Java Code Signing JKS Method - Certificate Generation and Installation
Feb 21, 2024
Article Purpose: This article provides step-by-step instructions on how to generate and install a certificate for Java Code Signing.
Note: This guide is for reissues of Code Signing orders placed before February 1, 2017. For new or renewal orders placed after February 1, 2017, please view the token-based guide found here.
Instructions
Once you have received the email with the subject "Certificate Download Ready - ORDERID: Code Signing For Sun Java Certificate for Company Name" you will be asked for a Certificate Signing Request (CSR). Using keytool, you will need to generate a new keystore.
- To generate a new keystore use the following command as an example:
keytool -genkey -alias codesigningcert -keyalg RSA -keysize 2048 -keystore globalsign.jks
- You will then be asked for the following details:
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: Your Company Name
What is the name of your organizational unit?
[Unknown]: Department
What is the name of your organization?
[Unknown]: Company Name
What is the name of your City or Locality?
[Unknown]: City
What is the name of your State or Province?
[Unknown]: State/County
What is the two-letter country code for this unit?
[Unknown]: Country
Is CN=Your Company Name, OU=Department, O=Company Name, L=City, ST=County, C=Country correct?
[no]: yes
Enter key password for codesigningcert
(RETURN if same as keystore password):
- You have now created the keystore with the relevant key and certificate information you need to create a CSR. This can be done with the following command. Note: Ensure you specify the alias for the key.
keytool -certreq -alias codesigningcert -file codesigningcert.csr -keystore globalsign.jks
Enter keystore password:
- The CSR has now been generated. Open the CSR with Notepad, or any text editing software, and paste it on the pick up page that you received via email.
- On the last page you will be presented with 2 downloads. Click to download both.
![Step 5.jpg](/download_file/view_inline/1256)
It is recommended to download the GlobalSign Root CA certificate, which can be obtained from the Root Certificate Support Article. Please note that if you have a SHA-256 certificate (issued 03/31/2014 and after), the Root certificate you will need is Root-R3.crt.
- You will now have three downloaded files. The next step is to import these using keytool. Use the following commands; the lines after each command show keytool's prompts and output:
keytool -import -v -trustcacerts -alias root -file Root-R1.crt -keystore globalsign.jks
Enter keystore password:
Certificate already exists in system-wide CA keystore under alias globalsignca
Do you still want to add it to your own keystore? [no]: yes
Certificate was added to keystore
[Storing globalsign.jks]
keytool -import -v -trustcacerts -alias intermediate -file intermediate1.cer -keystore globalsign.jks
Enter keystore password:
Certificate was added to keystore
[Storing globalsign.jks]
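It is very important that you specify the same alias as the private key when importing your certificate. Otherwise keytool stores it as a separate trusted certificate entry instead of attaching it to your private key, and you will get "Certificate was added to keystore" instead of the following: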
keytool -import -trustcacerts -alias codesigningcert -file OS2013********.cer -keystore globalsign.jks
Enter keystore password:
Certificate reply was installed in keystore
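To confirm after the import that the reply really landed on the private key's alias, the added example below (not part of GlobalSign's instructions) checks the output of `keytool -list -v`. The function name `check_alias`, the sample listings and the "Example ... CA" names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not GlobalSign's code): reads `keytool -list -v` output on stdin
# and checks that alias $1 holds the private key plus a CA-issued certificate.
check_alias() {
  awk -v want="$1" '
    { sub(/\r$/, "") }                       # tolerate Windows line endings
    /^Alias name: /  { cur = substr($0, 13); next }
    cur != want      { next }                # ignore other entries
    /^Entry type: /  { type = substr($0, 13) }
    /^Certificate chain length: / { len = $4 }
    /^Owner: /  && owner  == "" { owner  = substr($0, 8) }   # first cert only
    /^Issuer: / && issuer == "" { issuer = substr($0, 9) }
    END {
      if (type == "")                { print "MISSING: no alias " want; exit 2 }
      if (type != "PrivateKeyEntry") { print "WRONG-TYPE: " type; exit 3 }
      if (owner == issuer)           { print "SELF-SIGNED: reply not installed"; exit 4 }
      print "OK: chain length " len
    }'
}

# Constructed, abbreviated listing: reply imported under the key alias.
sample_good() { cat <<'EOF'
Alias name: codesigningcert
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=Your Company Name, O=Company Name, C=XX
Issuer: CN=Example Issuing CA, O=Example CA, C=XX
EOF
}

# Constructed listing: reply imported under a different alias ("mycert").
sample_wrong_alias() { cat <<'EOF'
Alias name: codesigningcert
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Your Company Name, O=Company Name, C=XX
Issuer: CN=Your Company Name, O=Company Name, C=XX
Alias name: mycert
Entry type: trustedCertEntry
Owner: CN=Your Company Name, O=Company Name, C=XX
Issuer: CN=Example Issuing CA, O=Example CA, C=XX
EOF
}

sample_good | check_alias codesigningcert
sample_wrong_alias | check_alias codesigningcert || true
```

Against a real keystore, pipe the listing in: `keytool -list -v -keystore globalsign.jks | check_alias codesigningcert`.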
You have successfully imported the required certificates. You are now ready to start signing your Java applets. There are a few methods of signing: either using the GlobalSign Code Signing Tool, or directly with jarsigner as shown below:
jarsigner -keystore globalsign.jks -tsa http://timestamp.globalsign.com/tsa/r6advanced1 codesigner.jar "codesigningcert"
You will have successfully signed your Java application, including a timestamp. If you experience issues, please run the above command again with -verbose included to see any errors. You can also verify that your file is signed using the following command:
jarsigner -verify codesigner.jar
jar verified.
Additional Resources:
Java Development Kit: http://www.oracle.com/technetwork/java/javase/downloads/index.html