Java Code Signing: Generating a CSR
Print this Article
Last Updated:
November 3, 2014 12:30 PM
As of Jan. 2014, all Java apps running in Web browsers require code signing certificates. After you purchase a code signing certificate, you must sign your Java code.
Several tools are required to package and sign Java code, including keytool, jar and jarsigner. Beginning with JDK 5.0, jarsigner can generate signatures that include a time stamp, allowing validation that the JAR file was signed while the code signing certificate was still valid.
Approach 1 - Request a New Code Signing Certificate
- If necessary, download JDK from the following link:
http://java.sun.com/javase/downloads/index.jsp - Request a Code Signing Certificate from Starfield Technologies.
- Create a new key store. A key store is a place where secure certificates are stored. This example will create a custom key store named "codesignstore" to be used only for a code signing certificate and the associated private key.
keytool -genkey -alias codesigncert -keypass
-keyalg RSA -keysize 2048 -dname "CN=displayname,O=companyname,C=US,ST=state,L=city" -keystore codesignstore -storepass - Create a Certificate Signing Request (CSR). A private key will be created and stored in the key store named "codesignstore". A CSR file named "mycsr.pem" will be created in the current working directory.
keytool -certreq -v -alias codesigncert -file mycsr.pem -keystore codesignstore
- Purchase a code signing certificate.
- Click on the purchased code signing certificate credit in "My Account". This will take you to the Starfield Secure Certificate Services Account Management web application. The CSR generation method must be set to manual on the request form for the CSR field to be visible.
- Submit CSR as part of the code signing request.
- After opening the file "mycsr.pem" in an editor, copy and paste the entire content of the file (including the lines containing "BEGIN NEW CERTIFICATE REQUEST" and "END NEW CERTIFICATE REQUEST") into the appropriate section of the code signing request form.
- The company information you have supplied will be verified. The Registration Authority (RA) may contact you to provide additional information, if required.
- Once the code signing certificate has been issued, you will receive an email message with a link to download the certificate file and any associated intermediate certificates.
- Create a new key store. A key store is a place where secure certificates are stored. This example will create a custom key store named "codesignstore" to be used only for a code signing certificate and the associated private key.
- Install the code signing certificate, in the same key store created earlier. The following example expects the code signing certificate file to be named "mycert.cer". The certificate file is expected to be in the current working folder and in PKCS#7 format.
keytool -import -trustcacerts -keystore codesignstore -storepass
-alias codesigncert -file mycert.cer - Sign the JAR file using jarsigner, using the code signing certificate and the private key
jarsigner -verbose -keystore codesignstore -storepass
-keypass myapp.jar codesigncert - 'codesignstore' is an alias to the key store where the code signing cert, the private key and all other certificates in the chain are contained.
- The unsigned input file name is "myapp.jar" and will be overwritten with the signed version of the file. Use the "-signedjar" command line option to specify separate input and output file names.
- 'codesigncert' is an alias to the private key in the key store.
jarsigner -verbose -keystore codesignstore -storepass-keypass -tsa http://tsa.starfieldtech.com/ myapp.jar codesigncert - Verify the signed JAR file
jarsigner -verify -verbose -certs myapp.jar
- Distribute the code
Approach 2 - Use Existing PKCS#12 File, Containing Both Code Signing Certificate and Private Key
- If necessary, download JDK from the following link:
http://java.sun.com/javase/downloads/index.jsp - Verify that the PFX/P12 file can be used with jarsigner. Execute the following command, the alias name required in step 5 will be displayed near the top of the output:
keytool -list -storetype pkcs12 -keystore mycert.pfx -v
- Create a JAR file from Java class files, using the jar tool:
jar cvf myapp.jar myapp.class
- Sign the JAR file using jarsigner, using the code signing certificate and the private key:
jarsigner -storetype pkcs12 -keystore mycert.pfx myapp.jar "aliasname"
- "mycert.pfx" is the full path to the PFX/P12 file containing the code signing certificate and the private key. The file should also include all intermediate certificates.
- "aliasname" is displayed in the output of step 2, near the top. If the PFX/P12 file was exported from Windows, the alias name will effectively be a GUID.
- When prompted, enter the password associated with the private key in the PFX/P12 file. You may also include the "-storepass" option to specify the password on the command line.
- The unsigned input file name is "myapp.jar" and will be overwritten with the signed version of the file. Use the "-signedjar" command line option to specify separate input and output file names.
jarsigner -storetype pkcs12 -keystore mycert.pfx -tsa http://tsa.starfieldtech.com/ myapp.jar "aliasname" - Verify the signed JAR file
jarsigner -verify -verbose -certs myapp.jar
- Distribute the code
Links