With the bunch of programming codes and programs found on the Web this days, Code Signing Certificates are fact and necessity. But the people who are end-users or developers are still in process of adjusting the awareness what programs/scripts/code are safe and junk free and should be trusted before running them on local machine. With this little guide I want to help new people which are diving into this area of problems.
Different platforms offer different way for code signing their apps , and in this post I will focus just on Java based systems.
Java web and desktop apps are bound with keystore files that keep the certificate chains signed by Internet authorities. With this technique it is easy to make distinction from trusted to untrusted programs with investment of some time and money.
Generally the process of creating Java keystore that can sign applications(source codes) can be covered in couple of steps that include the client and the certificate issuer:
- The client creates keystore file and generates private and public key pair
- The client exports Code Signing Request from the keys with personal and trustworthy data
- The client sends the CSR to Certificate issuer and waits for approval. Normally it is contacted during pending time.
- Certificate Issuer sends to the client the signed certificate and probably additional intermediate/root chain certificates that need to be included into the keystore.
- The client imports the certificate (probably in pkcs7 format) into the original keystore that was used to generate the keys and CSR with the appropriate alias that was used during the creation of the keystore.
- The keystore is included in Java applications and referenced with the alias so to sign the JARs used in the apps.
However it can happen the client to receive private key that ought to be used, without previously creating a valid keystore and generating key pair within it. This received key was used for generating CSR and certificate request was already sent to authority.
Well at this point it gets confusing what is the next step that should be taken and is it possible this key to be used for creating a new keystore? Some will say it is not possible (and seems logical because keytool doesn’t allow it), you will need to create new keystore and generate key pair and issue a new certificate request with the CSR exported from this keystore key pair. That’s not true though, there is always a way.
Let’s suppose the original request has been approved and you received valid certificate cert.crt. At this point you have private.key and trusted cert.crt.
This files need to be merged and exported into pkcs12 format with the help of libssl library.
openssl pkcs12 -export -in cert.crt -inkey private.key -certfile cert.crt -name <certificate(alias)_name> -out keystore.p12
Next this new generated keystore.p12 should be used to create new keystore in JKS format with the help of keytool from the JDK.
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS
And that’s it voila! We have created keystore in jks format from existing private key.
After we have the keystore needed it is easy to import new certificates if required. Example:
keytool -import -trustcacerts -alias <alias(certificate)_name> -keystore keystore.jks -file <certificate_filename>
That’s it, three commands that will make your life easier.