Create a keystore; I started with a p12.
Find the alias for the imported p12, if needed.
Sign the jar with jarsigner:
> jarsigner -keystore keystore.jks -tsa "www.example-tsa.com" myjartosign.jar "my alias in the keystore"
You will get a warning if you don’t pass the URL of a timestamping authority (TSA) with -tsa. I googled my certificate authority and looked up their TSA on their knowledge base.
In my case I used Comodo, and their TSA is “http://timestamp.comodoca.com/rfc3161”.
If you need to create a keystore, see “Create a Java keystore from a p12 file”. I started with a p12.
When you need your certificate out of a keystore you will need to know the alias of the certificate.
First list the keystore’s contents:
> keytool -list -keystore keystore.jks
You should expect output like this:
My websites’s comodo ca limited id, Jan 1, 2014, PrivateKeyEntry,
Certificate fingerprint (SHA1): 45:32:13:3D:F2:1D:F7:DA:84:6A:43:DF:1E:86:B3:64CB:4B:3D
The alias is everything before the first comma:
“My websites’s comodo ca limited id”
Verify the alias:
> keytool -list -keystore keystore.jks -alias "My websites’s comodo ca limited id"
If it worked it should list the above certificate info, and now you have the alias.
You will need a keystore to sign jars. In my case I was given a p12 file from my Certificate Authority. It took a while but I finally found how to make a keystore from my p12.
The destination keystore doesn’t need to exist before you import a p12; keytool creates it:
> keytool -v -importkeystore -srckeystore certificate.p12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS
Now the keystore will have the contents of the p12, which is the certificate and the key.
With the new Java update 7.51 all applets must follow new guidelines:
- All code for Applets and Web Start applications must be signed
- Permissions attribute in the manifest must be set, no default
What this means is any applet that currently exists that is not signed, has an expired certificate, or doesn’t have the permissions attribute will no longer work. As a side job I make sure photodepository.com works, and it was affected by this so here’s how to fix it.
- Buy a code signing certificate
- Re-sign your applet
- Create a txt file for the manifest additions. Here are the contents:
- Extract your jar:
> mkdir jarname
> mv jarname.jar jarname
> cd jarname
> jar xf jarname.jar
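- Remove the META-INF directory (the old manifest and signature files) from the extract, along with the original jar so it does not get packed into the new one
> rm -r META-INF/ jarname.jar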
- Rejar the applet and include the required manifest additions
> jar cfm jarname.jar ../manifestAdditions *
- Sign the jar. Here are my posts on doing the signing:
> Create a Java keystore from a p12 file
> Finding an imported certificate’s alias in a java keystore
> How to sign a jar
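To check the result of the steps above, this added example (not code from the original post) parses a jar's main manifest section and reports the Permissions attribute and any signature files in META-INF. The function names, the in-memory sample jars and the `sandbox` value are constructed for illustration.

```python
import io
import zipfile

SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")  # files jarsigner adds to META-INF


def main_attributes(manifest_text):
    """Main-section attributes of a MANIFEST.MF, keyed by lower-cased name."""
    attrs, last = {}, None
    for line in manifest_text.splitlines():
        if line == "":                      # blank line ends the main section
            break
        if line.startswith(" ") and last:   # continuation of a wrapped value
            attrs[last] += line[1:]
            continue
        name, sep, value = line.partition(":")
        if sep:
            last = name.strip().lower()     # names are case-insensitive
            attrs[last] = value.strip()
    return attrs


def audit_jar(jar_bytes):
    """Presence check only; `jarsigner -verify` validates the signature itself."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        text = (jar.read("META-INF/MANIFEST.MF").decode("utf-8")
                if "META-INF/MANIFEST.MF" in names else "")
    sigs = sorted(n for n in names if n.upper().startswith("META-INF/")
                  and n.upper().endswith(SIG_SUFFIXES))
    return main_attributes(text).get("permissions"), sigs


def build_sample_jar(manifest, signed):
    """Constructed sample jar built in memory; the signature files are dummies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        if signed:
            jar.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\r\n")
            jar.writestr("META-INF/SIGNER.RSA", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    fixed = build_sample_jar("Manifest-Version: 1.0\r\nPermissions: sandbox\r\n\r\n", True)
    old = build_sample_jar("Manifest-Version: 1.0\r\n\r\n", False)
    for label, data in (("fixed", fixed), ("old", old)):
        print(label, audit_jar(data))
```

A jar that returns `None` for the attribute or an empty signature list still needs the re-jar and signing steps.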
New website! I’ve been thinking about buying a personal domain for a while and now I did.