Wednesday, 20 January 2010

How to import a CA certificate into java

How to
import a private and public key for jarsigning

The Sun keytool command does not support importing a private key. This is a very serious problem if you have bought a CA-signed certificate for your site and need to sign JAR files. Unless a CA-signed certificate is used, then JNLP (Java WebStart) applicatioins that require permissions to run (which they will nearly always do) will always prompt the user to grant access to run. The message tells that user that this is strongly not recommended. Not useful for JNLP-deplayed applications!

Keytool assumes that you will use the -genkey option to generate a new public/private key pair which is not useful for established ISPs and software houses! Almost without exception a SSL-using, CA-signed certificated owning organisation would have used openssl to generate the public/private keys and the CSR sent to the CA for signing. This allows the certificate to be used by Apache and other applications.

So the answer is to import the private key into the java keystore or cacerts file. Unfortunately, as keytool doesn't support this, you are at a dead end. However, a little known trick is that .p12 files can be used as keystore files. So if you export your private and public keys into a .p12 file, you can then import your CA-signed certificate and Bob's your Uncle.

First of all, make certain that your existing pem file contains the CA certificate. I.e. That it's the complete keyring with both the private and public keys contained ready for use with code signing.

This is how to export your existing pem files into a p12 format:

openssl pkcs12 -export -in -out .p12-name ""

You can verify that the Java utlities can read this by doing a list in keytool. This is how:

keytool -keystore -list -storetype pkcs12 ""

Now you are ready to code sign! Just make sure that you put the keystore type in the front part of the command and also that you give the path to the p12 file. Here is an example:

$JAVA_HOME/bin/jarsigner -keystore < path to p12 file> -storetype pkcs12 myfile.jar ""


No comments:

Post a Comment