How to get a free codesigner certificate, and sign Java jars with it

Oracle is (rightfully!) tightening the security requirements around the .jnlp Web Start launcher more and more. Formerly, JNLP applications simply started; later, you got warning messages if they weren’t signed with a proper certificate, and in the newest versions you need to explicitly maintain a list of servers you permit execution from.

So, even as a developer of open source or freeware, you need to sign your code, which requires a certificate, which normally costs money. Unless you use the services of the nice company Unizeto, who, with their Certum certificates, give code signing certificates to open source developers for free.

To get started, sign up, and browse to the order list. Click the Activate button.

To make sure your key remains with you, you should generate the key and CSR yourself. This is done with openssl:

openssl req -out GuntramBlohm.csr -new -newkey rsa:2048 -nodes -keyout GuntramBlohm.key

Answer the questions, and you’ll get a GuntramBlohm.csr and a GuntramBlohm.key file in your current directory. Copy and paste the contents of the .csr file into the text box, and press Next.

You’ll get two emails at the address you gave openssl. One of them contains an email verification link; the other asks for the name of your open source project and its web address. Click the link in the first mail, and send the verification information to the address mentioned in the second mail.

After a while – it took 30 minutes for me – you’ll get another mail with a link stating where to download your certificate.

The page that holds your certificate has an “Install online” link, and many web tutorials tell you to use that to install your certificate and then export it from the browser. However, that only works if your browser knows the key, and it also means you need to use the same browser and computer you used when you requested the certificate. But we have the key in a separate file. So, here is what to do:

* Get the plain text PEM version of the certificate, and save it. In my example, I saved it to GuntramBlohm.crt.
* Also, get the root CA and intermediate CA certificates from Certum. They can be downloaded from https://www.certum.eu/certum/cert,expertise_root_certificates.xml. (This took me quite a while to figure out; I didn’t find a link to that page anywhere on the Certum site, and Google didn’t find it either. Finally, Google found a link to a page explaining how to code sign with Firefox, which had the link.) I downloaded the Certum Certification Authority Serial No:10020 and The Enterprise SSL Public Key of Certum Level III CA Serial No:64FE29DCCF38E030DCFFE34D05689661 certs in PEM format, and concatenated both into a chain.crt file.
* Create a pkcs12 file from the key, the certificate, and the ca chain:

openssl pkcs12 -export -in GuntramBlohm.crt -inkey GuntramBlohm.key -out GuntramBlohm.p12 -name GuntramBlohm -chain -CAfile chain.crt -caname root

You will be prompted for a password for the .p12 file – in this example, I’ll use secret.

If you want to check the contents of the .p12 file after creating it, use

openssl pkcs12 -info -nodes -in GuntramBlohm.p12

and make sure it contains your certificate, the 2 CA certificates, and your key.

Next, create a Java keystore from the .p12 file. You’ll need to provide an alias, which is the name by which you’ll refer to the key when signing:

keytool -importkeystore -deststorepass secret -destkeypass secret -destkeystore GuntramBlohm.jks -srckeystore GuntramBlohm.p12 -srcstoretype PKCS12 -srcstorepass secret -alias guntramblohm

To check the resulting .jks keystore, use

keytool -list -v -keystore GuntramBlohm.jks

Warning: if you omit the -v, keytool will tell you your keystore has 1 entry, which might confuse you, since it should contain your key, your certificate, the intermediate certificate, and the root certificate. They count as one entry because keytool stores the key together with its certificate chain as a single private key entry. -v after -list will still list all of them.

To make NetBeans sign my .jar files, I chose Run/Set Project Configuration/Customize, and in Application/Web Start pressed the Customize button once more. Then I chose ‘sign by a specific key’, set the keystore path to the .jks file, the key alias to the alias chosen earlier, and both passwords to secret.

Or, from the command line, use

jarsigner -keystore ~gbl/GuntramBlohmCodeSigning.jks -storepass secret -keypass secret DiskSpaceViewer.jar guntramblohm
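The following script is an added example, not code from the original post or from Certum. It runs the whole pipeline above end to end with a throwaway three-level chain (a demo root CA, a demo intermediate CA and a demo code-signing certificate) standing in for the Certum root, the Certum Level III intermediate and the certificate Certum issues to you, so it works offline. It adds the checks a practitioner wants at each step: that the certificate really chains to chain.crt before running pkcs12 -export, that the .p12 holds 3 certificates and 1 key, that keytool -list -v reports a chain length of 3 for the single entry, and that the jar signed with the jarsigner command from the post verifies. All file names, subjects, the alias “demo” and the password “secret” are constructed placeholders; the keytool and jarsigner steps run only when a JDK is on the PATH and report “skipped” otherwise.

```shell
#!/bin/sh
# Added example, not code from the original post. A throwaway three-level chain
# (root CA, intermediate CA, code-signing leaf) stands in for the Certum root,
# the Certum Level III intermediate and the certificate Certum issued to you.
# All file names, subjects, the alias "demo" and the password "secret" are
# constructed placeholders. Needs openssl; the keytool/jarsigner steps run only
# when a JDK is on the PATH and report "skipped" otherwise.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
PASS=secret

# Extension profiles: CA certificates may sign other certificates, the leaf may only sign code.
cat > ca_ext.cnf <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
cat > leaf_ext.cnf <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=codeSigning
EOF

# Stand-ins for the two CA certificates you download from Certum, concatenated into chain.crt as in the post.
gen_demo_cas() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" -keyout root.key -out root.csr 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca_ext.cnf -out root.crt 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Level III CA" -keyout inter.key -out inter.csr 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial -days 30 \
        -extfile ca_ext.cnf -out inter.crt 2>/dev/null
    cat root.crt inter.crt > chain.crt
}

# Your own key and CSR (the post's first openssl command), then the certificate the CA returns for it.
gen_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Developer" -keyout demo.key -out demo.csr 2>/dev/null
    openssl x509 -req -in demo.csr -CA inter.crt -CAkey inter.key -CAcreateserial -days 30 \
        -extfile leaf_ext.cnf -out demo.crt 2>/dev/null
}

# Check 1: the certificate really chains to the CA bundle. A wrong or incomplete chain.crt
# otherwise makes "pkcs12 -export -chain" fail or produce a bundle Java cannot validate.
verify_chain() {
    if openssl verify -CAfile chain.crt demo.crt >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# The post's pkcs12 command with the demo names; -passout avoids the interactive prompt.
build_p12() {
    openssl pkcs12 -export -in demo.crt -inkey demo.key -out demo.p12 -name demo \
        -chain -CAfile chain.crt -caname root -passout "pass:$PASS"
}

# Check 2: what the .p12 holds. Expect 3 certificates (yours plus the 2 CAs) and 1 private key.
count_p12_certs() { openssl pkcs12 -in demo.p12 -passin "pass:$PASS" -nokeys | grep -c 'BEGIN CERTIFICATE'; }
count_p12_keys()  { openssl pkcs12 -in demo.p12 -passin "pass:$PASS" -nocerts -nodes | grep -c 'BEGIN.*PRIVATE KEY'; }

# Check 3: the post's keytool import, then the chain length that only "keytool -list -v" reveals
# (plain "-list" reports a single entry because key and chain form one PrivateKeyEntry).
jks_chain_length() {
    command -v keytool >/dev/null 2>&1 || { echo skipped; return 0; }
    rm -f demo.jks
    keytool -importkeystore -deststorepass "$PASS" -destkeypass "$PASS" -destkeystore demo.jks \
        -srckeystore demo.p12 -srcstoretype PKCS12 -srcstorepass "$PASS" \
        -srcalias demo -destalias demo -noprompt >/dev/null 2>&1 || { echo skipped; return 0; }
    keytool -list -v -keystore demo.jks -storepass "$PASS" 2>/dev/null \
        | sed -n 's/^Certificate chain length: //p' | head -n 1
}

# Check 4: sign a constructed jar with the post's jarsigner command and verify the signature.
sign_and_verify_jar() {
    { [ -f demo.jks ] && command -v jarsigner >/dev/null 2>&1 && command -v jar >/dev/null 2>&1; } \
        || { echo skipped; return 0; }
    echo 'constructed payload' > hello.txt
    jar cf demo.jar hello.txt
    jarsigner -keystore demo.jks -storepass "$PASS" -keypass "$PASS" demo.jar demo >/dev/null 2>&1
    if jarsigner -verify demo.jar 2>/dev/null | grep -q 'jar verified'; then echo verified; else echo FAIL; fi
}

gen_demo_cas
gen_leaf
build_p12
echo "chain verify:      $(verify_chain)"
echo "p12 certificates:  $(count_p12_certs), private keys: $(count_p12_keys)"
echo "jks chain length:  $(jks_chain_length)"
echo "jar signature:     $(sign_and_verify_jar)"
```

With a real Certum certificate, replace the demo root and intermediate with the two PEM files downloaded from Certum and demo.crt/demo.key with your own certificate and key; the checks stay the same. The chain verification before pkcs12 -export is the step worth keeping: a .p12 built from the wrong CA bundle still looks fine to keytool, but jarsigner will then warn that the signer’s certificate chain cannot be validated and Web Start will treat the jar as untrusted.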
