Set up and use your Oracle Java code signing certificate
In Java, the process for setting up your DigiCert® Code Signing Certificate consists of (1) creating a Java Keystore and a Certificate Signing Request (CSR) and then (2) installing your DigiCert generated code signing certificate file to the Keystore file from where the CSR was generated.
If you already set up your code signing certificate and are ready to sign your Java .jar files, see our Sign Java .jar files with jarsigner instructions.
Java CSR Creation and Codes Signing Certificate Installation
Before you begin
Make sure you have installed the Java Development Kit (JDK) on your server or local computer. You can run the commands in these instructions wherever you have the keytool command available.
After creating your CSR, make sure to track your keystore file. This file contains your private key. In addition, you need the keystore file to install your issued DigiCert® Code Signing certificate.
If you plan to run the commands in these instructions from a Windows Server, use the command prompt. Ensure that your JDK bin folder is already in your PATH environment, for example, C:\Program Files\Java\jdk1.7.0_02\bin. You can also change directories into your JDK bin folder and run the keytool directly from there. If you use this option, after you create your new keystore and CSR files, you will need to move them to a more useful location.
Create a Java Keystore file and CSR
If you are familiar with using TSL/SSL certificates in a Java environment, creating a keystore and CSR for a code signing certificate is identical. See Java Keytool CSR Creation.
In the command prompt, run the command below to create the keystore and key.
keytool -genkey -alias server -keyalg RSA -keysize 4096 -keystore keystore.jks
Enter the information below, as prompted.
This command creates a Java Keystore file called keystore.jks.
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: Firstname Lastname or YourCompanyName
What is the name of your organizational unit?
What is the name of your organization?
[Unknown]: YourCompanyName or Firstname Lastname
What is the name of your City or Locality?
What is the name of your State or Province?
[Unknown]: YourState or YourProvince
What is the two-letter country code for this unit?
Is CN=YourCompanyName or Firstname Lastname, OU=YourDepartment, O=YourCompanyName or Firstname Lastname, L=YourCity, ST=YourState, C=US correct?
Enter key password for <server>
(RETURN if same as keystore password):
In the command prompt, run the command below to generate the CSR from the keystore.
This command creates a private key and a CSR and saves them as a .jks file. and as a .csr file.
The password is the same password that you used in Step 2.
keytool -certreq -alias server -file csr.csr -keystore keystore.jks
Enter keystore password:
When placing your code signing certificate order with DigiCert, open the csr.csr file with any text editor. Then, copy and paste the contents into the CSR box in our order form.
Hold on to the keystore. Do not forget the keystore password. You need this password to install your DigiCert® Code Signing certificate. You also need the keystore password each time that you use the certificate to sign code.
Install your DigiCert® Code Signing certificate
Once you have the signed code signing certificate file from DigiCert, install it in the keystore you created when creating the CSR.
In the command prompt, run the command below to install the certificate.
keytool -import -trustcacerts -alias server -file YourName.p7b -keystore keystore.jks
You will receive a message stating: "Certificate reply was installed in keystore."
If asked to trust the certificate, type y or yes.
You've installed your code signing certificate and are ready to sign code.
Sign Java .jar files with jarsigner
After correctly installing the Certificate Authority (CA) signed code signing certificate in the keystore you created, you are ready to start signing code. Use jarsigner to sign and verify the signature on .jar files.
In the command prompt, run the command below to sign your file.
Replace YourPassword with the password used to generate your keystore. Replace YourAlias with the appropriate alias assigned when you generated your CSR.
If you used our Java Keytool CSR Wizard, the alias automatically generated for you is server.
jarsigner -tsa http://timestamp.digicert.com -keystore c:\path\to\your\keystore.jks -storepass YourPassword c:\path\to\your\file.jar YourAlias
Note: This command does not provide any output to indicate that your code was successfully signed.
In the command prompt, run the jarsigner -verify command below to verify the .jar file was signed successfully.
jarsigner -verify -verbose -certs c:\path\to\your\file.jar
You will see an output that includes the line below confirming your code was signed successfully.
s = signature was verified
Get code signing certificates for just $474/yearBuy Now