Signing Adobe AIR® Applications

If you need to publish your Adobe Flash code for your AIR applications an EV Code Signing Certificate is a great way to go. With an EV Code Signing Certificate you will get all the benefits of extended validation that you and your customers deserve. Your customers will get the assurance of knowing your company has gone through the rigorous vetting standards before you were issued your certificate, and you will employ a hardware requirement to help keep your private key safe.

Buy an EV Code Signing Certificate Today!

Buy Now

Configuring the Java JDK to use the eToken

First you will need to configure Java to use the PKCS#11 token. Since you may be using a few different versions of the Java Runtime Environment (JRE) or Java Development Kit (JDK) you will probably need to modify the folder paths to match the particular version installed to your computer. Change the ** to match the specific version you are using.

  1. Download the JDK (even if you are using a 64-bit version of Windows the 32 bit JDK is required).
    version 6 version 7

  2. Open notepad and copy and paste the following 2 lines into the document, and save this file as C:\eToken.cfg
    e.g. for JDK 1.6 C:\Program Files (x86)\Java\jdk1.6.0_**\bin
    e.g. for JDK 1.7 C:\Program Files (x86)\Java\jdk1.7.0_**\bin

    Note: If you are running a 32-bit version of Windows the Java JDK will be installed in C:\Program Files\Java\...


  3. Run Wordpad (Start > Accessories > Wordpad) and open the file from your Java Runtime Environment (JRE) installation.
    e.g. C:\Program Files\Java\jre1.7**\lib\security

    Search the file (Ctrl + F) for the following line:

    If it isn't already present add the following line right after the line above: /etoken.cfg

    Note: /etoken.cfg is the path to the etoken.cfg file, and cannot contain a drive letter, i.e. it must be on the same drive as the JDK installation.

    When Wordpad asks if you want to save the file as a text-only document choose yes.

  4. In Windows explorer, go to the folder 'C:\Program Files\Java\jdk1.7**\' hold shift down and right-click on the bin folder and choose 'Open Command Prompt here':

    Open Command Prompt in Windows Explorer

  5. Run the following command to find out which token slot your certificate is stored in:

    keytool -keystore NONE -storetype PKCS11 -list

    This command will display a lot of information. You need to scroll to the top where the information starts, and look for a line like this:

    Slots with tokens:# ('#' will be a number e.g. 0, or 2).
    If the slot used is 0, skip step 6.

    Keytool command output showing the certificate slot number on the hardware token.

    Remove the eToken device from the USB drive for a few seconds then plug it back in since it only allows you to run one keytool command at a time.

  6. Open the file etoken.cfg you created in step 2, and change the value after 'slot=' to match the slot from the previous keytool command then save the file.


    Note: 0 is the default slot, if you have added additional certificates to the token or re-keyed/re-issued your certificate may have a different number than the default.

  7. If you are using a 64-bit version of Windows you may be having issues when running the ADT command because PKCS11 access is only supported in the 32-bit version of the JRE. That being the case you may need to make sure the path listed for the JRE is pointing to the 32-bit version of Java instead of the 64-bit version.

    Open the Advanced System Settings to edit the path:
    Start > Control Panel > System > Advanced System Settings > click the Advanced tab > Environment Variables

    Add the path to the 32-bit version of the JDK for the version you are using line to the end of the path Variable Value as shown below:
    (existing path variables);C:\Program Files\Java\jdk1.6.0_**\bin

    After editing that path paste it into the Variable value and click Ok.

Sign Code through the Command-Line Utility ADT

Before running the ADT command it is a good idea to make sure that it is using the 32-bit version of Java instead of the 64-bit one.

  1. Go to the folder where you downloaded the Adobe Air SDK, and go to the bin subfolder.

  2. Make a backup of the file adt.bat (e.g. make a copy so it says 'adt - copy.bat').

  3. Edit adt.bat to point to the 32-bit JDK installation:

    "C:\Program Files (x86)\Java\jdk1.7.0_05\bin\java.exe" -jar "%~dp0\..\lib\adt.jar" %*

  4. Run the ADT command on a single line to sign your app:

    adt -sign -tsa -storetype PKCS11 -providerName SunPKCS11-eToken "path\to\YourApp.air"

    If the command runs successfully it should ask you for your password and then have a blank line after completion and return you to the commandline. Your AIR file should now be successfully signed by your EV Code Signing Certificate.

Follow the steps below to use the command-line tool 'Air Development Tool' to sign your Adobe AIR applications using your EV Code Signing Certificate.


If you want ADT to list all of the certificates on your device, run the following command (note your token must be plugged in before running this command):

Additional Helpful Keytool and ADT Command Options

To list all of the certificates in the current user account (this will include personal certificates or standard non-EV Code Signing Certificates).

keytool -list -storetype Windows-MY

You can then use the -alias command listed further.

To list certificates by their alias, run the following command:

keytool -list -keystore NONE -storetype PKCS11 -providerClass -providerArg "c:\eToken.cfg"

With the ADT command you can specify a particular certificate to use with '-alias CN=YourCompany, Inc.' like this:

adt -alias "CN=YourCompany, Inc." -storetype PKCS11 -providerName -tsa "path\to\AIRappToSign"

Error Messages

"requested provider is not available"
This error message could mean a couple different things. First, you might be trying to use the ADT command using the 64-bit java installation, or you don't have security.lib file configured correctly pointing to the etoken.cfg file.

"Could not generate timestamp: handshake alert: unrecognized_name"
This means you forgot the -tsa line

"Unable to build a valid certificate chain for the signer"
This means you don't have the chain certificate (i.e. intermediate), and root certificate installed installed onto your device, and you will need to reinitialize your device and re-key your certificate.

"keytool error: PKCS11 not found"
This error comes up when trying to run the keytool command from the 64 bit Java installation (C:\Program Files\Java\jdk**\bin\) instead of the 32 bit one (C:\Program Files (x86)\Java\jdk**\bin\).