Java Code Signing JKS Method - Certificate Generation and Installation

Article Purpose: This article provides step-by-step instructions on how to generate and install a certificate for Java Code Signing.
Note: This guide is for reissues of Code Signing orders placed before February 1, 2017. For new or renewal orders placed after February 1, 2017, please view the token-based guide found here
 

Instructions


Once you have received the email with the subject "Certificate Download Ready - ORDERID: Code Signing For Sun Java Certificate for Company Name" you will be asked for a Certificate Signing Request (CSR). Using keytool, you will need to generate a new keystore. 
 

  1. To generate a new keystore use the following command as an example:

    keytool -genkey -alias codesigningcert -keyalg RSA -keysize 2048 -keystore globalsign.jks
     
  2. You will then be asked for the following details:

    Enter keystore password:
    Re-enter new password:
    What is your first and last name?
    [Unknown]: Your Company Name
    What is the name of your organizational unit?
    [Unknown]: Department
    What is the name of your organization?
    [Unknown]: Company Name
    What is the name of your City or Locality?
    [Unknown]: City
    What is the name of your State or Province?
    [Unknown]: State/County
    What is the two-letter country code for this unit?
    [Unknown]: Country
    Is CN=Your Company Name, OU=Department, O=Company Name, L=City, ST=County, C=Country correct?
    [no]: yes

    Enter key password for codesigningcert
    (RETURN if same as keystore password):
     
  3. You have now created the keystore with the relevant key and certificate information you need to create a CSR. This can be done with the following command. Note: Ensure you specify the alias for the key.

    keytool -certreq -alias codesigningcert -file codesigningcert.csr -keystore globalsign.jks
    Enter keystore password:
     
  4. The CSR has now been generated. Open the CSR with Notepad, or any text editing software, and paste it on the pick up page that you received via email.
  5. On the last page you will be presented with 2 downloads. Click to download both.
    It is recommended to also download the GlobalSign Root CA certificate, which can be obtained from the Root Certificate Support Article. The Root certificate required depends on the hashing algorithm of your certificate: if you have a SHA-1 certificate you will need Root-R1.crt; if you have a SHA-256 certificate (issued 03/31/2014 and after) you will need Root-R3.crt.

  6. You will now have three downloaded files. The next step is to import these using keytool. Use the following commands (the lines beginning with keytool; the remaining lines are prompts and output):

    keytool -import -v -trustcacerts -alias root -file Root-R1.crt -keystore globalsign.jks
    Enter keystore password:
    Certificate already exists in system-wide CA keystore under alias globalsignca
    Do you still want to add it to your own keystore? [no]: yes
    Certificate was added to keystore
    [Storing globalsign.jks]

    keytool -import -v -trustcacerts -alias intermediate -file intermediate1.cer -keystore globalsign.jks
    Enter keystore password:
    Certificate was added to keystore
    [Storing globalsign.jks]

    It is very important when importing your certificate that you specify the same alias as the private key. Otherwise keytool stores it as a separate trusted certificate, not attached to the private key, and you will get "Certificate was added to keystore" instead of the following:

    keytool -import -trustcacerts -alias codesigningcert -file OS2013********.cer -keystore globalsign.jks
    Enter keystore password:
    Certificate reply was installed in keystore
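
A check for the alias requirement above, as an added example that is not part of the original article: it parses `keytool -list -v` output and reports whether the private key's alias carries the CA-issued chain. The function name, the result strings and the `mycert` alias are assumptions, and the sample listings are constructed.

```shell
#!/bin/sh
# Added example, not GlobalSign's code. Reads `keytool -list -v` output on
# stdin and prints the state of one alias:
#   ok                   private key entry with the CA-issued chain attached
#   reply-not-installed  private key still holds only its self-signed cert
#   not-a-key-entry      alias is a trusted certificate, no private key
#   missing              alias not present in the keystore
check_signing_entry() {
    awk -v want="$1" '
        { sub(/\r$/, "") }                       # tolerate CRLF output
        /^Alias name: /  { alias = substr($0, 13); next }
        alias != want    { next }                # skip other entries
        /^Entry type: /  { type = substr($0, 13); next }
        /^Certificate chain length: / { len = $4 + 0 }
        END {
            if (type == "")                     print "missing"
            else if (type != "PrivateKeyEntry") print "not-a-key-entry"
            else if (len < 2)                   print "reply-not-installed"
            else                                print "ok"
        }'
}

# Constructed sample: reply imported under the same alias as the private key.
sample_installed() { cat <<'EOF'
Alias name: codesigningcert
Entry type: PrivateKeyEntry
Certificate chain length: 3
Alias name: root
Entry type: trustedCertEntry
EOF
}

# Constructed sample: reply imported under a different alias ("mycert").
sample_wrong_alias() { cat <<'EOF'
Alias name: codesigningcert
Entry type: PrivateKeyEntry
Certificate chain length: 1
Alias name: mycert
Entry type: trustedCertEntry
EOF
}

# Real use: keytool -list -v -keystore globalsign.jks | check_signing_entry codesigningcert
sample_wrong_alias | check_signing_entry codesigningcert
```

A result other than `ok` for `codesigningcert` means jarsigner would sign with the self-signed certificate or find no key at all, so re-import the certificate under the key's alias before signing.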

You have successfully imported the required certificates. You are now ready to start signing your Java applets. There are a few methods of signing, either using the GlobalSign Code Signing Tool or directly with jarsigner as shown below:

jarsigner -keystore globalsign.jks -tsa http://timestamp.globalsign.com/scripts/timestamp.dll codesigner.jar "codesigningcert"

You will have successfully signed your Java application, including a timestamp. If you experience issues, please run the above command again but include -verbose within the command to see any errors. You can also verify whether you have signed your file using the following command:

jarsigner -verify codesigner.jar
jar verified.

Additional Resources:
Java Development Kit: http://www.oracle.com/technetwork/java/javase/downloads/index.html 
