Signing Java Code With Certum Open Source Certificates


Signing your code is probably not as easy as you think. This article shows you what it actually takes to sign your open source binaries.


Recent versions of Java have tightened the security around code that is run from the web, which is good news for end users, but a pain for developers. These new requirements forced users of a new Java Web Start project that I have worked on to manually add exceptions for the location of the JAR files being downloaded. This sounds like a simple thing to do, but turned out to be quite cumbersome, so I decided to get a real certificate.

Certum offers reasonably priced certificates for those working on open source projects. This is a great service for those who can’t justify hundreds of dollars a year on a certificate for code that they give away, and I bought one of these certificates for my own project.

The process of obtaining a certificate and actually signing your code with it is surprisingly hard to work out, so I thought I would document it here.

Generate a Keystore

The process starts with a keystore that you generate locally.

keytool -keystore clientkeystore -genkey -alias client -keyalg rsa -keysize 2048
Enter keystore password:  javacaps
What is your first and last name?
[Unknown]:  development.sun.com
What is the name of your organizational unit?
[Unknown]:  Development
What is the name of your organization?
[Unknown]:  Sun
What is the name of your City or Locality?
[Unknown]:  Monrovia
What is the name of your State or Province?
[Unknown]:  California
What is the two-letter country code for this unit?
[Unknown]:  US
Is <CN=development.sun.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US> correct?
[no]:  yes

Enter key password for <client>
(RETURN if same as keystore password):

Export a CSR file

You'll need to provide this CSR file to Certum when you buy their certificate.

keytool -keystore clientkeystore -certreq -alias client -file client.csr

Buy a Certificate

Buy the open source certificate from Certum, and then upload the CSR file when prompted by their online process.

At this point you’ll need to email some proof of identity to Certum, like your passport and utility bills. Once your identity has been verified, Certum will get back to you with a download link to your certificate.

Import CA Certificates

Now go to https://www.certum.eu/certum/cert,expertise_root_certificates.xml and download the following PEM files:

  • Certum Certification Authority
  • Certum Trusted Network Certification Authority
  • Public Key of Certum Level III CA
  • Public Key of Certum Code Signing CA SHA2

Don’t ask me why these particular PEM files are the ones you need, but after much Googling and trial and error, this combination worked for me.

Import these PEM files into your keystore. I’ve shown the command to import one PEM file below, so you’ll need to run this 4 times replacing the file CA.pem with each of the PEM files you downloaded. You’ll also need to give each import a unique alias (I used certum1 - certum4).

keytool -import -keystore clientkeystore -file CA.pem -alias certum1

Import Your CER File

Once all 4 PEM files are imported, you can then import the CER file provided by Certum. Import it under the same alias you generated the key pair with (client above), so that keytool treats it as the reply to your CSR and attaches the certificate chain to your private key; importing it under a new alias would only store it as a trusted certificate, which jarsigner cannot sign with.

keytool -import -keystore clientkeystore -file mycertificate.cer -alias client

Sign Your Code

At this point you have a keystore that you can use to sign your JAR files with.

jarsigner -keystore clientkeystore -storepass ${PASSWORD} -keypass ${PASSWORD} myapp.jar client
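The whole procedure above, as an added example script that is not part of the original article: it runs the CA imports non-interactively, checks that a full chain is attached to the private key, signs with a timestamp, and verifies the result. It assumes the keystore name clientkeystore, the key-pair alias client from the Generate a Keystore step, and PASSWORD and TSA_URL (a placeholder for your CA's RFC 3161 timestamp service) set in the environment.

```shell
#!/bin/sh
# Added example, not from the original article. Assumptions: keystore
# "clientkeystore", key-pair alias "client" (Generate a Keystore step),
# PASSWORD and TSA_URL supplied via the environment.
set -eu
KEYSTORE=${KEYSTORE:-clientkeystore}
ALIAS=${ALIAS:-client}

# Import each Certum CA PEM given as an argument as a trusted certificate under
# its own alias (certum1, certum2, ...), skipping the "Trust this certificate?" prompt.
import_ca_certs() {
  n=1
  for pem in "$@"; do
    keytool -importcert -noprompt -trustcacerts -keystore "$KEYSTORE" \
      -storepass "$PASSWORD" -file "$pem" -alias "certum$n"
    n=$((n + 1))
  done
}

# Pull "Certificate chain length: N" out of `keytool -list -v` output on stdin.
# After the CER is imported as the reply to the key pair, N should exceed 1;
# N = 1 means only the self-signed certificate is attached to the private key.
parse_chain_length() {
  sed -n 's/^Certificate chain length: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

chain_length() {
  keytool -list -v -keystore "$KEYSTORE" -storepass "$PASSWORD" -alias "$ALIAS" \
    | parse_chain_length
}

# Succeed only when jarsigner's verification output (stdin) says "jar verified."
# and contains no warning; chain and expiry problems show up here as warnings.
verify_output_clean() {
  out=$(cat)
  printf '%s\n' "$out" | grep -q '^jar verified\.' &&
    ! printf '%s\n' "$out" | grep -qi 'warning'
}

# Sign with an RFC 3161 timestamp so the signature stays valid after the
# certificate expires; TSA_URL is a placeholder for your CA's timestamp service.
sign_jar() {
  jarsigner -keystore "$KEYSTORE" -storepass "$PASSWORD" -keypass "$PASSWORD" \
    -tsa "${TSA_URL:?set TSA_URL to the timestamp service URL}" "$1" "$ALIAS"
}

# -strict makes jarsigner exit non-zero on serious problems, not just print them.
verify_jar() {
  jarsigner -verify -strict -verbose -certs "$1" | verify_output_clean
}
```

Typical use is import_ca_certs CA1.pem CA2.pem CA3.pem CA4.pem, then the keytool -import of the CER as above, then chain_length to confirm a value above 1 before sign_jar myapp.jar and verify_jar myapp.jar.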
Published at DZone with permission of