Certified and signed JAR files

This should help you if you want to sign a Java application using a trusted certification authority (in this case the DFN). It is a rather complicated process, so here are the essential steps. The main tools used are keytool and jarsigner from the Java package.

First you have to create a key pair whose certificate is only self-signed. Choose a password which you use nowhere else, because it will probably end up in scripts or Makefiles: you do not want to type it every time you create a jar.

keytool -genkeypair -keyalg RSA -keysize 2048 -validity 1825 -keystore programmname.keystore -alias programmname -storepass password

If you want this key certified by the DFN, then O=Universitaet Bielefeld, L=Bielefeld, ST=Nordrhein-Westfalen, C=DE are fixed. Your name will be checked against your passport later!

Enter the details like this (to skip the interactive prompts you could add the option -dname "CN=<Your Name>, OU=CeBiTec, O=Universitaet Bielefeld, L=Bielefeld, ST=Nordrhein-Westfalen, C=DE" to the command above):

What is your first and last name?
  [Unknown]:  <Your Name>
What is the name of your organizational unit?
  [Unknown]:  CeBiTec (for example)
What is the name of your organization?
  [Unknown]:  Universitaet Bielefeld
What is the name of your City or Locality?
  [Unknown]:  Bielefeld
What is the name of your State or Province?
  [Unknown]:  Nordrhein-Westfalen
What is the two-letter country code for this unit?
  [Unknown]:  DE
Is CN=<Your Name>, OU=CeBiTec, O=Universitaet Bielefeld, L=Bielefeld, ST=Nordrhein-Westfalen, C=DE correct?
  [no]:  yes

After this step you have to export a certificate signing request (CSR):

keytool -keystore programmname.keystore -alias programmname -storepass password -certreq -file program.pem

Submit the resulting file program.pem at Zertifikate/Serverzertifikat on the following page: https://pki.pca.dfn.de/uni-bielefeld-ca/cgi-bin/pub/pki

For “Zertifikatsprofil” choose “Web Server”. This will have to be changed later, because the correct profile, “Code Signing”, cannot be chosen in this web form.

After filling in the form you have to print a request form which you can download. Fill in the necessary information and go to mathias.blunk at uni-bielefeld.de (V0-241). Tell him that he has to change the role (Rolle) of the certificate from “Web Server” to “Code Signing” before approval. If he has objections to changing the role, ask him to write a mail to the DFN-CA asking for their policy on changing the role for code signing. He will check the information and submit the request. After that you will receive your personal certificate by email at the specified address within minutes.

Integrating the certificate, however, is a bit tricky. First you have to install the chain of certificates which are higher in the hierarchy. Download the “Wurzelzertifikat”, “DFN-PCA Zertifikat” and “HRZ Uni Bielefeld CA Zertifikat” from the following URL: https://pki.pca.dfn.de/uni-bielefeld-ca/cgi-bin/pub/pki?cmd=getStaticPage;name=index;id=2

Then import each one into your keystore under its own alias:

keytool -keystore programmname.keystore -storepass password -importcert -trustcacerts -file g_rootcert.crt -alias rootca
keytool -keystore programmname.keystore -storepass password -importcert -trustcacerts -file g_intermediatecacert.crt -alias intermediateca
keytool -keystore programmname.keystore -storepass password -importcert -trustcacerts -file g_cacert.crt -alias ca

After that you can import the certificate which you received by mail. Use the same alias as the key pair, so that the certified certificate replaces the self-signed one:

keytool -keystore programmname.keystore -alias programmname -storepass password -importcert -trustcacerts -file myCertificate.pem

After that you can sign your application by first creating a jar file and then calling:

jarsigner -keystore /path/to/keystore/programmname.keystore -storepass password jarfile.jar programmname

The last argument is the alias of your key in the keystore. I recommend putting this in a Makefile.

In case of multiple dependent jars, you should first try to sign them all with your certificate. If that fails, this can have a number of reasons. The most probable one is that the jar has already been signed by someone else, in which case a rare error can occur which is related to the manifest entry of a signature in the jar file. Simply unzip the jar file, remove the signing information (the signature files in META-INF and the per-entry digest sections of the manifest) and zip it again. Then you should be able to sign it. This procedure can also be used if you depend on an already signed jar whose signature has expired. Nonetheless, this should only be done if you are sure that you can trust the code contained in those third-party jar files.
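The unzip, remove, zip step above, as an added Python example (not from the original page) using the standard zipfile module instead of unzip/zip: it drops META-INF/*.SF, *.RSA, *.DSA and *.EC and cuts MANIFEST.MF down to its main section, so the per-entry digests of the old signer are gone. The sample jar it builds is constructed for demonstration only.

```python
import io
import re
import zipfile

# Signature file and signature block suffixes defined by the JAR specification.
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def is_signature_entry(name: str) -> bool:
    """True for signature entries directly inside META-INF (not in subfolders)."""
    if not name.upper().startswith("META-INF/"):
        return False
    rest = name[len("META-INF/"):]
    return "/" not in rest and rest.upper().endswith(SIGNATURE_SUFFIXES)


def strip_manifest(manifest: bytes) -> bytes:
    """Keep only the main section; the 'Name:/SHA-256-Digest:' sections are dropped."""
    text = manifest.decode("utf-8")
    main = re.split(r"\r?\n\r?\n", text, maxsplit=1)[0]  # sections end at a blank line
    return (main.rstrip("\r\n") + "\r\n\r\n").encode("utf-8")


def strip_signatures(src: bytes) -> bytes:
    """Return the jar bytes without the old signature, ready for jarsigner."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(src)) as zin, zipfile.ZipFile(out, "w") as zout:
        for info in zin.infolist():
            if is_signature_entry(info.filename):
                continue  # old VENDOR.SF / VENDOR.RSA etc. are not copied
            data = zin.read(info.filename)
            if info.filename.upper() == "META-INF/MANIFEST.MF":
                data = strip_manifest(data)
            zout.writestr(info.filename, data)
    return out.getvalue()


def build_signed_like_jar() -> bytes:
    """Constructed sample: a jar that looks as if someone else had signed it."""
    manifest = (b"Manifest-Version: 1.0\r\nCreated-By: example\r\n\r\n"
                b"Name: com/example/Main.class\r\nSHA-256-Digest: AAAA\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("META-INF/VENDOR.SF", b"Signature-Version: 1.0\r\n")
        z.writestr("META-INF/VENDOR.RSA", b"\x30\x82")  # placeholder, not real PKCS#7
        z.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def entry_names(jar: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(jar)) as z:
        return z.namelist()


def manifest_of(jar: bytes) -> bytes:
    with zipfile.ZipFile(io.BytesIO(jar)) as z:
        return z.read("META-INF/MANIFEST.MF")
```

Run it on a real jar with strip_signatures(open("dep.jar", "rb").read()), write the result to a new file and sign that with the jarsigner call above.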