Setting Up and Using Your Oracle Java Code Signing Certificate
In Java, the process for setting up your COMODO Code Signing Certificate consists of creating a Java keystore and a Certificate Signing Request (CSR) and then, installing your COMODO generated code signing certificate file to the Keystore file from where the CSR was generated.
If you have already set up your code signing certificate and are ready to sign your Java .jar files, see the Signing Java .jar Files with Jarsigner instructions on this page.
Java CSR Creation and Codes Signing Certificate Installation
Before using these instructions, make sure that the Java Development Kit (JDK) is installed on your server or local computer. You can run the commands in this instruction wherever you have the keytool command available. After creating your CSR, make sure that you keep track of your keystore file because it contains your private key. In addition, you need the keystore file to install your COMODO Code Signing Certificate.
If you plan to run the commands in these instructions from a Windows Server, use the command prompt. Make sure that your JDK bin folder is already in your PATH environment, for example: C:\Program Files\Java\jdk1.7.0_02\bin. You can also CD into you JDK bin folder and run the keytool directly from there. If you use this option, after you create your new keystore and CSR files, you need to move them to a more useful location.
Creating a Java Keystore File and CSR
For users who are familiar with using SSL Certificates in a Java environment, the process for creating a keystore and CSR is identical.
To create the keystore and key, run the following command at the command prompt:
keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore keystore.jks
Enter the following information, as prompted:
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: Firstname Lastname or YourCompanyName
What is the name of your organizational unit?
What is the name of your organization?
[Unknown]: YourCompanyName or Firstname Lastname
What is the name of your City or Locality?
What is the name of your State or Province?
[Unknown]: YourState or YourProvince
What is the two-letter country code for this unit?
Is CN=YourCompanyName or Firstname Lastname, OU=YourDepartment, O=YourCompanyName or Firstname Lastname, L=YourCity, ST=YourState, C=US correct?
Enter key password for <server>
(RETURN if same as keystore password):
This command creates a Java keystore file called keystore.jks.
To generate the CSR from the keystore, run the following command at the command prompt:
keytool -certreq -alias server -file csr.csr -keystore keystore.jks
Enter keystore password:
The password is the same password that you used in Step 2.
This command creates a private key and a CSR and saves them as a .jks file. and as a .csr file.
When you place your code signing certificate order with COMODO, open the csr.csr file with any text editor. Then, copy and paste its contents into the CSR box in our order form.
Hold on to the keystore. Do not forget the keystore password. You need this password to install your COMODO Code Signing Certificate. You also need the keystore password each time that you use the certificate to sign code.
Installing your COMODO Code Signing Certificate
Once you have received your signed codes signing certificate file back from COMODO, you can install it into the keystore that you created when you created the CSR.
To install the certificate, run the following command at the command prompt:
keytool -import -trustcacerts -alias server -file YourName.p7b -keystore keystore.jks
You should receive a message stating, “Certificate reply was installed in keystore.”
If asked to trust the certificate, type y or yes.
Your code signing certificate is installed, and you are ready to sign code.
Signing Java .jar Files with Jarsigner
Once you have correctly installed the Certificate Authority (CA) signed code signing certificate to the keystore that you created, you are ready to start signing code. You can use Jarsigner to sign and to verify the signature on .jar files.
To sign your file, run the following command at the command prompt:
jarsigner -tsa http://timestamp.comodoca.com -keystore c:\path\to\your\keystore.jks -storepass YourPassword c:\path\to\your\file.jar YourAlias
In the command above, replace YourPassword with the password used to generate your keystore. Replace YourAlias with the appropriate alias assigned when you generated your CSR.
Note: If you used our Java Keytool CSR Wizard, the alias that was automatically generated for you is server.
This command does not provide any output to indicate that your code was successfully signed.
To verify that the .jar file was signed successfully, run the jarsigner -verify command from the command prompt:
jarsigner -verify -verbose -certs c:\path\to\your\file.jar
To confirm that your code was successfully signed, you should see an output that includes a line:
s = signature was verified