Ok this will need a lot of patience so please bear with me.
First you need to obtain some certificates from Thawte. Strangely enough that part is easy. Before you begin you will need to install the latest Sun Java Development Kit, obtainable from the Sun download site. It's free. Go get it.
Now all you do is follow these instructions.
Richard Dallaway of www.dallaway.com wrote:
I took a good look at the list of certificate authorities known to Web Start and one stuck out: Thawte Freemail. In particular, the word "free". I chased this down and it is indeed a free (no money) way to get a certificate for code signing.
The steps are simple enough:
Sign up for a "personal email certificate". There are quite a few screens to fill in, but follow the process through up until the point where you're asked to select the X.509 email certificate you want. At that point scroll down to "Developers of New Security Applications ONLY", follow the link and select "Paste-in CSR Certificate Enrollment". There's quite a bit of clicking from this page to get to the page with a text box that allows you to enter your public key. When you get to the "public key" page you need to generate a key with keytool.
Run the Java keytool utility.
First, generate an RSA key. You'll be asked all sorts of information. The important thing to remember is that your name must be set according to the common name you're told to use on the Thawte web site. It'll be something like XVV6ePaMGHEPJN22. When the keytool prompts you to enter your name, enter this value from Thawte. The other important thing to remember is the password you use when you create a key.
Obviously change your "alias" name and the location of the "keystore" file if you like, but run something like this:
keytool -genkey -keyalg RSA -keystore keystore -alias dallaway
Next, export the key to a text file, which in this example is "csr.txt":
keytool -certreq -keystore keystore -file csr.txt -alias dallaway
Take the text of "csr.txt" and paste it into the Thawte form and wait. That's your certificate request. Mine took about 20 minutes to process, and I was notified that it was ready by email.
When you download your certificate, it's in two formats: Netscape and PKCS7. You want to save the PKCS7 version in a file called "my.cert" (or similar) and then run:
keytool -import -file my.cert -alias dallaway -trustcacerts -keystore keystore
Thawte have changed their certificate format, causing the above step to fail. I'm hoping this is a temporary situation that Thawte will fix. In the meantime, if the above import command fails, it could be because of Thawte's change to their file format. Nicolas Carranza has kindly supplied some Java source for fixing the Thawte certificate format problems. I've packaged this as a jar to download. Run it like this:
java -jar thawtecleaner.jar my.cert
and it will create my.cert.clean, which you can then use in the keytool -import command, above.
That's it. You have a certificate that's good for a year, after which it can be renewed.
The thawtecleaner.jar file is here (also attached below).
Now you need to obtain an Email Cert for Microsoft from the same place. Just follow the same instructions, but choose the MS Email path and allow it to be installed for you.
Microsoft is no longer distributing its code signing tools. You might still find versions of them here (also attached below).
When you have all this set up and ready you need to run signcode.exe to sign the cab file, which is pretty self-explanatory. Delete the securedirc.cab, and copy the unsigned-securedirc.cab to securedirc.cab and browse for it with the signcode application. Just select the email cert to sign with. Don't worry. It'll be ok. Make sure you write something that your people will recognize in the description. It will make them trust it better.
In order to sign the jar file you will need to open a command window and CD to the folder with the jar in it. I place the jar in the same folder as the utility, but you can always add it to the path I guess. Then you run a command similar to this:
C:\j2sdk1.4.2_01\bin\jarsigner -keystore C:\j2sdk1.4.2_01\bin\keystore -storepass MyPasswd irc.jar MyAlias
Last edited by Thema on Fri Mar 16, 2007 5:41 pm; edited 5 times in total
| Attachment | Size |
|---|---|
| tools.zip | 112.36 KB |
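
What the jarsigner step in the post leaves inside the jar can be checked independently. The following is an added example, not code from the original post or from Richard Dallaway's instructions: it confirms a META-INF/*.SF signature file is present and recomputes each entry's manifest digest, but it does not validate the PKCS#7 signature or the certificate chain, which `jarsigner -verify` does. The sample jar, its entry names and the placeholder .SF/.RSA bodies are constructed for the example.

```python
import base64, hashlib, io, zipfile

MF = "META-INF/MANIFEST.MF"
ALGS = {"SHA1-Digest": "sha1", "SHA-256-Digest": "sha256"}

def is_signature_related(name):
    # MANIFEST.MF and signature files directly under META-INF/ carry no digest.
    head, _, tail = name.upper().rpartition("/")
    return head == "META-INF" and (tail == "MANIFEST.MF" or tail.endswith((".SF", ".RSA", ".DSA", ".EC")))

def parse_manifest(text):
    """Return {entry name: attributes}; wrapped lines continue with a leading space."""
    text = text.replace("\r\n", "\n").replace("\n ", "")
    entries = {}
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        if "Name" in attrs:
            entries[attrs.pop("Name")] = attrs
    return entries

def check_jar(data):
    """Return a list of problems; an empty list means the digests are consistent."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = [n for n in jar.namelist() if not n.endswith("/")]
        signed = any(is_signature_related(n) and n.upper().endswith(".SF") for n in names)
        problems = [] if signed else ["unsigned: no META-INF/*.SF"]
        manifest = parse_manifest(jar.read(MF).decode("utf-8")) if MF in names else {}
        for name in (n for n in names if not is_signature_related(n)):
            digests = {a: v for a, v in manifest.get(name, {}).items() if a in ALGS}
            if not digests:
                problems.append(f"{name}: no digest in manifest (entry not signed)")
            for attr, expected in digests.items():
                actual = base64.b64encode(hashlib.new(ALGS[attr], jar.read(name)).digest())
                if actual.decode() != expected:
                    problems.append(f"{name}: {attr} mismatch (changed after signing)")
    return problems

def build_sample_jar(tampered=False):
    """Constructed sample in the layout jarsigner produces; .SF/.RSA are placeholders."""
    body = b"class bytes"
    digest = base64.b64encode(hashlib.sha1(body).digest()).decode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(MF, f"Manifest-Version: 1.0\r\n\r\nName: irc/Main.class\r\nSHA1-Digest: {digest}\r\n\r\n")
        jar.writestr("META-INF/MYALIAS.SF", "Signature-Version: 1.0\r\n")
        jar.writestr("META-INF/MYALIAS.RSA", b"placeholder, not a real PKCS#7 block")
        jar.writestr("irc/Main.class", b"patched bytes" if tampered else body)
    return buf.getvalue()
```

To check a real file, pass its bytes: `check_jar(open("irc.jar", "rb").read())`.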