
Signing Java Code With Certum Open Source Certificates

Signing your code is probably not as easy as you think. This article shows you what it actually takes to sign your open source binaries.

By Matthew Casperson
Jul. 28, 16 · Java Zone · Tutorial


Recent versions of Java have tightened the security around code that is run from the web, which is good news for end users, but a pain for developers. These new requirements forced users of a new Java Web Start project that I have worked on to manually add security exceptions for the location the JAR files are downloaded from. This sounds like a simple thing to do, but turned out to be quite cumbersome, so I decided to get a real certificate.

Certum offers reasonably priced certificates for those working on open source projects. This is a great service for those who can’t justify hundreds of dollars a year on a certificate for code that they give away, and I bought one of these certificates for my own project.

The process of obtaining a certificate and actually signing your code with it is surprisingly hard to work out, so I thought I would document it here.

Generate a Keystore

The process starts with a keystore that you generate locally. Specify the key algorithm and size explicitly: keytool's historical default is a DSA key, public CAs only issue code-signing certificates for RSA keys, and recent JDKs refuse to generate a key pair without -keyalg at all. The prompts below show the stock keytool example values; answer them with the name and organization you will be proving to Certum, because the certificate's subject is built from these answers. Note that the keystore password is echoed here and, in the jarsigner step later, passed on the command line, so treat the keystore file and any script containing the password as secrets.

keytool -keystore clientkeystore -genkey -alias client -keyalg RSA -keysize 2048
Enter keystore password:  javacaps
What is your first and last name?
[Unknown]:  development.sun.com
What is the name of your organizational unit?
[Unknown]:  Development
What is the name of your organization?
[Unknown]:  Sun
What is the name of your City or Locality?
[Unknown]:  Monrovia
What is the name of your State or Province?
[Unknown]:  California
What is the two-letter country code for this unit?
[Unknown]:  US
Is <CN=development.sun.com, OU=Development, O=Sun, L=Monrovia, ST=California,
C=US> correct?
[no]:  yes

Enter key password for <client>
(RETURN if same as keystore password):

Export a CSR File

Next, generate a certificate signing request (CSR) for the key you just created. You'll need to provide this CSR file to Certum when you buy their certificate. The key algorithm was fixed when the key pair was generated, so -certreq takes no -keyalg option; the alias must be the one that holds the private key.

keytool -keystore clientkeystore -certreq -alias client -file client.csr

Buy a Certificate

Buy the open source certificate from Certum, and then upload the CSR file when prompted by their online process.

At this point you’ll need to email some proof of identity to Certum, like your passport and utility bills. Once your identity has been verified, Certum will get back to you with a download link to your certificate.

Import CA Certificates

Now go to https://www.certum.eu/certum/cert,expertise_root_certificates.xml and download the following PEM files:

  • Certum Certification Authority
  • Certum Trusted Network Certification Authority
  • Public Key of Certum Level III CA
  • Public Key of Certum Code Signing CA SHA2

Don’t ask me why these particular PEM files are the ones you need, but after much Googling and trial and error, this combination worked for me.

Import these PEM files into your keystore. I’ve shown the command to import one PEM file below, so you’ll need to run this 4 times replacing the file CA.pem with each of the PEM files you downloaded. You’ll also need to give each import a unique alias (I used certum1 - certum4).

keytool -import -keystore clientkeystore -file CA.pem -alias certum1

Import Your CER File

Once all 4 PEM files are imported, you can then import the CER file provided by Certum. keytool will only install the certificate if it can build a chain from it to a trusted certificate already in the keystore, which is what the four imports above provide. Import it under the same alias you used when generating the key pair (client above): keytool then treats the file as a certificate reply, checks that it matches the private key, and replaces the self-signed certificate with the full chain. If you import it under a new alias instead, keytool stores it as a separate trusted-certificate entry with no private key behind it, and jarsigner will later refuse that alias with "Certificate chain not found". After the import, listing the keystore verbosely should show the client alias as a PrivateKeyEntry with a certificate chain length greater than 1.

keytool -import -keystore clientkeystore -file mycertificate.cer -alias client

Sign Your Code

At this point you have a keystore that you can use to sign your JAR files with. Sign with the alias that holds the private key, not with an alias you gave a trusted certificate:

jarsigner -keystore clientkeystore -storepass ${PASSWORD} -keypass ${PASSWORD} myapp.jar client

Two things are worth adding in practice: pass -tsa with your CA's timestamp-server URL, because an untimestamped signature is only accepted for the lifetime of the certificate, and run jarsigner -verify -verbose -certs on the signed JAR to confirm the chain that actually shipped inside it before you publish.
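The whole procedure rehearsed end to end, as an added example that is not from the article: a throwaway CA generated with keytool stands in for Certum so the script runs offline, and it shows the pre-signing check a practitioner wants (entry type and chain length for the alias) next to the failure you get when the reply is imported under a fresh alias. All file names, aliases, DN values and the password are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original article. A local keytool-generated CA
# plays Certum's role; client.jks, wrong.jks, demo-ca, myapp.jar, the DNs and
# the password "changeit" are all constructed for this demo.
set -eu

STOREPASS=changeit   # demo only; keep real signing passwords out of scripts

have_jdk_tools() {
    command -v keytool >/dev/null 2>&1 && command -v jarsigner >/dev/null 2>&1 \
        && command -v jar >/dev/null 2>&1
}

# Throwaway CA standing in for Certum: a self-signed CA key pair, exported as PEM.
make_demo_ca() {   # $1 = CA keystore, $2 = CA certificate (PEM) to write
    keytool -genkeypair -keystore "$1" -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -alias demo-ca -keyalg RSA -keysize 2048 -validity 365 -ext bc:c \
        -dname "CN=Demo Code Signing CA, O=Demo CA, C=US"
    keytool -exportcert -keystore "$1" -storepass "$STOREPASS" -alias demo-ca -rfc -file "$2"
}

# Article step 1: the signer's key pair, RSA chosen explicitly at generation time.
make_client_keystore() {   # $1 = keystore to create
    keytool -genkeypair -keystore "$1" -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -alias client -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=Example Project, OU=Development, O=Example, L=Monrovia, ST=California, C=US"
}

# Article step 2: the CSR sent to the CA (no -keyalg; the key already fixes it).
make_csr() {   # $1 = keystore, $2 = CSR file to write
    keytool -certreq -keystore "$1" -storepass "$STOREPASS" -alias client -file "$2"
}

# What the CA does with the CSR: issue a certificate with code-signing usage.
issue_cert() {   # $1 = CA keystore, $2 = CSR, $3 = certificate (PEM) to write
    keytool -gencert -keystore "$1" -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -alias demo-ca -infile "$2" -outfile "$3" -rfc -validity 365 \
        -ext ku:c=digitalSignature -ext eku=codeSigning
}

# Article steps 3 and 4: CA chain under its own alias, then the reply under $4.
# Only when $4 is the key's alias does keytool attach the reply to the private key.
install_reply() {   # $1 = keystore, $2 = CA PEM, $3 = issued cert, $4 = reply alias
    keytool -importcert -keystore "$1" -storepass "$STOREPASS" -alias demo-ca -file "$2" -noprompt
    keytool -importcert -keystore "$1" -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -alias "$4" -file "$3" -noprompt
}

# Pre-signing checks: what kind of entry an alias holds and how long its chain is.
entry_type() {   # $1 = keystore, $2 = alias -> "PrivateKeyEntry" or "trustedCertEntry"
    keytool -list -v -keystore "$1" -storepass "$STOREPASS" -alias "$2" | sed -n 's/^Entry type: //p'
}
chain_length() {   # $1 = keystore, $2 = alias -> number; empty for a trusted-cert entry
    keytool -list -v -keystore "$1" -storepass "$STOREPASS" -alias "$2" \
        | sed -n 's/^Certificate chain length: //p'
}

sign_jar() {   # $1 = keystore, $2 = jar, $3 = alias
    jarsigner -keystore "$1" -storepass "$STOREPASS" -keypass "$STOREPASS" "$2" "$3"
}
verify_jar() {   # $1 = keystore holding the CA as a trusted entry, $2 = jar
    jarsigner -verify -verbose -certs -keystore "$1" -storepass "$STOREPASS" "$2"
}

main() {
    DEMO_DIR=$(mktemp -d)
    make_demo_ca "$DEMO_DIR/ca.jks" "$DEMO_DIR/ca.pem"
    make_client_keystore "$DEMO_DIR/client.jks"
    make_csr "$DEMO_DIR/client.jks" "$DEMO_DIR/client.csr"
    issue_cert "$DEMO_DIR/ca.jks" "$DEMO_DIR/client.csr" "$DEMO_DIR/client.cer"

    # The mistake to avoid: a copy of the keystore where the reply goes under a new alias.
    cp "$DEMO_DIR/client.jks" "$DEMO_DIR/wrong.jks"
    install_reply "$DEMO_DIR/wrong.jks" "$DEMO_DIR/ca.pem" "$DEMO_DIR/client.cer" server
    # The correct import: the reply goes under the alias that owns the private key.
    install_reply "$DEMO_DIR/client.jks" "$DEMO_DIR/ca.pem" "$DEMO_DIR/client.cer" client

    printf 'hello\n' > "$DEMO_DIR/hello.txt"
    (cd "$DEMO_DIR" && jar cf myapp.jar hello.txt)
    sign_jar "$DEMO_DIR/client.jks" "$DEMO_DIR/myapp.jar" client
    verify_jar "$DEMO_DIR/client.jks" "$DEMO_DIR/myapp.jar"

    echo "client.jks/client: $(entry_type "$DEMO_DIR/client.jks" client)," \
         "chain length $(chain_length "$DEMO_DIR/client.jks" client)"
    echo "wrong.jks/server:  $(entry_type "$DEMO_DIR/wrong.jks" server)"
    if sign_jar "$DEMO_DIR/wrong.jks" "$DEMO_DIR/myapp.jar" server 2>/dev/null; then
        echo "unexpected: signing with a trusted-cert entry succeeded"; return 1
    fi
    echo "as expected, jarsigner refuses alias 'server': there is no private key behind it"
}

if have_jdk_tools; then main; else echo "keytool/jarsigner/jar not on PATH; skipping" >&2; fi
```

Run it with a JDK on the PATH. The verbose listing is the check to make before signing for real: the alias you hand to jarsigner must be a PrivateKeyEntry whose chain length is greater than 1, and the reply import is where that goes wrong if the alias does not match the key. Against Certum, replace the demo CA with the four PEM files the article lists and the issued CER file, and add -tsa to the jarsigner call.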

Published at DZone with permission of Matthew Casperson, DZone MVB. See the original article here.
