Using a PKCS12 key for signing JAR files

Posted by Dan on Feb 27, 2008 @ 2:18 PM

We recently bought a Self-Signing Cert from Comodo through Tucow's Authors site. Through Tucows I was able to get a 3 year cert for $195—which is cheaper than a 1 year cert from either Thawte or Verisign.

I was expecting them to send me a cert via e-mail, but instead they install the certificate into the browser in which you purchased the certificate. From this point on Comodo doesn't offer any instructions on how to use the cert, so I had to do some research.

First, I'd recommend buying your cert using Firefox. If the cert gets installed into Internet Explorer, you need to jump through a bunch of hoops to generate the p12 file from the pvk format. Once you have your cert stored as a PKCS12 file, the steps for signing your Java Applet are pretty straightforward.

The instructions below show you how to sign an applet provided your personal cert has been installed into Firefox. If you already have your p12 file, then you can skip to step 11 (the directions use the filename self-sign.p12 for the exported key).

  1. Open Firefox v2.x
  2. Go to Tools > Options...
  3. Click on the Advanced button
  4. Go to the Encryption tab
  5. Click on the View Certificates button
  6. On the Your Certificates tab you should see your personal cert
  7. Click your personal cert
  8. Click the Backup button
  9. Save the file to your desktop as: self-sign.p12 (the p12 extension will be added for you automatically)
  10. Enter a password for the certificate when prompted by Firefox (you'll need this value later)
  11. Now that the cert has been exported, we need to get the "alias" so we know what to use when signing the applet.
  12. From a command prompt run:
    keytool -list -storetype pkcs12 -keystore /path/to/your/self-sign.p12

    (The keytool is a command line tool located in your JDK's /bin folder.)
  13. Enter the password you assigned in step 10
  14. You should now see some output that looks like:

    Keystore type: PKCS12
    Keystore provider: SunJSSE

    Your keystore contains 1 entry

    [Alias], Jan 1, 2008, keyEntry,
    Certificate fingerprint (MD5): hh:hh:hh:hh:hh:hh:hh:hh:hh:hh:hh:hh:hh:hh:hh:hh

    The [Alias] is a string that might look like a UUID (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) or it could just be a string of arbitrary text. The alias is the part of the entry line up to the first comma, before the date.

  15. To sign a jar, we use:
    jarsigner -storetype pkcs12 -keystore /path/to/your/self-sign.p12 yourJar.jar [Alias]

    Or if you prefer Ant, you can use something like:
    <target name="signjar" depends="jar">
      <input
        message="Please enter keystore password:"
        addproperty="keypass" />
      <signjar jar="${lib}/yourJar.jar" storetype="pkcs12"
        keystore="/path/to/your/self-sign.p12" alias="[Alias]"
        storepass="${keypass}"/>
    </target>
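The command-line steps 12 to 15 can be scripted so the alias never has to be copied by hand. The script below is an added example, not code from the original post; it assumes keytool and jarsigner are on PATH and that the keystore password is supplied in an environment variable named P12_PASS (the sample keytool listing, alias and fingerprint it parses are constructed).

```sh
#!/bin/sh
# Added example, not part of the original post: automates steps 12 to 15.
# Assumes keytool and jarsigner (from the JDK's /bin folder) are on PATH and
# that the keystore password is in the P12_PASS environment variable; the
# -storepass:env form keeps it out of the process list and shell history.

# Constructed sample of `keytool -list -storetype pkcs12` output, modelled on
# the listing in the post; the alias and fingerprint are made up.
SAMPLE_LISTING='Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

6f1c0c6e-4b4d-4a4f-9e2d-1b2c3d4e5f60, Jan 1, 2008, keyEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff'

# Step 14: the alias is the text before the first comma on the entry line.
# Older JDKs print "keyEntry", newer ones "PrivateKeyEntry"; match both and
# skip trustedCertEntry lines, which carry no private key to sign with.
alias_from_listing() {
    awk -F', ' '/, (keyEntry|PrivateKeyEntry),/ { print $1; exit }'
}

# Steps 12 and 13, run non-interactively.
keystore_alias() {
    # $1: path to the .p12 file
    keytool -list -storetype pkcs12 -keystore "$1" -storepass:env P12_PASS \
        | alias_from_listing
}

# Step 15, followed by a check the post does not show: `jarsigner -verify`
# re-validates the signature against the JAR contents, and -strict turns the
# warnings jarsigner would only print (e.g. an expired cert) into a failure.
sign_and_verify() {
    # $1: path to the .p12 file, $2: JAR to sign
    key_alias=$(keystore_alias "$1")
    if [ -z "$key_alias" ]; then   # also catches a keytool/password failure
        echo "no private key entry found in $1" >&2
        return 1
    fi
    jarsigner -storetype pkcs12 -keystore "$1" -storepass:env P12_PASS \
        "$2" "$key_alias" || return 1
    jarsigner -verify -strict "$2"
}

# Usage: P12_PASS=... sh sign-jar.sh /path/to/your/self-sign.p12 yourJar.jar
if [ $# -eq 2 ]; then
    sign_and_verify "$1" "$2"
fi
```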

I highly recommend creating an Ant build.xml script for compiling and signing your JAR. The biggest benefit is once you get it set up, there's nothing manual you need to do.

Categories: Java
