Set up and use your Oracle Java code signing certificate

In Java, the process for setting up your DigiCert® Code Signing Certificate consists of (1) creating a Java Keystore and a Certificate Signing Request (CSR) and then (2) installing the code signing certificate file that DigiCert issues into the same keystore file that the CSR was generated from.
If you already set up your code signing certificate and are ready to sign your Java .jar files, see our Sign Java .jar files with jarsigner instructions.
Java CSR Creation and Code Signing Certificate Installation
Before you begin
Make sure you have installed the Java Development Kit (JDK) on your server or local computer. You can run the commands in these instructions wherever you have the keytool command available.
After creating your CSR, keep track of your keystore file. This file contains your private key. In addition, you need the keystore file to install your issued DigiCert® Code Signing certificate.
If you plan to run the commands in these instructions from a Windows Server, use the command prompt. Ensure that your JDK bin folder is already in your PATH environment variable, for example, C:\Program Files\Java\jdk1.7.0_02\bin. You can also change directories into your JDK bin folder and run keytool directly from there. If you use this option, after you create your new keystore and CSR files, you will need to move them to a more useful location.
Create a Java Keystore file and CSR
If you are familiar with using TLS/SSL certificates in a Java environment, the process of creating a keystore and CSR for a code signing certificate is identical. See Java Keytool CSR Creation.
1. In the command prompt, run the command below to create the keystore and key. This command creates a Java Keystore file called keystore.jks.
   keytool -genkey -alias server -keyalg RSA -keysize 4096 -keystore keystore.jks
2. Enter the information below, as prompted.
   Enter keystore password:
   Re-enter new password:
   What is your first and last name?
   [Unknown]: Firstname Lastname or YourCompanyName
   What is the name of your organizational unit?
   [Unknown]: YourDepartment
   What is the name of your organization?
   [Unknown]: YourCompanyName or Firstname Lastname
   What is the name of your City or Locality?
   [Unknown]: YourCity
   What is the name of your State or Province?
   [Unknown]: YourState or YourProvince
   What is the two-letter country code for this unit?
   [Unknown]: US
   Is CN=YourCompanyName or Firstname Lastname, OU=YourDepartment, O=YourCompanyName or Firstname Lastname, L=YourCity, ST=YourState, C=US correct?
   [no]: yes
   Enter key password for <server>
   (RETURN if same as keystore password):
3. In the command prompt, run the command below to generate the CSR from the keystore.
   - With this command, you now have a private key and a CSR, saved as a .jks file and as a .csr file respectively.
   - The password is the same password that you used in Step 2.
   keytool -certreq -alias server -file csr.csr -keystore keystore.jks
   Enter keystore password:
4. When placing your code signing certificate order with DigiCert, open the csr.csr file with any text editor. Then, copy and paste the contents into the CSR box in our order form.
Note:
Hold on to the keystore. Do not forget the keystore password. You need this password to install your DigiCert® Code Signing certificate. You also need the keystore password each time that you use the certificate to sign code.
Install your DigiCert® Code Signing certificate
Once you have the signed code signing certificate file from DigiCert, install it in the keystore you created when creating the CSR.
1. In the command prompt, run the command below to install the certificate.
   keytool -import -trustcacerts -alias server -file YourName.p7b -keystore keystore.jks
2. You will receive a message stating: "Certificate reply was installed in keystore."
3. If asked to trust the certificate, type y or yes.
You've installed your code signing certificate and are ready to sign code.
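Added example (not DigiCert's own script): the keystore and CSR steps run without prompts, with the keystore password read from an environment variable instead of being typed or passed as an argument, plus two checks: the CSR subject before you submit it, and the certificate chain length after you install the reply. KS_PASS, the function names and the DN you pass in are assumptions; -genkeypair is keytool's current name for -genkey.

```shell
#!/bin/sh
# Added example. Assumes the caller has exported KS_PASS (hypothetical
# variable name) holding the keystore password.
ALIAS=server

# usage: make_keystore_and_csr keystore.jks csr.csr "CN=..., O=..., C=US"
make_keystore_and_csr() {
  ks=$1; csr=$2; dname=$3
  ( umask 077   # the keystore holds the private key: create it owner-only
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 4096 \
      -dname "$dname" -keystore "$ks" \
      -storepass:env KS_PASS -keypass:env KS_PASS ) || return 1
  keytool -certreq -alias "$ALIAS" -file "$csr" -keystore "$ks" \
    -storepass:env KS_PASS
}

# Print the subject recorded in the CSR so it can be reviewed before ordering.
csr_subject() {
  keytool -printcertreq -file "$1" | sed -n 's/^Subject: *//p'
}

# Print the chain length stored under the alias. A fresh keystore reports 1
# (self-signed). Assumption: the issued .p7b carries the issuing chain, so
# the value is greater than 1 once the certificate reply is installed.
chain_length() {
  keytool -list -v -alias "$ALIAS" -keystore "$1" -storepass:env KS_PASS |
    sed -n 's/^Certificate chain length: *//p'
}
```

A chain length that is still 1 after the import step means the reply was not installed under the alias that holds the private key.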
Sign Java .jar files with jarsigner
After correctly installing the Certificate Authority (CA) signed code signing certificate in the keystore you created, you are ready to start signing code. Use jarsigner to sign and verify the signature on .jar files.
1. In the command prompt, run the command below to sign your file.
   Replace YourPassword with the password used to generate your keystore. Replace YourAlias with the appropriate alias assigned when you generated your CSR.
   If you used our Java Keytool CSR Wizard, the alias automatically generated for you is server.
   jarsigner -tsa http://timestamp.digicert.com -keystore c:\path\to\your\keystore.jks -storepass YourPassword c:\path\to\your\file.jar YourAlias
   Note: This command does not provide any output to indicate that your code was successfully signed.
2. In the command prompt, run the jarsigner -verify command below to verify the .jar file was signed successfully.
   jarsigner -verify -verbose -certs c:\path\to\your\file.jar
3. You will see output that includes the line below confirming your code was signed successfully.
   s = signature was verified
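Added example, not part of DigiCert's instructions: a shell check that reads the jarsigner -verify -verbose -certs output and fails unless the final status is "jar verified." and every content entry carries the s flag, which catches a file added to the .jar after signing. The sample output is constructed, the function names are hypothetical, and the column layout and English date locale are assumptions.

```shell
#!/bin/sh
# Added example. Constructed sample modelled on the layout of
# `jarsigner -verify -verbose -certs` output: flags, size, date, entry name.
sample_with_added_entry() {
cat <<'EOF'
s        184 Mon Jan 01 10:00:00 UTC 2024 META-INF/MANIFEST.MF
         310 Mon Jan 01 10:00:00 UTC 2024 META-INF/SERVER.SF
        6021 Mon Jan 01 10:00:00 UTC 2024 META-INF/SERVER.RSA
           0 Mon Jan 01 10:00:00 UTC 2024 com/example/
sm      2048 Mon Jan 01 10:00:00 UTC 2024 com/example/App.class
         512 Tue Jan 02 09:30:00 UTC 2024 com/example/Added.class

  s = signature was verified
  m = entry is listed in manifest

jar verified.
EOF
}
sample_fully_signed() { sample_with_added_entry | grep -v 'Added\.class'; }

# Reads verify output on stdin; prints each problem and returns 1 if any.
check_verify_output() {
  awk '
    /^[smkiX? ]+[0-9]+ (Mon|Tue|Wed|Thu|Fri|Sat|Sun) / {
      name = $0
      sub(/^[smkiX? ]+[0-9]+ [A-Za-z]+ [A-Za-z]+ [0-9]+ [0-9:]+ [^ ]+ [0-9]+ /, "", name)
      # Directories and signature files are not expected to carry the s flag.
      if (name ~ "/$") next
      if (name ~ "^META-INF/(MANIFEST\\.MF|SIG-[^/]*|[^/]*\\.(SF|RSA|DSA|EC))$") next
      if (substr($0, 1, 1) != "s") { print "UNSIGNED " name; bad = 1 }
      next
    }
    /^jar verified\./  { verified = 1 }
    /^jar is unsigned/ { print "UNSIGNED-JAR"; bad = 1 }
    END {
      if (!verified) { print "NO-VERIFIED-STATUS"; bad = 1 }
      exit bad + 0
    }
  '
}
```

jarsigner also accepts -storepass:env followed by a variable name, which keeps the keystore password out of the command line, and with -strict the exit code of jarsigner -verify reflects severe warnings.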