How To Sign a Java Applet

The purpose of this document is to document the steps required to sign and use an applet using a self-signed cert or a CA-authorized cert in the JDK 1.3 plugin. The original 9 steps of this process were posted by user irene67 on Sun's message forum: http://forums.java.sun.com/thread.jsp?forum=63&thread=132769

-----begin irene67's original message

These steps describe the creation of a self-signed applet. This is useful for testing purposes. For use of publicly reachable applets, a "real" certificate issued by an authority like VeriSign or Thawte will be needed. (See step 10 - no user will import and trust a self-signed applet from an unknown developer.) The applet needs to run in the plugin, as only the plugin is platform- and browser-independent. And without this independence, it makes no sense to use Java...

1. Create your code for the applet as usual. It is not necessary to set any permissions or use security managers in the code.

2. Install JDK 1.3. Path for use of the following commands: [jdk 1.3 path]\bin\ (commands are keytool, jar, jarsigner). Password for the keystore is any password. Only Sun knows why... perhaps ;-)

3. Generate key:

   keytool -genkey -keyalg rsa -alias tstkey
   Enter keystore password: *****
   What is your first and last name?
     [Unknown]: Your Name
   What is the name of your organizational unit?
     [Unknown]: YourUnit
   What is the name of your organization?
     [Unknown]: YourOrg
   What is the name of your City or Locality?
     [Unknown]: YourCity
   What is the name of your State or Province?
     [Unknown]: YS
   What is the two-letter country code for this unit?
     [Unknown]: US
   Is CN=Your Name, OU=YourUnit, O=YourOrg, L=YourCity, ST=YS, C=US correct?
     [no]: yes
   (wait...)
   Enter key password for tstkey (RETURN if same as keystore password): (press [enter])

4. Export key:

   keytool -export -alias tstkey -file tstcert.crt
   Enter keystore password: *****
   Certificate stored in file tstcert.crt

5. Create JAR:

   jar cvf tst.jar tst.class
   added manifest
   adding: tst.class(in = 849) (out= 536)(deflated 36%)

   Add all classes used in your project by typing the classnames in the same line.

6. Verify JAR:

   jar tvf tst.jar
       Thu Jul 27 12:58:28 GMT+02:00 2000 META-INF/
    68 Thu Jul 27 12:58:28 GMT+02:00 2000 META-INF/MANIFEST.MF
   849 Thu Jul 27 12:49:04 GMT+02:00 2000 tst.class

7. Sign JAR:

   jarsigner tst.jar tstkey
   Enter Passphrase for keystore: *****

8. Verify Signing:

   jarsigner -verify -verbose -certs tst.jar
          130 Thu Jul 27 13:04:12 GMT+02:00 2000 META-INF/MANIFEST.MF
          183 Thu Jul 27 13:04:12 GMT+02:00 2000 META-INF/TSTKEY.SF
          920 Thu Jul 27 13:04:12 GMT+02:00 2000 META-INF/TSTKEY.RSA
              Thu Jul 27 12:58:28 GMT+02:00 2000 META-INF/
   smk    849 Thu Jul 27 12:49:04 GMT+02:00 2000 tst.class

     X.509, CN=Your Name, OU=YourUnit, O=YourOrg, L=YourCity, ST=YS, C=US (tstkey)

     s = signature was verified
     m = entry is listed in manifest
     k = at least one certificate was found in keystore
     i = at least one certificate was found in identity scope

   jar verified.

9. Create HTML-File for use of the Applet by the Sun Plugin 1.3 (recommended to use HTML Converter Version 1.3)

10. (Omitted See Below)

-----end irene67's original message
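The META-INF/MANIFEST.MF, TSTKEY.SF and TSTKEY.RSA entries that step 8 lists are what jarsigner's 'm' and 's' columns are built on. The following added example (not from irene67's post or the JDK; Python standard library only) constructs a jar in that layout and re-runs the digest chain behind those checks, so you can see what a class left out of the manifest, or an entry altered after signing, looks like to a verifier. It assumes CRLF line endings with no continuation lines, a stub in place of the PKCS#7 .RSA block, and its own 'm'/'f' flags, since the RSA signature over the .SF is not checked.

```python
import base64, hashlib, io, zipfile

def b64sha1(data: bytes) -> str:  # base64(SHA-1): the value JDK 1.3 writes as SHA1-Digest
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def build_signed_jar(files: dict, unlisted=(), replaced=None, signer="TSTKEY") -> bytes:
    # Constructed JAR in the MANIFEST.MF / <signer>.SF layout jarsigner writes. `unlisted`
    # names are packed but never digested (an unsigned class); `replaced` entries are digested
    # from `files` but stored with other bytes (a jar altered after signing). .RSA is a stub.
    sec = {n: f"Name: {n}\r\nSHA1-Digest: {b64sha1(d)}\r\n\r\n"
           for n, d in files.items() if n not in unlisted}
    mf = "Manifest-Version: 1.0\r\n\r\n" + "".join(sec.values())
    sf = (f"Signature-Version: 1.0\r\nSHA1-Digest-Manifest: {b64sha1(mf.encode())}\r\n\r\n"
          + "".join(f"Name: {n}\r\nSHA1-Digest: {b64sha1(s.encode())}\r\n\r\n" for n, s in sec.items()))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", mf)
        z.writestr(f"META-INF/{signer}.SF", sf)
        z.writestr(f"META-INF/{signer}.RSA", b"PLACEHOLDER-PKCS7-BLOCK")
        for n, d in files.items():
            z.writestr(n, (replaced or {}).get(n, d))
    return buf.getvalue()

def sections(text: str) -> list:
    # Split a manifest-style file into (raw section incl. its blank line, attributes) pairs
    return [(raw + "\r\n\r\n", dict(ln.split(": ", 1) for ln in raw.split("\r\n")))
            for raw in text.split("\r\n\r\n") if raw]

def verify_jar(jar: bytes, signer="TSTKEY") -> dict:
    # Walk the digest chain behind jarsigner -verify: 'm' = entry listed in the manifest with
    # a matching SHA1-Digest, 'f' = that manifest section is covered by <signer>.SF and the
    # .SF's SHA1-Digest-Manifest matches. Checking .RSA over the .SF needs the cert; omitted.
    with zipfile.ZipFile(io.BytesIO(jar)) as z:
        mf = z.read("META-INF/MANIFEST.MF").decode()
        msec, ssec = sections(mf), sections(z.read(f"META-INF/{signer}.SF").decode())
        mf_ok = ssec[0][1].get("SHA1-Digest-Manifest") == b64sha1(mf.encode())
        sf_dig = {a["Name"]: a["SHA1-Digest"] for _, a in ssec[1:]}
        listed = {a["Name"]: (raw, a["SHA1-Digest"]) for raw, a in msec[1:]}
        report = {}
        for name in (n for n in z.namelist() if not n.startswith("META-INF/")):
            flags = ""
            if name in listed and listed[name][1] == b64sha1(z.read(name)):
                flags += "m"
                if mf_ok and sf_dig.get(name) == b64sha1(listed[name][0].encode()):
                    flags += "f"
            report[name] = flags
    return report

SAMPLE = {"tst.class": b"\xca\xfe\xba\xbe" + bytes(12), "Helper.class": b"\xca\xfe\xba\xbe" + bytes(range(12))}  # constructed input
GOOD = build_signed_jar(SAMPLE, unlisted={"Helper.class"})  # Helper.class is packed but never listed, like a class from an unsigned jar
```

verify_jar(GOOD) reports tst.class as "mf" and Helper.class with no flags; rebuilding with replaced={"tst.class": ...} shows how a post-signing change drops the 'm' flag.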
To make the plug-in work for any browser you have two options with the JDK 1.3 plugin.

1) Export a cert request using the key tool and send it to a CA verification source like VeriSign.

   To export request:  keytool -certreq -alias tstkey -file tstcert.req

   When the response comes back, import it into the keystore, overwriting the original cert for the generated key.

   To import response:  keytool -import -trustcacerts -alias tstkey -file careply.crt

   An applet signed with a cert that has been verified by a CA source will automatically be recognized by the plugin. The user can choose to activate it if he/she chooses.

2) For development or otherwise, you may want to just use your self-signed certificate. In that case, the JDK 1.3 plugin will recognize all certs that have a root cert located in the JDK 1.3 cacerts keystore. This means you can import your test certificate into this keystore and have the plugin recognize your jars when you sign them.

   To import a self-signed certificate into the cacerts keystore, change directory to where the JDK plugin keystore is located:

   For JDK 1.3.0_02:  C:\Program Files\JavaSoft\JRE\1.3.0_02\lib\security
   For JDK 1.3.1:     C:\Program Files\JavaSoft\JRE\1.3.1\lib\security

   Import your self-signed cert into the cacerts keystore:

   keytool -import -keystore cacerts -storepass changeit -file tstcert.crt

   (the password is literally 'changeit')

After that, regardless of which method you use, the applet should be recognized as coming from a signed jar. If your applet uses classes from multiple jars, for example Apache's Xerces parser, you will need to sign those jars as well to allow them to execute in the client's browser. Otherwise, only the classes coming from the signed jar will work with the java.security.AllPermission setting, and all other classes from unsigned jars will run in the sandbox.
NOTE: Unless otherwise specified by the -keystore option in all keytool and jarsigner operations, the keystore file used is named '.keystore' in the user's home directory. The first time any keystore is accessed (including the default) it will be created and secured with the first password given by the user. There is no way to figure out the password if you forget it, but you can delete the default file and recreate it if necessary. For most operations, using the -keystore option is safer, to keep from cluttering or messing up your default keystore.