Begin by creating a user on the system who is going to be responsible for the signing process. I would recommend setting up a separate, dummy user for each client or company you are working for, so that each one has its own keystore, and one keystore password that you use consistently for that client.
$ adduser fred
$ su fred
fred@brezhnev $ cd ...
fred@brezhnev $ /usr/local/java/bin/keytool -genkey -keyalg RSA -alias fred
Note that the -keyalg option is important. If you leave it out, keytool falls back to its default key algorithm (DSA, for the keytool of this era) and the Verisign site rejects the request with the unhelpful message 'errors.100': at this stage of the key-generation process you must specify the RSA key algorithm.
You will then be asked a series of questions, as follows:
Enter keystore password:  mooface
What is your first and last name?
  [Unknown]:  Christopher Lacy-Hulbert
What is the name of your organizational unit?
  [Unknown]:  Technical Department
What is the name of your organization?
  [Unknown]:  Company name Ltd
What is the name of your City or Locality?
  [Unknown]:  London
What is the name of your State or Province?
  [Unknown]:  London
What is the two-letter country code for this unit?
  [Unknown]:  GB
Is CN=Christopher Lacy-Hulbert, OU=Technical Department, O=Company name Ltd, L=London, ST=London, C=GB correct?
  [no]:  yes

Enter key password for <fred>
        (RETURN if same as keystore password):  mooface
fred@brezhnev $
So that has just generated a key pair. The public key is wrapped in an X.509v1 self-signed certificate, which is stored as a single-element certificate chain. The certificate chain and the private key are written to a new keystore for the user (in this case fred, so ~fred/.keystore), protected by the keystore and key passwords you just entered.
Generate Certificate Request
The second stage is to generate the certificate request. This is just a block of text, containing your public key and the subject name you entered above, which is sent to the CA. They authenticate you and send back a certificate, signed by them, which vouches for your public key. That certificate is finally imported with keytool's -import option, but that's not till later. So first let's generate the Certificate Signing Request (CSR). Call keytool with the -certreq option and the correct alias (which, if you followed the suggestions earlier in this tutorial, will be the username pertaining to your company or client). The -file option tells keytool where to write the certificate request data. The file name is yours to choose (call it bertie.txt if you want; it doesn't really matter). If you don't specify a file, the data is just echoed back to your screen.
fred@brezhnev $ /usr/local/java/bin/keytool -certreq -alias fred -file cert_req.csr
Enter keystore password:  ********
So now the job is actually done - using the ls command, we can see the new file (cert_req.csr) sitting there:
fred@brezhnev $ ls -al
total 24
drwx--x--x    2 fred     users        4096 Jun 25 13:40 .
drwxr-xr-x   13 root     root         4096 Jun 25 13:23 ..
-rwx------    1 fred     users        1531 Jun 25 13:29 .bashrc
-rw-r--r--    1 fred     users        1317 Jun 25 13:31 .keystore
-rw-r--r--    1 fred     users        3394 Jun 25 13:23 .screenrc
-rw-r--r--    1 fred     users         970 Jun 25 13:40 cert_req.csr
Note that .keystore has been created world-readable (-rw-r--r--). It holds the private key, protected only by the key password, so tighten it to mode 600 before going any further; the CSR, by contrast, contains nothing secret.
And if you peek inside it you can see the certificate request data (the sample below has been deliberately altered, as the THISISNOTFORREAL markers show, so it will not decode as a real request):
fred@brezhnev $ cat cert_req.csr
-----BEGIN NEW CERTIFICATE REQUEST-----
MIICjjCCAkwCAQAwgYgxCzAJBgNVBAYTAnVrMQ8wDQYDVQQIEwZMb25kb24xDzANBgNVBAcTBkxv
bmTHISISNOTFORREALMMQ29uTHISISNOTFORREALawYDVQQLExRUZWNobmljYWwgRGVwYXJ0bWVu
dDEhMB8GA1dEAxMYQ2hyaXN0b3BoZXIgTGFjeS1IdWxiZXJ0MIIBuDCCASwGByqGSM44BAEwggEf
AoGBAP1/U4EddRIpUt9KnC7s5Of2EbdSPO9EAMMeP4C2USZpRV1AIlH7WT2NWPq/xfW6MPbLm1Vs
14E7gB00b/JmYLdrmVClpJ+f6AR7ECLCT7up1/63xhv4O1fnxqimFQ8E208UTHISISNOTFORREAL
9nXzrith1yrv8iIDGZfRSAHHAhUAl2BQjxUjC8yykrmCouuEC/BYHPUCgYEA9+GghdabPd7LvKtc
NrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRZT+sxBxCBgLRJFnEj6EwoFhO3zwkyjMim4TwWeotU
fI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhRkImog9/hWuWfBpKLZl6Ae1UlZAFMO/7P
SSoDgYUAAoGBAOTHISISNOTFORREALKzYJ/GWjUDDkdnoVyr1TMoHlYpdVy8d4obbwTtkOLuQcFZ
kkwdMceQm+K/HqGdKTJHvItHvpTRh0JJUjRju9XUTexIAm94do2bF1RbQW13kAuK59i6vOxhsoB5
Tarn2yRaz7nypePABA4AnBDzdmx2UW1goAAwCwYHKoZIzjgEAwUAAy8AMCwCFBLr6EKrTCMmrMXD
3txxTgr0jcBOAhRWl5bVZEgjHU+hN+/IihLElIG1wA==
-----END NEW CERTIFICATE REQUEST-----
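Before pasting a request into a CA's form it is worth checking what you are actually sending, in particular that the key really is RSA (the -keyalg point made earlier) and that the subject name is the one you typed. The script below is an added example, not part of the original tutorial: it decodes a PKCS#10 request with a minimal DER walker from the standard library, reports the subject DN and key algorithm, and flags a non-RSA key. Because the request printed above has been deliberately altered, the block constructs its own structurally valid sample request (placeholder key and signature bytes, no real key material) as parser input; pass a real cert_req.csr path as the first argument to inspect that instead.

```python
# Added example (not from the original tutorial): inspect a keytool CSR before
# submitting it. Standard library only; walks just enough DER to reach the
# subject name and the SubjectPublicKeyInfo algorithm OID.
import base64
import sys

KEY_ALGS = {"1.2.840.113549.1.1.1": "RSA", "1.2.840.10040.4.1": "DSA",
            "1.2.840.10045.2.1": "EC"}
DN_ATTRS = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
            "2.5.4.10": "O", "2.5.4.11": "OU"}

def der_read(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def pem_to_der(text):
    b64 = "".join(line.strip() for line in text.splitlines() if not line.startswith("-----"))
    return base64.b64decode(b64)

def inspect_csr(pem):
    """Return subject DN and key algorithm of a PKCS#10 request given as PEM text."""
    _, req, _ = der_read(pem_to_der(pem), 0)          # CertificationRequest
    info = der_children(req)[0][1]                    # CertificationRequestInfo
    _version, name, spki = der_children(info)[:3]
    subject = []
    for _, rdn in der_children(name[1]):               # each RDN is a SET of AttributeTypeAndValue
        for _, atv in der_children(rdn):
            oid, val = der_children(atv)
            dotted = decode_oid(oid[1])
            subject.append(f"{DN_ATTRS.get(dotted, dotted)}={val[1].decode()}")
    alg_oid = decode_oid(der_children(der_children(spki[1])[0][1])[0][1])
    alg = KEY_ALGS.get(alg_oid, alg_oid)
    return {"subject": ", ".join(subject), "algorithm": alg, "rsa": alg == "RSA"}

# --- constructed sample input (hypothetical request, placeholder key/signature) ---
def der_tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(chunk)
    return bytes(out)

SAMPLE_SUBJECT = [("2.5.4.6", "GB"), ("2.5.4.8", "London"), ("2.5.4.7", "London"),
                  ("2.5.4.10", "Company name Ltd"), ("2.5.4.11", "Technical Department"),
                  ("2.5.4.3", "Christopher Lacy-Hulbert")]

def make_sample_csr(key_alg_oid, subject=SAMPLE_SUBJECT):
    """Structurally valid CSR with zeroed key and signature bytes; parser input only."""
    rdns = b"".join(der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, encode_oid(o)) +
                                           der_tlv(0x13, v.encode()))) for o, v in subject)
    alg_id = der_tlv(0x30, der_tlv(0x06, encode_oid(key_alg_oid)) + b"\x05\x00")
    spki = der_tlv(0x30, alg_id + der_tlv(0x03, b"\x00" * 17))        # placeholder key
    info = der_tlv(0x30, der_tlv(0x02, b"\x00") + der_tlv(0x30, rdns) + spki + der_tlv(0xA0, b""))
    sig_alg = der_tlv(0x30, der_tlv(0x06, encode_oid("1.2.840.113549.1.1.5")) + b"\x05\x00")
    der = der_tlv(0x30, info + sig_alg + der_tlv(0x03, b"\x00" * 17))  # placeholder signature
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN NEW CERTIFICATE REQUEST-----\n{body}\n-----END NEW CERTIFICATE REQUEST-----\n"

if __name__ == "__main__":
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else make_sample_csr("1.2.840.10040.4.1")
    result = inspect_csr(pem)
    print(result)
    if not result["rsa"]:
        print("key is not RSA: regenerate with keytool -genkey -keyalg RSA before submitting")
```

Run with no arguments it inspects a DSA sample, the case keytool produces when -keyalg is forgotten, and prints the warning; run against your own cert_req.csr it should report RSA and the DN you entered at the prompts. The decoder deliberately reads only the parts it needs and does not verify the self-signature on the request; that is the CA's job, and the point here is simply to catch a wrong algorithm or a typo in the DN before you pay for a certificate that binds it.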
All you have to do now is visit the Verisign site (http://www.verisign.com/products/signing/index.html) and paste the block of text from your certificate request into their form, along with your credit card details. Verisign will then attempt to verify that you are who you say you are (i.e. that you are a trusted body) and in return will send you a signed certificate. The request carries only your public key and subject name; the keystore, and the private key inside it, never leave your machine.
I'll come back in a few days and write more about the importing process for applet signing certificates.