Tuesday, July 30, 2013

Java code signing with a StartSSL Object Code certificate

Create a key and a certificate signing request with OpenSSL:
openssl req -new -newkey rsa:4096 -keyout your_key.pem -out your_csr.pem

On the StartSSL site, under “Object Code Signing” in the second tab of the StartSSL control panel, paste the content of the your_csr.pem file and submit it. At the end of this procedure you receive the certificate in a text field; save it into a text file, for example under the name your_cert.pem.

keytool can't import a key pair directly for now, but it can import a keystore in a different store format. That is why an intermediate keystore holding the key pair must be created, using the pkcs12 store type:
openssl pkcs12 -export -in your_cert.pem -inkey your_key.pem -out your_keypair.p12 -name YourAlias
During execution of this command you will be prompted for the your_key.pem pass phrase that was entered on key generation, and for a new export password.

Now create the final keystore in the JKS store type and add the StartSSL base certificates so that the certificate chain is complete (this step is required because the StartSSL root and intermediate certificates are not yet included in the JDK's default trust store):
keytool -import -noprompt -trustcacerts -alias startcom.ca -file ca.crt -keystore your_keystore.jks -storepass <your_keystore_pass>
keytool -import -alias startcom.ca.sub -file sub.class2.code.ca.crt -keystore your_keystore.jks -storepass <your_keystore_pass>

The final step is to add the key pair from the intermediate keystore to the final keystore:
keytool -importkeystore -destkeystore your_keystore.jks -deststorepass <your_keystore_pass> -destkeypass <your_key_pass> -srckeystore your_keypair.p12 -srcstoretype PKCS12 -srcstorepass <your_keypair_pass> -alias YourAlias

Now you can sign your jar with the created key:
jarsigner -verbose -keystore your_keystore.jks -storepass <your_keystore_pass> -keypass <your_key_pass> YourJar.jar YourAlias

Check that the jar was signed correctly:
jarsigner -verbose -verify -certs YourJar.jar -keystore your_keystore.jks
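As an added example (not part of the original post), the same check done programmatically, the way a launcher or updater would verify a jar before loading it: every content entry must be signed and every signer's certificate path must validate against the trusted CA entries imported into your_keystore.jks above. The jar path, keystore path and store password are passed as command-line arguments and are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.PKIXParameters;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarSignatureCheck {

    // Returns true only if every content entry is signed and each signer's
    // certificate path chains to a trusted certificate entry of the keystore
    // (the StartSSL CA certificates added with "keytool -import -trustcacerts").
    static boolean verify(String jarPath, String keystorePath, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, storePass);
        }
        // Trust anchors come from the keystore; revocation checking is disabled
        // here because no CRL/OCSP source is configured in this example.
        PKIXParameters params = new PKIXParameters(ks);
        params.setRevocationEnabled(false);
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");

        try (JarFile jar = new JarFile(jarPath, true)) {   // true = verify digests
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                // Signers are only populated once the entry has been read to EOF;
                // a SecurityException during the read means a digest mismatch.
                try (InputStream is = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (is.read(buf) != -1) { /* consume */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    System.out.println("unsigned entry: " + entry.getName());
                    return false;
                }
                for (CodeSigner signer : signers) {
                    // Validate at the signing time if the signature carries a timestamp,
                    // otherwise at "now" (an expired signing cert then fails validation).
                    PKIXParameters p = (PKIXParameters) params.clone();
                    if (signer.getTimestamp() != null) p.setDate(signer.getTimestamp().getTimestamp());
                    validator.validate(signer.getSignerCertPath(), p); // throws if untrusted
                }
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        System.out.println(verify(args[0], args[1], args[2].toCharArray()) ? "verified" : "NOT verified");
    }
}
```

Run it as `java JarSignatureCheck YourJar.jar your_keystore.jks <your_keystore_pass>`; an untrusted or broken chain surfaces as a CertPathValidatorException rather than a silent pass.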