Applet code signing tutorial

chris (2004-06-25 15:05:29)
0 replies
This short, concise article illustrates the simple steps required to generate a code-signing certificate request, which is then submitted to a Certificate Authority (CA). Currently it seems that Verisign are the only company who can actually provide code/object signing certificates. Apparently this is due to a 'minor mistake' by Microsoft some years ago - at least that's what the dude at Geotrust told me. Equifax (a CA in the UK) echoed the claims. Anyway, I'm assuming that the user is working on a Linux/Unix computer and has a recent version of the J2SDK installed. The SDK includes the keytool and jarsigner utilities.

Begin by creating a user on the system who is going to be responsible for the signing process. I would recommend setting up a dummy user for each client/company you are working for, so that each one can have its own keystore and always use the same password...
bash $  adduser fred
bash $  su fred
fred@brezhnev $ cd

fred@brezhnev $ /usr/local/java/bin/keytool -genkey -keyalg RSA -alias fred

Note: the -keyalg option is important. If you forget it, the Verisign site will return a message saying 'errors.100' - at this stage of the keygen process you must specify the RSA key algorithm.

Anyway, you will then be asked a heap of questions, as follows:
Enter keystore password:  mooface
What is your first and last name?
  [Unknown]:  Christopher Lacy-Hulbert
What is the name of your organizational unit?
  [Unknown]:  Technical Department
What is the name of your organization?
  [Unknown]:  Company name Ltd
What is the name of your City or Locality?
  [Unknown]:  London
What is the name of your State or Province?
  [Unknown]:  London
What is the two-letter country code for this unit?
  [Unknown]:  GB
Is CN=Christopher Lacy-Hulbert, OU=Technical Department, O=Company name Ltd, L=London, ST=London, C=GB correct?
  [no]:  yes

Enter key password for <fred>
        (RETURN if same as keystore password):  mooface
fred@brezhnev $

So that has just generated a key pair. The public key is stored in an X.509v1 self-signed certificate, which is stored as a single-element certificate chain. The certificate chain and the private key are stored in a new keystore for the user (in this case fred; it lives as .keystore in his home directory).

Generate Certificate Request

Now the second stage is to generate the certificate request. This is just a bundle of text which is sent to the CA. They will then authenticate you and send back a certificate, signed by them, which authenticates your public key. That certificate is finally imported using keytool's -import option, but that's not till later. So first let's generate the Certificate Signing Request (CSR). We call keytool and pass the -certreq option with the correct alias (which, if you followed the suggestions earlier in this tutorial, will be the username pertaining to your company or client). The -file option tells keytool where to put the certificate request data. You can make this file name up - call it bertie.txt if you want. It doesn't really matter. If you don't specify a file, the data will just be echoed back to your screen.
fred@brezhnev $ /usr/local/java/bin/keytool -certreq -alias fred -file cert_req.csr
Enter keystore password:  ********

So now the job is actually done - using the ls command, we can see the new file (cert_req.csr) sitting there:
fred@brezhnev $ ls -al
total 24
drwx--x--x    2 fred users        4096 Jun 25 13:40 .
drwxr-xr-x   13 root     root         4096 Jun 25 13:23 ..
-rwx------    1 fred users        1531 Jun 25 13:29 .bashrc
-rw-r--r--    1 fred users        1317 Jun 25 13:31 .keystore
-rw-r--r--    1 fred users        3394 Jun 25 13:23 .screenrc
-rw-r--r--    1 fred users         970 Jun 25 13:40 cert_req.csr

And if you peek inside it you can see the certificate request data:
fred@brezhnev $ cat cert_req.csr

All you have to do now is visit the Verisign site and submit the block of text in your certificate request, along with your credit card details. Verisign will then attempt to verify that you are who you say you are (i.e. that you are a trusted body) and in return they will send you a signed certificate.
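As an added example (my own script, not part of the original post), here is the whole key-generation and CSR step above done non-interactively, plus a check that the resulting CSR really carries an RSA key before you paste it into the CA's form - the 'errors.100' failure mode from forgetting -keyalg. It assumes keytool and openssl are on the PATH; the function names (gen_csr, csr_key_algorithm, check_rsa_csr, demo) are mine, and the DN values are the ones from the transcript above.

```shell
#!/bin/sh
# Non-interactive keytool -genkeypair / -certreq, followed by a sanity check
# of the CSR with openssl. Assumes keytool (J2SDK) and openssl are installed.

# gen_csr KEYSTORE ALIAS PASSWORD KEYALG OUTFILE
# Generate a key pair of the given algorithm and write a PKCS#10 CSR for it.
# -dname replaces the interactive questions; -storepass/-keypass the prompts.
gen_csr() {
  ks=$1; alias=$2; pw=$3; keyalg=$4; out=$5
  keytool -genkeypair -keyalg "$keyalg" -keysize 2048 -alias "$alias" \
    -dname "CN=Christopher Lacy-Hulbert,OU=Technical Department,O=Company name Ltd,L=London,ST=London,C=GB" \
    -keystore "$ks" -storepass "$pw" -keypass "$pw" >/dev/null 2>&1 || return 1
  keytool -certreq -alias "$alias" -keystore "$ks" -storepass "$pw" \
    -file "$out" >/dev/null 2>&1
}

# csr_key_algorithm FILE
# Print the public key algorithm inside the CSR as openssl names it
# (rsaEncryption, dsaEncryption, ...).
csr_key_algorithm() {
  openssl req -in "$1" -noout -text 2>/dev/null \
    | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# check_rsa_csr FILE
# 0 if the CSR parses, its self-signature verifies and the key is RSA; else 1.
check_rsa_csr() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
  [ "$(csr_key_algorithm "$1")" = "rsaEncryption" ]
}

# demo: an RSA request must pass the check, a DSA one (the old keytool
# default when -keyalg is omitted) must be rejected. Uses a scratch dir.
demo() {
  tmp=$(mktemp -d) || return 1
  gen_csr "$tmp/good.ks" fred mooface RSA "$tmp/good.csr" || return 1
  gen_csr "$tmp/bad.ks" fred mooface DSA "$tmp/bad.csr" || return 1
  check_rsa_csr "$tmp/good.csr" && ! check_rsa_csr "$tmp/bad.csr"
  rc=$?
  rm -rf "$tmp"
  return $rc
}

demo && echo "CSR checks passed: RSA request accepted, DSA request rejected"
```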

I'll come back in a few days and write more about the importing process for applet signing certificates.

till then,