argument is the common name, which should be an identifiable name for the certificate. The next argument defines the key type, which can be either 1024-RSA or 2048-RSA; the only difference is that 2048-RSA provides a higher level of security. Next is the path where the certificate should be written; in the example command the certificate will be placed in the same directory as the adt executable because only the filename is specified. The last argument is the password for the certificate, which is needed whenever the certificate is used to package an application.
Packaging the application with the new certificate is the next step. You can use the Flash Builder IDE to create a package of the application, however packaging from the command line is preferable because the process can then be easily automated. To package an application the ADT tool is used again, this time with the -package command, as shown below.
adt -package -storetype pkcs12 -keystore MyKeyName.p12 -storepass MyKeyPassword MyApp.air MyAppDescriptor-app.xml myApp.swf
The first section of the command above gives the keystore type (pkcs12), the path to the certificate and the password that was set in the previous command. The second section gives the file path of the output package, the application descriptor file that defines basic properties of the application and finally the compiled Flash file that should be packaged.
Now that the application has been packaged with the new certificate it can be installed by end users. However, as mentioned earlier, existing users won't be able to update their installation without manually uninstalling the application before installing the new package. To make the package capable of updating those installations, the ADT -migrate command needs to be used as shown below.
adt -migrate -storetype pkcs12 -keystore MyExpiredKeyName.p12 -storepass MyExpiredKeyPassword MyApp.air MyMigratedApp.air
In order to run the migrate command the expired certificate is required; it is specified after the -migrate flag using the same keystore options as before. Next comes the packaged application that was the output of the previous package command. The final argument is the file path for the output of the migrate command, which is the package that is distributed to end users. This package can be freshly installed by a user or can update an existing installation, meaning any applications that auto update can still do so.