In order to request and manage certificates in Java, we will use the Java keytool. This is a key and certificate management utility supplied with the JDK.
The Java KeyTool is a command line utility with various options.
The first option required is the -genkey option.
This adds a new private key to an existing keystore; or, if the keystore specified does not exist, it creates a new one.
To create a new keystore, you use the following command (without any line break) at the command prompt:
keytool -genkey -alias codesigncert -keypass (yourkeypassword) -keyalg RSA -keysize 1024 -dname "CN=nameyouwantyourclientstosee,O=companyname,C=US,E=youremailaddress" -keystore codesignstore -storepass (yourstorepassword)
Note: When you run this command, it produces no output.
This command will create a keystore named "codesignstore".
The alias is the unique identifier of this entry. The key will include the following information:
CN= the name you want your customers/clients to see when they open your application
O= your company name
C= your two-letter country code
E= your email address
Note: It may be a good idea to note the keystore and key passwords. These will be required later during the installation procedure.
Certificate Signing Request (CSR) Generation
The next step is to generate a Certificate Signing Request (CSR). To do so, use the following command:
keytool -certreq -v -alias codesigncert -file codesigncsr.pem -keystore codesignstore
Certification request stored in file
Submit this to your CA
You will now find a file called codesigncsr.pem in your working directory. It will look something like this:
more codesigncsr.pem
-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----
This file is what you submit in the GlobalSign ObjectSign Java certificate request application for signing.
After verification, GlobalSign will send you an email with your certificate included as an attachment (e.g. cert123.pem). You can rename this file to something more obvious, such as javacodesigncert.pem.
Opening this in a text editor will display something like:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
You can also see the file contents using KeyTool with the following command:
keytool -printcert -v -file javacodesigncert.pem
Owner: CN=nameyouwantyourclientstosee,O=companyname,C=US,E=youremailaddress
Issuer: CN=Cybertrust SureObject CA, O=GlobalSign Inc
Serial number: 10000000001045678a99d
Valid from: Mon Sep 05 14:54:01 CEST 2005 until: Tue Sep 05 14:54:01 CEST 2006
Certificate fingerprints:
MD5: B4:56:2C:D7:56:54:6B:9C:EB:50:92:5E:4D:C5:9B:7D
SHA1: E3:30:3A:15:01:23:CB:69:85:E8:52:DE:AB:DE:11:E2:3E:97:C9:09
Certificate Installation Procedure
We are now ready to build the keystore. You will need the following two Cybertrust CA certificates in order to have your certificate trusted and able to sign: the GTE CyberTrust Global Root and the Cybertrust SureObject CA mentioned above.
The first step is to import these two CA certificates using the following two commands. Your browser may rename the downloaded files; either change them back to ct_root.cer and sureobject.cer or adjust the file names in the commands below:
keytool -import -v -trustcacerts -alias cybertrustroot -file ct_root.cer -keystore codesignstore
Certificate was added to keystore
[Saving codesignstore]
keytool -import -v -trustcacerts -alias sureobject -file sureobject.cer -keystore codesignstore
Certificate was added to keystore
[Saving codesignstore]
These messages indicate that the certificates were imported successfully.
Remember to give each certificate a unique alias.
Next, verify the contents of the keystore again:
keytool -list -v -keystore codesignstore
Keystore type: jks
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: servercert
Creation date: Sep 4, 2005
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=nameyouwantyourclientstosee,O=companyname,C=US,E=youremailaddress
Issuer: CN=nameyouwantyourclientstosee,O=companyname,C=US,E=youremailaddress
Serial number: 422956c3
Valid from: Sun Sep 04 19:35:47 MST 2005 until: Sat Oct 01 20:35:47 MDT 2005
Certificate fingerprints:
MD5: D2:55:CA:24:11:1A:C1:22:F5:3E:66:53:78:96:CF:35
SHA1: 65:3F:73:37:A5:25:A0:24:F4:65:CA:0F:E8:A5:0B:CB:B6:2F:F0:29
Alias name: sureobject
Creation date: Sep 4, 2005
Entry type: trustedCertEntry
Owner: CN=Cybertrust SureObject CA, O=GlobalSign Inc
Issuer: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
Serial number: 40003ca
Valid from: Wed Feb 16 20:13:00 CET 2005 until: Fri Feb 17 00:59:00 CET 2012
Certificate fingerprints:
MD5: 52:71:93:AB:96:7B:2E:12:21:D3:79:15:93:95:15:29
SHA1: D4:1B:41:8D:7C:AA:41:9A:30:20:97:F3:1C:D5:27:2D:47:63:AE:CE
Alias name: cybertrustroot
Creation date: Sep 4, 2005
Entry type: trustedCertEntry
Owner: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
Issuer: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
Serial number: 1a5
Valid from: Thu Aug 13 02:29:00 CEST 1998 until: Tue Aug 14 01:59:00 CEST 2018
Certificate fingerprints:
MD5: CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
SHA1: 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74
The keystore now holds the private key and the CA certificates. We can now import the code signing certificate.
To do this, we use the import command again, but drop the -trustcacerts and -noprompt options, and specify the same alias that was used for the private key.
Run this command only after you have imported the root certificate and any intermediate certificates.
Having these certificates already in the keystore allows keytool to chain your signed certificate to the proper root certificate.
keytool -import -v -alias codesigncert -file javacodesigncert.pem -keystore codesignstore
Certificate reply was installed in keystore
[Saving codesignstore]
Finally, running another listing of the keystore, the output should look like this:
keytool -list -v -keystore codesignstore
Keystore type: jks
Keystore provider: SUN
Your keystore contains 3 entries
Alias name: servercert
Creation date: Sep 5, 2005
Entry type: keyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=nameyouwantyourclientstosee,O=companyname,C=US,E=youremailaddress
Issuer: CN=Cybertrust SureObject CA, O=GlobalSign Inc
Serial number: 10000000001045678a99d
Valid from: Mon Sep 05 14:54:01 CEST 2005 until: Tue Sep 05 14:54:01 CEST 2006
Certificate fingerprints:
MD5: B4:56:2C:D7:56:54:6B:9C:EB:50:92:5E:4D:C5:9B:7D
SHA1: E3:30:3A:15:01:23:CB:69:85:E8:52:DE:AB:DE:11:E2:3E:97:C9:09
Certificate[2]:
Owner: CN=Cybertrust SureObject CA, O=GlobalSign Inc
Issuer: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
Serial number: 40003ca
Valid from: Wed Feb 16 20:13:00 CET 2005 until: Fri Feb 17 00:59:00 CET 2012
Certificate fingerprints:
MD5: 52:71:93:AB:96:7B:2E:12:21:D3:79:15:93:95:15:29
SHA1: D4:1B:41:8D:7C:AA:41:9A:30:20:97:F3:1C:D5:27:2D:47:63:AE:CE
Certificate[3]:
Owner: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
Issuer: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
Serial number: 1a5
Valid from: Thu Aug 13 02:29:00 CEST 1998 until: Tue Aug 14 01:59:00 CEST 2018
Certificate fingerprints:
MD5: CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
SHA1: 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74
Here, the most important thing to look for is under the private key alias. You should find:
Certificate chain length: 3
This tells you that keytool was able to establish the certificate chain from your certificate up to the root, and that your keystore is ready for use.
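The "Certificate chain length: 3" check above can also be done programmatically before the keystore is handed to jarsigner. The following Java program is an added example, not part of the original article: it loads the keystore with the standard KeyStore API, walks the chain stored under the code signing alias, and confirms that each certificate is signed by the next one and that the chain ends in a self-signed root. The file name codesignstore and alias codesigncert are taken from the procedure above; the keystore password is read from the console.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

// Added example (not from the original article): verifies that the key entry
// in the keystore built above carries a complete, internally consistent chain.
public class CheckCodeSignChain {
    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "codesignstore";
        String alias = args.length > 1 ? args[1] : "codesigncert";
        // Reading the store password lets the JKS integrity check run; a null
        // password would skip that check and only read the entries.
        char[] storePass = System.console() != null
                ? System.console().readPassword("Keystore password: ")
                : null;

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException(alias + " is not a key entry in " + path);
        }

        Certificate[] chain = ks.getCertificateChain(alias);
        System.out.println("Certificate chain length: " + chain.length);
        // Length 1 means only the self-signed certificate from -genkey is present,
        // i.e. the CA reply was never imported or could not be chained.
        if (chain.length < 2) {
            throw new IllegalStateException("certificate chain not established for " + alias);
        }

        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = (X509Certificate) chain[i];
            cert.checkValidity();   // throws if expired or not yet valid
            // Each certificate must verify under the next one's public key;
            // the last element must verify under its own key (self-signed root).
            X509Certificate signer = (X509Certificate) chain[Math.min(i + 1, chain.length - 1)];
            cert.verify(signer.getPublicKey());
            System.out.printf("Certificate[%d]: %s%n    Issuer: %s%n",
                    i + 1, cert.getSubjectX500Principal(), cert.getIssuerX500Principal());
        }
        System.out.println("Chain OK for alias " + alias);
    }
}
```

Run it with `java CheckCodeSignChain codesignstore codesigncert` from the directory containing the keystore; a non-zero exit means the chain should be rebuilt before signing.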
Signing your Java Code
Now you will be able to sign your Java code using the jarsigner utility. A typical command for this, using the above example, looks something like:
jarsigner -keystore codesignstore c:\FileUploadApplet.jar codesigncert
Further information on Java KeyTool and Certificate generation can be found on the Sun website.