2 Replies Latest reply: Jun 11, 2014 4:42 PM by rp0428

    Code Signing Certificate




      Verisign have sent me a Symantec Code Signing Certificate.

      So, now I have the following:

      - Code Signing certificate

      - intermediate CA certificate

      - Certificate in pkcs7 format

      - Private key file in RSA format


      So, how do I take all this information and create a file of type .key so that I can sign my jars?




        • 1. Re: Code Signing Certificate

          I'm not an expert on this, but here are some notes I have from prior work signing jars.  To the experts, feel free to comment on anything you think I got wrong.


          In my experience, you end up either having separate .pvk and .spc files, or a .pfx file.  .pvk stores the private key, while the .spc stores the Software Publisher Certificate (SPC).  An SPC file may be stored with the .cer extension as well.  A .pfx file is a Personal Information Exchange file that contains both the certificate and the keys, and is sometimes referred to as PKCS #12.


          I'm going to assume you have a .pfx file.  If you have separate .pvk and .spc (or .cer) files, they can be combined into a .pfx file.  You also need a Java keystore to work with.


          When I did this, I used the Java Web Services Developer pack, because it came with tools to help (I can't quite recall what I needed from it; maybe the pkcs12import stuff).


          If not there already, install the Primary Root CA into the keystore:

          keytool -import -trustcacerts -alias <rootCAname> -file <whatever>.pem -keystore <keystoreName>


          Now import your .pfx into the keystore:

          pkcs12import.bat -file <whatever>.pfx -keystore <keystoreName> -alias <whateverAlias>


          The first password it asks you for is the password for the .pfx file.  The second is the password for the keystore.  The third you can just leave blank.  If this all completes successfully, the keystore should now be ready to sign jars.


          To sign a jar:

          jarsigner.exe -keystore <keystoreName> <whatever>.jar <whateverAlias>


          If you need to un-sign a jar, you can do so by removing the .SF and .RSA files from the jar's META-INF directory, and removing all the Name: and SHA1-Digest lines from the MANIFEST.MF file.


          I hope this helps.  I know it's a royal pain.  It's complicated, and there are few tutorials that don't just leave you confused.  The people that design this stuff don't ever stop to think maybe they should leave instructions so maybe people can use it properly.
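A check worth running on a jar after the steps above, as an added Python example that is not from this thread or from the JDK tools: it lists the META-INF .SF/.RSA signature files and recomputes the per-entry digests recorded in MANIFEST.MF (SHA-256 here, where the post mentions SHA1-Digest lines). The jar contents and entry names are constructed for the demo; verifying the PKCS#7 signature block itself is left to jarsigner -verify.

```python
import base64, hashlib, io, zipfile

# Constructed toy JAR contents (not from the thread); the digest check below works on any zip/jar.
SAMPLE_ENTRIES = {"com/example/Main.class": b"\xca\xfe\xba\xbe toy bytecode",
                  "config.properties": b"debug=false\n"}

def b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def build_manifest(entries):
    """MANIFEST.MF with one Name:/SHA-256-Digest: block per entry, as jarsigner writes it."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        lines += [f"Name: {name}", f"SHA-256-Digest: {b64_sha256(data)}", ""]
    return ("\r\n".join(lines) + "\r\n").encode()

def build_jar(entries, manifest=None):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest or build_manifest(entries))
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def parse_manifest(text):
    """{entry name: {header: value}} for per-entry sections; assumes no 72-byte line continuations."""
    sections, current = {}, {}
    for raw in text.decode().splitlines() + [""]:
        if raw.strip():
            key, _, value = raw.partition(": ")
            current[key] = value
            continue
        if "Name" in current:
            sections[current["Name"]] = current
        current = {}
    return sections

def signature_files(jar_bytes):
    """META-INF signature files (.SF plus the .RSA/.DSA/.EC block); an empty list means unsigned."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return sorted(n for n in zf.namelist() if n.startswith("META-INF/") and n.upper().endswith((".SF", ".RSA", ".DSA", ".EC")))

def check_manifest_digests(jar_bytes):
    """Recompute each entry's SHA-256 against MANIFEST.MF -> {entry: matches?} (manifest integrity only)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        sections = parse_manifest(zf.read("META-INF/MANIFEST.MF"))
        return {name: sections.get(name, {}).get("SHA-256-Digest") == b64_sha256(zf.read(name))
                for name in zf.namelist()
                if not name.startswith("META-INF/") and not name.endswith("/")}
```

A False entry means the file was added or changed after the manifest was written, which is exactly what a signed jar's .SF file (and the signature over it) would otherwise catch.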

          • 2. Re: Code Signing Certificate

            See the 'Signing JAR Files' trail in The Java Tutorials.


            That tutorial has example code and shows how to sign jar files.