How to use a CA-signed certificate for code signing in Eclipse

3345501 Member Posts: 12
edited Nov 22, 2016 12:07PM in Java ME Embedded

Eclipse Neon SP1

Java 8 / Java ME 8

The keystore contains 3 certificate entries: the certificate of the issuer CA, the codesigner certificate generated with openssl and signed by the issuer CA, and a self-signed certificate generated with the create new key pair button labeled "me signer".

The keystore is referenced from Eclipse, and on the page Java ME/signing all certificates held by the store are visible.

Simple test:

IMletDemo, application descriptor, security tab, "sign generated packages" is checked. For Sign Properties: key alias to use, only the self-signed certificate can be selected. The others are not visible.

Questions:

Why? Comparing the self-signed certificate and the openssl-generated one, w.r.t. extensions and purpose both are identical! Of course the keys and hash are different, but this is normal I think.

Doing a "keytool -list", the self-signed certificate is labeled privateKeyEntry, while the other has the attribute trustedCertEntry. I hope this difference is not the cause and is due to the fact that one is self-signed and the others have a correct certification chain. If this is not the case, please explain why!

Of course this is only half the way. More important would be to know what kind of required permissions, with what value, must be added to get the program working. Where can this information be found? Preferably with explanations, to know what is required and why it must be added. Background knowledge!

nel23FX

Answers

  • 3345501 Member Posts: 12
    edited Nov 22, 2016 12:07PM

    The problem is, it doesn't work if the key and certificate are generated by openssl! The key pair must be generated using keytool! Use:

    keytool -genkeypair -keyalg rsa -keysize 2048 -alias nameofchoice -keystore ifNotwithinSameDirectory -keypass yourchoice

    More parameters can be given. What is missing is requested interactively.

    Then a certification request can be generated:

    keytool -certreq -alias sameAsAbove -keypass same -file yourchoice.csr

    The generated file can be signed by the CA, yielding a file yourchoice.crt, which can then be reimported into the keystore with:

    keytool -importcert -alias alwaysTheSame -file yourchoice.crt

    Now the certificate can be used to sign code. It works; however, doing so, the program execution fails.

    Unsigned it works, signed it fails. But this is the next issue!

    nel23FX
This discussion has been closed.
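The entry-type difference raised in the question, and the effect of the keytool procedure in the answer, as an added example that is not part of the original posts: a trustedCertEntry holds only a certificate, while a PrivateKeyEntry holds the private key that signing needs. The script reads `keytool -list -v` output; the function names, the sample listing and its subject names are constructed for illustration, with the aliases taken from the thread.

```shell
# Added example (not from the thread): read `keytool -list -v` output on stdin
# and report, per alias, whether the entry can be used for signing.
signing_aliases() {
    awk '
    function report() {
        if (alias == "") return
        if (type != "PrivateKeyEntry")
            verdict = "cannot sign: entry holds no private key"
        else if (owner == issuer)
            verdict = "can sign: self-signed, chain length " chain
        else
            verdict = "can sign: CA-issued, chain length " chain
        printf "%s|%s|%s\n", alias, type, verdict
    }
    /^Alias name: / { report(); alias = substr($0, 13)
                      type = ""; chain = 0; owner = ""; issuer = "" }
    /^Entry type: / { type = substr($0, 13) }
    /^Certificate chain length: / { chain = substr($0, 27) + 0 }
    /^Owner: /  && owner == ""  { owner = substr($0, 8) }   # first cert = end entity
    /^Issuer: / && issuer == "" { issuer = substr($0, 9) }
    END { report() }'
}
# Constructed sample in the layout of `keytool -list -v` (other lines omitted).
sample_listing() {
    cat <<'EOF'
Alias name: issuerca
Entry type: trustedCertEntry
Owner: CN=Example Issuer CA
Issuer: CN=Example Issuer CA
Alias name: codesigner
Entry type: trustedCertEntry
Owner: CN=Code Signer
Issuer: CN=Example Issuer CA
Alias name: me signer
Entry type: PrivateKeyEntry
Certificate chain length: 1
Owner: CN=me signer
Issuer: CN=me signer
Alias name: nameofchoice
Entry type: PrivateKeyEntry
Certificate chain length: 2
Owner: CN=Code Signer
Issuer: CN=Example Issuer CA
EOF
}
sample_listing | signing_aliases
```

Against a real store, pipe `keytool -list -v -keystore <path>` into `signing_aliases`; the last sample entry shows how an alias looks once the CA reply has been imported onto a keytool-generated key pair.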