Java Rich Internet Applications Guide > Security > Signing Applets Using RSA Certificates
Introduction
Signing Tools
Getting RSA Certificates
Getting Certificates With Jarsigner
Bundling Java Applets as JAR Files
Signing Java Applets
Signing Applets Using jarsigner
Signing Applets Using Netscape Signing Tool
Converting Old Netscape-Signed Applets
Microsoft Authenticode
Common Problems
Introduction
RSA-signed applets are supported to make deployment of signed applets easier.
However, signing applets through RSA is still difficult for most novice applet
developers and prevents them from taking full advantage of this Java Plug-in
feature. This document provides step-by-step instructions for signing applets using
RSA certificates, allowing novice applet developers to sign their applets without
having to wade through the many complex security issues involved.
Signing an applet with RSA requires the following:
Signing tools
An RSA keypair and a certificate chain for the public key
The applet and all its class files, bundled as JAR files
Signing Tools
Java Plug-in supports the format of the following tools for signing applets using
RSA:
Use keytool to generate an RSA keypair (using the "-genkey -keyalg rsa" options).
Make sure your distinguished name contains all the components mandated by
VeriSign/Thawte. For example:
C:\Program Files\Java\jdk1.8.0\bin\keytool -genkey -keyalg rsa -alias MyCert
Enter keystore password: *********
What is your first and last name?
[Unknown]: XXXXXXX YYY
What is the name of your organizational unit?
[Unknown]: Example Software
What is the name of your organization?
[Unknown]: New Technology Company
What is the name of your City or Locality?
[Unknown]: Cupertino
What is the name of your State or Province?
[Unknown]: CA
What is the two-letter country code for this unit?
[Unknown]: US
Is <CN=XXXXXXX YYY, OU=Example Software, O=New Technology Company,
L=Cupertino, ST=CA, C=US> correct?
[no]: yes
You must use the same alias name for all the above steps or no alias name, in which
case the alias name defaults to "mykey".
Use jarsigner to sign the JAR file, using the RSA credentials in your keystore that
were generated in the previous steps. Make sure the same alias name is specified.
E.g.,
C:\Program Files\Java\jdk1.8.0\bin\jarsigner C:\TestApplet.jar MyCert
Enter Passphrase for keystore: ********
Use "jarsigner -verify -verbose -certs" to verify the JAR file. E.g.,
C:\Program Files\Java\jdk1.8.0\bin\jarsigner -verify -verbose -certs d:\TestApplet.jar
jar verified.
Your applet has been signed properly. You are now ready to deploy your RSA signed
applet.
Signing Applets Using Netscape Signing Tool
To sign applets using signtool, follow these steps:
Use "signtool -L" to determine the certificate nickname that should be used in
signing. E.g.,
C:\signtool13WINNT40\signtool -L -d a:\cert
using certificate directory: a:\cert
S Certificates
- ------------
AT&T Certificate Services
Thawte Personal Premium CA
GTE CyberTrust Secure Server CA
Verisign/RSA Commercial CA
AT&T Directory Services
BelSign Secure Server CA
BelSign Class 1 CA
GTIS/PWGSC, Canada Gov. Web CA
Thawte Personal Freemail CA
Thawte Server CA
GTIS/PWGSC, Canada Gov. Secure CA
MCI Mall CA
VeriSign Class 3 Primary CA
VeriSign Class 4 Primary CA
KEYWITNESS, Canada CA
BelSign Class 2 CA
BelSign Object Publishing CA
* Sun Microsystems, Inc.
VeriSign Class 3 CA - Commercial Content/Software
Publisher - VeriSign, Inc.
Verisign/RSA Secure Server CA
VeriSign Class 1 Primary CA
BBN Certificate Services CA Root 1
Thawte Personal Basic CA
* Sun Microsystems, Inc.'s VeriSign, Inc. ID
CertiSign BR
VeriSign Class 2 Primary CA
Canada Post Corporation CA
Integrion CA
IBM World Registry CA
BelSign Class 3 CA
Uptime Group Plc. Class 1 CA
Uptime Group Plc. Class 2 CA
Thawte Premium Server CA
Uptime Group Plc. Class 3 CA
GTE CyberTrust Root CA
Uptime Group Plc. Class 4 CA
- ------------
Signer information:
Converting Old Netscape-Signed Applets
To migrate Netscape-signed applets that use the Netscape security APIs so that they run
in Java Plug-in:
Comment out or remove all netscape.security.*-related statements from the Java applet.
Compile and archive the applet as a JAR file.
Re-sign the JAR file using Object Signing.
This ensures that an RSA-signed applet will run in both Netscape Navigator and
Internet Explorer with Java Plug-in.
Microsoft Authenticode
Authenticode is a proprietary signing technology used in Microsoft Internet
Explorer on Win32 for supporting signed applets in IE's JVM. Authenticode is not
supported in Java Plug-in. Instead, the Java Plug-in supports use of RSA signed
applets in both IE and Netscape.
Common Problems
If the JAR file is not signed properly, if the RSA certificate has expired, or if
the RSA certificate is a self-generated, self-signed certificate, Java Plug-in may
fail silently and not pop up the security dialog. The applet will be treated as
unsigned.
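Because the Plug-in gives no dialog in these cases, it helps to catch them before deployment. The following program is an added example written for this page (not part of the guide or of the JDK): it opens a signed applet JAR and reports the three conditions above, unsigned entries, an expired or not-yet-valid signer certificate, and a self-signed signer certificate. The class name and the invocation `java JarSignatureCheck TestApplet.jar` are assumptions, and it does not build the chain to a trusted root CA the way Java Plug-in does.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example (not from the guide). Assumed usage: java JarSignatureCheck TestApplet.jar
public class JarSignatureCheck {
    public static void main(String[] args) throws Exception {
        boolean ok = true;
        // verify=true: JarFile checks every entry against the manifest digests as it is read
        try (JarFile jar = new JarFile(args[0], true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signers are populated only after the entry is fully read; a tampered entry
                // throws SecurityException here instead of verifying.
                try (InputStream in = jar.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* consume */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) {          // problem 1: entry was never signed
                    System.out.println("UNSIGNED: " + e.getName());
                    ok = false;
                    continue;
                }
                for (CodeSigner s : signers) {
                    java.util.List<? extends java.security.cert.Certificate> chain = s.getSignerCertPath().getCertificates();
                    X509Certificate leaf = (X509Certificate) chain.get(0);
                    try {
                        leaf.checkValidity();   // problem 2: certificate expired / not yet valid
                    } catch (CertificateException ex) {
                        System.out.println("BAD VALIDITY PERIOD: " + e.getName() + " -> " + ex.getMessage());
                        ok = false;
                    }
                    // problem 3: self-generated, self-signed certificate (lone cert, issuer == subject)
                    if (chain.size() == 1 && leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
                        System.out.println("SELF-SIGNED: " + leaf.getSubjectX500Principal());
                        ok = false;
                    }
                }
            }
        }
        System.out.println(ok ? "jar verified." : "jar NOT ready: Java Plug-in would treat the applet as unsigned");
        System.exit(ok ? 0 : 1);
    }
}
```

The exit status (0 only when every entry is signed by a CA-issued certificate that is within its validity period) makes the check usable as a gate in a build script before the JAR is published.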