Getting a Java Code Signing is more of a manual process compared to Microsoft Authenticode/Office-VBA Code Signing.
Java Code Signing is used for signing Java applications for desktops, digitally sign .jar files and Netscape Object Signing. Recognized by Java Runtime Environment (JRE).
The following instructions are a supplemental guide into generating and configuring a keystore necessary for Java Code Signing. If you have not already done so, you will need to download the Java Software Development Kit (SDK) from Oracle. If you have any questions or assistance in implementing the Java SDK for best support contact Oracle.
Unlike other types of code signing in order to get a Java Code Singing Certificate you will need to use the keytool utility to create and configure a keystore .jks. Keep your keystore safe and make backup copies. If you lose your keystore file, or your password to access it you will need start from scratch by generating a new keystore and perform a replace the certificate.
This article will go over the following:
- Step 1 – Create a Keystore
- Step 2 – Generating a CSR needed for enrollment for your Java Certificate.
- Steps 3 & 4 – Installing the Java Certificate after its issuance.
In order to create and configure your Keystore for Java Code Signing perform the following.
Step 1: Create a Keystore:
- Create a certificate keystore and private key by executing the following command:
Note: You will specify a Privatekey Alias. This Alias will be used for CSR creation and eventually installation of the Java Code Signing Certificate.
keytool -genkey -alias create_Privatkey_Alias -keyalg RSA -keystore path_and_create_KeystoreFilename.jks -keysize 2048
- Enter and re-enter a keystore password.
Note: Remember your Alias Name and your password for your private key. You will require it for installation!
- Fill out the applicable information:
- First and Last Name? or Common Name (CN): With java code signing the common name of the certificate is is your Organization Name .Example: XY & Z Corporation would be XYZ Corporation
- Organizational Unit (OU): This field is optional; but can be used to help identify certificates registered to an organization. The Organizational Unit (OU) field is the name of the department or organization unit making the request.
- Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll. Example: XY & Z Corporation would be XYZ Corporation
- Locality or City (L): The Locality field is the city or town name, for example: Boston
- State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: New York
- Country Name (C): Use the two-letter code without punctuation for country, for example: US or CA.
- Confirm or reject the details by typing “Yes” or “No” and press Enter.
Step 2: Creating your CSR from your keystore:
Now that your keystore has been created you can now generate your CSR from it. Use the following command to create your CSR from your Keystore.
keytool -certreq -keyalg RSA -alias your_privatekey_alias -file your_csr_file.csr -keystore your_keystore_filename.jks
- Create a copy of the keystore file. Having a back-up file of the keystore at this point can help resolve installation issues that can occur when importing the certificate into the original keystore file.
- To copy and paste the file certreq.csr into the enrollment form, open the file in a text editor that does not add extra characters (Notepad or Vi are recommended).
Your CSR request for your Java Code Signing Certificate has been created and is ready for you to copy and paste its contents into the enrollment portal when enrolling for a Java Code Signing certificate.
Step 3: Picking up your Java Certificate:
- After validation the Java Certificate will be sent to the Technical Contact via email. You will see your Java certificate in the body of that email.
- Copy the Java Certificate and make sure to copy the —–BEGIN PKCS7 CERTIFICATE—– and —–END PKCS7 CERTIFICATE—– header and footer. Ensure there are no white spaces, extra line breaks or additional characters.
- Use a plain text editor such as Notepad, paste the content of the certificate and save it with extension .p7b (When performing this on a Windows system the Icon of the file should change into a certificate icon)
Step 4: Installing your SSL certificate:
It is recommended that you have your Keystore, SSL certificate and Keytool.exe in the same folder or you will need to specify the full file path when running the following commands. you may want to make a copy of your Keystore in case their are issues with Installation.
- Import the SSL certificate into the keystore used for CSR creation.
Note: Use the same Privatekey alias name based on when you created the keystore for CSR creation.
Note: If you forget your alias you can always perform the following Command to find out the Alias that was used for the private key entry. Keytool -v -list -keystore your_keystorename.jks you will see a bunch of information at the top you will see a line stating “Alias” and the alias that was used when the keystore/private key was first created.
keytool -import -alias your_Privatekey_alias -trustcacerts -file your_SSL_Certificate.p7b -keystore your_keystorename.jks
- You will be prompted to enter the password to access the keystore.
Note: If you do not know your password you will have to start from scratch by generating a new keystore, a new csr, and perform a reissue of the certificate.
If the installation is successful you will see “Certificate reply was installed in keystore”.
Your Java Certificate should now be installed and configured into its keystore. With this configured keystore you will Sign your Java Code.
For actual signing procedures and information on how to code view Oracles Tech notes using Jarsigner.
If you are unable to use these instructions, Acmetek recommends that you contact either the vendor of your software or the organization that supports it.
Oracle Java Support
For more information refer to Java.