Java/Code Signing

From Omnia

Create Code Signing Certificate

Thawte

Thawte Code Sign Status

Thawte Code Signing Certificates

Type of certificate:

JavaSoft Developer Certificate
These certificates can be used with JavaSoft's JDK 1.3 and later to sign applets.

Generating the CSR for the Javasoft Code Signing Certificate (vs30621)

1. Generate Keystore and KeyEntry (Private Key):

keytool -genkey -keyalg RSA -alias [keyEntry_friendly_name] -keystore [keystore_friendly_name]
keytool -genkey -keyalg RSA -alias oeeyapplet -keystore oeeyapplet.jks
Choose a password for the Keystore and enter it when prompted to do so.
Enter Keystore password:  password

What is your first and last name?
  [Unknown]:  www.yourdomainnamehere.com
What is the name of your organizational unit?
  [Unknown]:  Your Organizational Unit Here
What is the name of your organization?
  [Unknown]:  Your Organization Name Here
What is the name of your City or Locality?
  [Unknown]:  Your City or Locality Here
What is the name of your State or Province?
  [Unknown]:  Your State or Province Here
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=www.yourdomainnamehere.com, OU=Your Organizational Unit Here, O=Your Organization Name Here, L=Your City or Locality Here, ST=Your State or Province Here, C=US correct?
 [no]:  yes

Enter key password for <Keyentry_name_here>
        (RETURN if same as Keystore password):

The one difference I made was that instead of putting our domain name for "first and last name" I used "Oeey" for all three (name, organizational unit, and organization name), which was how the old cert was generated. Thawte did not accept this, so I regenerated using a domain name instead.

2. Please run the following command to make sure that you can read the file and view the Keyentry:

keytool -list -keystore [Keystore_friendly_name]
keytool -list -keystore oeeyapplet.jks

3. Generate a CSR off the Keyentry:

keytool -certreq -keystore [Keystore_friendly_name] -alias [KeyEntry_friendly_name] -file [csr_name_here]
keytool -certreq -keystore oeeyapplet.jks -alias oeeyapplet -file oeeyapplet.csr

Import Signed Certificate

To Install the Certificate:

1. Import certificate into keystore:

keytool -import -trustcacerts -file [xxx.crt] -alias [keyentry_friendly_name] -keystore [keystore name]
keytool -import -trustcacerts -file oeeyapplet.crt -alias oeeyapplet -keystore oeeyapplet.jks

Sign Code

Sign Code with JavaSoft Certificate:

1. Sign code:

jarsigner -keystore [keystore name]  xxx.jar [keyEntry_friendly_name]
jarsigner -keystore oeeyapplet.jks  myjar.jar oeeyapplet

2. Verify:

jarsigner -verify -certs [xxx.jar]
jarsigner -verify -certs -verbose [xxx.jar]
jarsigner -verify -certs myjar.jar
jarsigner -verify -certs -verbose myjar.jar | more

jarsigner - JAR Signing and Verification Tool

Troubleshooting

Using an SSL certificate to sign code

Error:

Failed to validate certificate.  The application will not be executed.

Details:

General Exception details:
sun.security.validator.ValidatorException: Extended key usage does not permit use for code signing
	at sun.security.validator.EndEntityChecker.checkCodeSigning(Unknown Source)
	at sun.security.validator.EndEntityChecker.check(Unknown Source)
	at sun.security.validator.Validator.validate(Unknown Source)
	at sun.security.validator.Validator.validate(Unknown Source)
	at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
	at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
	at com.sun.javaws.LaunchDownload.checkSignedResourcesHelper(Unknown Source)
	at com.sun.javaws.LaunchDownload.checkSignedResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareLaunchFile(Unknown Source)
	at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
	at com.sun.javaws.Launcher.launch(Unknown Source)
	at com.sun.javaws.Main.launchApp(Unknown Source)
	at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
	at com.sun.javaws.Main$1.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
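The condition the validator enforces in this trace can be checked against your own keystore before you run jarsigner, which catches an SSL/TLS certificate (serverAuth only) being used for signing. The following Java program is an added example, not part of the original page or of the JDK tools; it assumes the keystore name, alias and password from the steps above, a JKS-format keystore as keytool produced it, and an interactive terminal for the password prompt.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.List;

public class CodeSigningCertCheck {
    // id-kp-codeSigning and anyExtendedKeyUsage; either satisfies the validator.
    static final String CODE_SIGNING_OID = "1.3.6.1.5.5.7.3.3";
    static final String ANY_EKU_OID = "2.5.29.37.0";

    /** Returns the reason the certificate cannot be used for code signing, or null if it can. */
    static String whyNotCodeSigning(X509Certificate cert) throws Exception {
        cert.checkValidity(); // throws CertificateExpiredException / NotYetValidException
        boolean[] keyUsage = cert.getKeyUsage(); // null if the extension is absent (allowed)
        if (keyUsage != null && !keyUsage[0]) { // bit 0 is digitalSignature
            return "Key Usage extension is present but the digitalSignature bit is not set";
        }
        List<String> eku = cert.getExtendedKeyUsage(); // null if absent, i.e. unrestricted
        // An SSL/TLS server certificate typically carries only serverAuth here,
        // which is exactly the "does not permit use for code signing" case.
        if (eku != null && !eku.contains(CODE_SIGNING_OID) && !eku.contains(ANY_EKU_OID)) {
            return "Extended Key Usage " + eku + " does not include codeSigning " + CODE_SIGNING_OID;
        }
        return null;
    }

    // Usage: java CodeSigningCertCheck [keystore] [alias]; defaults assume the steps above.
    public static void main(String[] args) throws Exception {
        String keystore = args.length > 0 ? args[0] : "oeeyapplet.jks";
        String alias = args.length > 1 ? args[1] : "oeeyapplet";
        char[] password = System.console().readPassword("Enter Keystore password: "); // needs a terminal
        KeyStore ks = KeyStore.getInstance("JKS"); // assumed: keystore created by keytool as JKS
        try (FileInputStream in = new FileInputStream(keystore)) {
            ks.load(in, password);
        }
        // getCertificateChain() is null for trusted-cert entries, which have no private key.
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null) {
            System.err.println("No key entry '" + alias + "' in " + keystore);
            System.exit(2);
        }
        X509Certificate leaf = (X509Certificate) chain[0];
        String problem = whyNotCodeSigning(leaf);
        System.out.println("Subject: " + leaf.getSubjectX500Principal());
        System.out.println(problem == null ? "OK: certificate permits code signing" : "NOT OK: " + problem);
        System.exit(problem == null ? 0 : 1);
    }
}
```

A non-zero exit status means jarsigner would produce a JAR that Java Web Start rejects with the error above, so fix the certificate (request one with the Code Signing usage) rather than the signing command.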
