Java/Code Signing
Create Code Signing Certificate
Thawte Code Signing Certificates
Type of certificate:
JavaSoft Developer Certificate: These certificates can be used with JavaSoft's JDK 1.3 and later to sign applets.
Generating the CSR for the Javasoft Code Signing Certificate (vs30621)
1. Generate Keystore and KeyEntry (Private Key):
keytool -genkey -keyalg RSA -alias [keyEntry_friendly_name] -keystore [keystore_friendly_name]
keytool -genkey -keyalg RSA -alias oeeyapplet -keystore oeeyapplet.key
Choose a password for the Keystore and enter it when prompted to do so.
Enter Keystore password: password
What is your first and last name?
  [Unknown]: www.yourdomainnamehere.com
What is the name of your organizational unit?
  [Unknown]: Your Organizational Unit Here
What is the name of your organization?
  [Unknown]: Your Organization Name Here
What is the name of your City or Locality?
  [Unknown]: Your City or Locality Here
What is the name of your State or Province?
  [Unknown]: Your State or Province Here
What is the two-letter country code for this unit?
  [Unknown]: US
Is CN=www.yourdomainnamehere.com, OU=Your Organizational Unit Here, O=Your Organization Name Here, L=Your City or Locality Here, ST=Your State or Province Here, C=US correct?
  [no]: yes
Enter key password for <Keyentry_name_here>
  (RETURN if same as Keystore password):
The one difference I made was that instead of putting our domain name for "first and last name", I used "Oeey" for all 3 (name, organizational unit, and organization name), which was how the old cert was generated. Thawte did not accept this, so I regenerated it using a domain name instead.
2. Please run the following command to make sure that you can read the file and view the Keyentry:
keytool -list -keystore [keystore_friendly_name]
keytool -list -keystore oeeyapplet.key
3. Generate a CSR off the Keyentry:
keytool -certreq -keystore [keystore_friendly_name] -alias [keyEntry_friendly_name] -file [csr_name_here]
keytool -certreq -keystore oeeyapplet.key -alias oeeyapplet -file oeeyapplet.csr
Import Signed Certificate
1. Import the signed certificate into the keystore. The keystore and alias named here must be the ones that hold the private key generated in step 1 of the CSR section (the example uses oeeyapplet.jks; use whatever file name you gave that keystore). If the alias does not already hold a key entry, keytool stores the certificate as a trusted certificate entry instead, and jarsigner will not be able to sign with it.
keytool -import -trustcacerts -file [xxx.crt] -alias [keyentry_friendly_name] -keystore [keystore name]
keytool -import -trustcacerts -file oeeyapplet.crt -alias oeeyapplet -keystore oeeyapplet.jks
Sign Code
Sign Code with JavaSoft Certificate:
1. Sign code:
jarsigner -keystore [keystore name] xxx.jar [keyEntry_friendly_name]
jarsigner -keystore oeeyapplet.jks myjar.jar oeeyapplet
2. Verify:
jarsigner -verify -certs [xxx.jar]
jarsigner -verify -certs -verbose [xxx.jar]
jarsigner -verify -certs myjar.jar
jarsigner -verify -certs -verbose myjar.jar | more
jarsigner - JAR Signing and Verification Tool
Troubleshooting
Using an SSL certificate to sign code
Error:
Failed to validate certificate. The application will not be executed.
Details:
General Exception details:
sun.security.validator.ValidatorException: Extended key usage does not permit use for code signing
    at sun.security.validator.EndEntityChecker.checkCodeSigning(Unknown Source)
    at sun.security.validator.EndEntityChecker.check(Unknown Source)
    at sun.security.validator.Validator.validate(Unknown Source)
    at sun.security.validator.Validator.validate(Unknown Source)
    at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
    at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
    at com.sun.javaws.LaunchDownload.checkSignedResourcesHelper(Unknown Source)
    at com.sun.javaws.LaunchDownload.checkSignedResources(Unknown Source)
    at com.sun.javaws.Launcher.prepareLaunchFile(Unknown Source)
    at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
    at com.sun.javaws.Launcher.launch(Unknown Source)
    at com.sun.javaws.Main.launchApp(Unknown Source)
    at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
    at com.sun.javaws.Main$1.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Cause: the end-entity certificate's Extended Key Usage extension does not include Code Signing (id-kp-codeSigning, OID 1.3.6.1.5.5.7.3.3). A TLS/SSL server certificate carries serverAuth (and usually clientAuth) only, so the Java runtime refuses to trust the signature even though jarsigner was happy to produce it. The fix is to sign with a certificate issued for code signing, such as the JavaSoft Developer Certificate described above; keytool will not warn about this at signing time.
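The jarsigner steps above and the Extended Key Usage failure just described can be caught before anything is signed. The following POSIX shell script is an added example, not part of the original page or of the keytool/jarsigner tools: it parses `keytool -list -v` output for the end-entity certificate's ExtendedKeyUsages block, refuses to call jarsigner when codeSigning is missing, and generalizes slightly by ignoring the issuer certificates in the chain (a Code Signing CA may itself carry the EKU, which must not make a serverAuth-only leaf look acceptable). The keystore file, alias and password arguments, the function names, the self-signed fixture and the three sample outputs are all assumptions/constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original page: pre-flight check that the
# end-entity certificate in a keystore carries the Code Signing Extended Key
# Usage (id-kp-codeSigning, OID 1.3.6.1.5.5.7.3.3) before jarsigner runs, so
# a TLS/SSL certificate is rejected at signing time instead of failing with
# "Extended key usage does not permit use for code signing" at launch.
# Keystore file, alias and password values are placeholders (assumptions).

# Read `keytool -list -v` (or `keytool -printcert`) output on stdin and return 0
# when the FIRST certificate in it (the end-entity certificate, Certificate[1])
# lists codeSigning in its ExtendedKeyUsages block; return 1 otherwise.
# Everything from Certificate[2] on (the issuers) is deliberately ignored.
has_code_signing_eku() {
    awk '
        /^Certificate\[2\]:/ { exit }                 # stop before the issuer
        /ExtendedKeyUsages \[/ { in_eku = 1; next }   # start of the EKU block
        in_eku && /^ *\]/ { in_eku = 0 }              # end of the EKU block
        in_eku && (/codeSigning/ || /1\.3\.6\.1\.5\.5\.7\.3\.3/) { found = 1 }
        END { if (found) exit 0; exit 1 }
    '
}

# Ask keytool for the key entry's certificate chain and check it.
# $1 keystore file, $2 alias, $3 keystore password (all assumptions).
keystore_allows_code_signing() {
    keytool -list -v -keystore "$1" -alias "$2" -storepass "$3" | has_code_signing_eku
}

# Sign a JAR only after the EKU check passes, then verify the result
# (the jarsigner commands from this page, with the check in front of them).
sign_jar() {
    ks=$1; alias_name=$2; pass=$3; jar=$4
    if ! keystore_allows_code_signing "$ks" "$alias_name" "$pass"; then
        echo "refusing to sign $jar: '$alias_name' in $ks has no codeSigning EKU" >&2
        return 1
    fi
    jarsigner -keystore "$ks" -storepass "$pass" "$jar" "$alias_name" &&
        jarsigner -verify -certs -verbose "$jar"
}

# Local fixture (assumption): a self-signed key pair that does carry the
# codeSigning EKU, via keytool's -ext option, for trying sign_jar offline.
# $1 keystore file, $2 alias, $3 password.
make_self_signed_codesigning_keystore() {
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 \
        -alias "$2" -keystore "$1" -storepass "$3" -keypass "$3" \
        -dname "CN=example-codesign, O=Example, C=US" \
        -ext eku=codeSigning
}

# Constructed sample outputs shaped like `keytool -list -v` (not real output).
# 1: a TLS server certificate, the case from the Troubleshooting section.
SAMPLE_TLS='Certificate chain length: 1
Certificate[1]:
Owner: CN=www.yourdomainnamehere.com, O=Your Organization Name Here, C=US
#1: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]'
# 2: a proper code signing certificate with its issuer.
SAMPLE_CODESIGN='Certificate chain length: 2
Certificate[1]:
Owner: CN=www.yourdomainnamehere.com, O=Your Organization Name Here, C=US
#1: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  codeSigning
]
Certificate[2]:
Owner: CN=Example Code Signing CA'
# 3: a TLS leaf whose issuer happens to carry codeSigning; must be rejected.
SAMPLE_CA_ONLY='Certificate chain length: 2
Certificate[1]:
Owner: CN=www.yourdomainnamehere.com, O=Your Organization Name Here, C=US
#1: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
]
Certificate[2]:
Owner: CN=Example Code Signing CA
#1: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  codeSigning
]'

# Demo over the constructed samples; needs only awk, not keytool.
for name in SAMPLE_TLS SAMPLE_CODESIGN SAMPLE_CA_ONLY; do
    eval "text=\$$name"
    if printf '%s\n' "$text" | has_code_signing_eku; then
        echo "$name: codeSigning EKU present, OK to sign"
    else
        echo "$name: no codeSigning EKU on the end-entity certificate"
    fi
done
```

To use it against a real keystore, source the script and run `sign_jar oeeyapplet.jks oeeyapplet 'password' myjar.jar`; to try it without a CA-issued certificate, first call `make_self_signed_codesigning_keystore test.jks test 'password'` and sign with that (the JAR will verify with jarsigner, but the Java runtime will still not trust a self-signed certificate, which is a separate check from the EKU one). The check looks only at the first certificate of the chain on purpose: the EndEntityChecker in the stack trace above validates the end-entity certificate's EKU, so that is the certificate whose extension matters.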