In Java, setting up your DigiCert Code Signing Certificate consists of creating a Java keystore and a Certificate Signing Request (CSR), and then installing the code signing certificate file that DigiCert issues into the same keystore file from which the CSR was generated.
Java CSR Creation and Code Signing Certificate Installation
Before using these instructions, make sure that the Java Development Kit (JDK) is installed on your server or local computer. You can run the commands in these instructions wherever you have the keytool command available.
After creating your CSR, make sure that you keep track of your keystore file because it contains your private key. In addition, you need the keystore file to install your DigiCert® Code Signing Certificate.
If you plan to run the commands in these instructions from a Windows Server, use the command prompt. Make sure that your JDK bin folder is already in your PATH environment variable.
Example: C:\Program Files\Java\jdk1.7.0_02\bin. You can also cd into your JDK bin folder and run keytool directly from there. If you use this option, after you create your new keystore and CSR files, you need to move them to a more useful location.
Creating a Java Keystore File and CSR
For users who are familiar with using SSL Certificates in a Java environment, the process for creating a keystore and CSR is identical.
- To create the keystore and key, run the following command at the command prompt:
keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore keystore.jks
- Enter the following information, as prompted:
Enter keystore password
Re-enter new password
What is your first and last name?
[Unknown]: First name Last name or Your Company Name
What is the name of your organizational unit?
[Unknown]: Your Department
What is the name of your organization?
[Unknown]: Your Company Name or First name Last name
What is the name of your City or Locality?
[Unknown]: Your City
What is the name of your State or Province?
[Unknown]: Your State or Your Province
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=Your Company Name or First name Last name, OU=Your Department, O=Your Company Name or First name Last name, L=Your City, ST=Your State, C=US correct?
[No]: yes
Enter key password for <server>
(RETURN if same as keystore password):
- This command creates a Java keystore file called keystore.jks.
- To generate the CSR from the keystore, run the following command at the command prompt:
keytool -certreq -alias server -file csr.csr -keystore keystore.jks
Enter keystore password:
The password is the same password that you used in Step 2.
- At this point, you have a private key stored in the keystore (.jks) file and a CSR saved as a .csr file.
- When you place your code signing certificate order with DigiCert, open the csr.csr file with any text editor. Then, copy and paste its contents into the CSR box in our order form.
Note:
Hold on to the keystore. Do not forget the keystore password. You need this password to install your DigiCert® Code Signing Certificate. You also need the keystore password each time that you use the certificate to sign code.
Installing your DigiCert Code Signing Certificate
Once you have received your signed code signing certificate file back from DigiCert, you can install it into the keystore that you created when you created the CSR.
- To install the certificate, run the following command at the command prompt:
keytool -import -trustcacerts -alias server -file YourName.p7b -keystore keystore.jks
- You should receive a message stating, “Certificate reply was installed in keystore.”
- If asked to trust the certificate, type y or yes.
- Your code signing certificate is installed, and you are ready to sign code.
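A check you can run after the import to confirm that the certificate reply landed on the key that produced the CSR, rather than in a keystore or alias that has no private key. This is an added example, not part of the original instructions or DigiCert's code; classify_entry is a hypothetical helper, it assumes keytool's English output, and the sample outputs are constructed.

```bash
#!/usr/bin/env bash
# Added example, not DigiCert's code. Classifies one keystore entry from the
# text printed by: keytool -list -v -alias server -keystore keystore.jks
# Assumes keytool's English output; classify_entry is a hypothetical helper.
#   ca-signed       key entry whose certificate was issued by someone else
#   self-signed     key entry still holding the certificate made by -genkey
#   no-private-key  reply was imported without the key that made the CSR
classify_entry() {
  awk '
    /^Entry type:/               { type = $3 }
    /^Certificate chain length:/ { len = $4 }
    /^Owner: /  && owner == ""   { owner = substr($0, 8) }
    /^Issuer: / && issuer == ""  { issuer = substr($0, 9) }
    END {
      if (type == "trustedCertEntry")       print "no-private-key"
      else if (type != "PrivateKeyEntry")   print "unknown"
      else if (len == "")                   print "unknown"
      else if (len == 1 && owner == issuer) print "self-signed"
      else                                  print "ca-signed"
    }'
}

# Constructed sample outputs (subject and issuer names are made up).
SAMPLE_BEFORE='Alias name: server
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Your Company Name, O=Your Company Name, L=Your City, ST=Your State, C=US
Issuer: CN=Your Company Name, O=Your Company Name, L=Your City, ST=Your State, C=US'

SAMPLE_AFTER='Alias name: server
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=Your Company Name, O=Your Company Name, L=Your City, ST=Your State, C=US
Issuer: CN=Example Code Signing CA, O=Example CA, C=US
Certificate[2]:
Owner: CN=Example Code Signing CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US'

SAMPLE_WRONG='Alias name: server
Entry type: trustedCertEntry
Owner: CN=Your Company Name, O=Your Company Name, L=Your City, ST=Your State, C=US
Issuer: CN=Example Code Signing CA, O=Example CA, C=US'

for s in "$SAMPLE_BEFORE" "$SAMPLE_AFTER" "$SAMPLE_WRONG"; do
  printf '%s\n' "$s" | classify_entry
done
```

To check a real keystore, pipe the keytool -list -v command shown in the script's header comment into classify_entry; only a ca-signed result means the entry is ready for jarsigner.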
Signing Java .jar Files with Jarsigner
Once you have correctly installed the Certificate Authority (CA) signed code signing certificate to the keystore that you created, you are ready to start signing code. You can use Jarsigner to sign and to verify the signature on .jar files.
- To sign your file, run the following command at the command prompt:
jarsigner -tsa http://timestamp.digicert.com -keystore c:\path\to\your\keystore.jks -storepass YourPassword c:\path\to\your\file.jar YourAlias
In the command above, replace YourPassword with the password used to generate your keystore. Replace YourAlias with the appropriate alias assigned when you generated your CSR. If you omit -storepass, jarsigner prompts for the password instead, which keeps it out of your command history.
Note: If you used our Java Keytool CSR Wizard, the alias that was automatically generated for you is server.
- This command does not provide any output to indicate that your code was successfully signed.
- To verify that the .jar file was signed successfully, run the jarsigner -verify command from the command prompt:
jarsigner -verify -verbose -certs c:\path\to\your\file.jar
- To confirm that your code was successfully signed, you should see an output that includes a line:
s = signature was verified
We hope this guide helped you with this easy process. If you are unable to use these instructions, Acmetek recommends that you contact either the vendor of your software or the hosting organization that supports it.