Copyright © 2004, 2005 TJ
The GNU General Public License version 2 or later applies to my ExportPrvKey.class. See http://www.gnu.org/licenses/gpl.html
Here's how to get and use a code-signing Thawte digital certificate to sign your Java JAR and Microsoft CAB, EXE, DLL, VBScript, etc. code, and to create trusted applets for downloading over the Internet. It also covers converting the Java JKS key-store to P12/Microsoft PFX (Personal Information Exchange) format, so that the same certificate can be used for both Java JAR files and Microsoft CAB files.
This allows software authors to increase the range of activities the Java Security Manager will permit.
| << Generate a Certificate Signing Request | Import Thawte Certificate to Sun Java JKS Key-store | Convert Sun Java JKS Keystore to Microsoft PFX format >> |
|---|
Once the certificate has been issued you can download it. To do that click on the Generic X509 Type link to the left of the issued status. The link isn't obvious because Thawte haven't allowed the browser to underline it.

You'll see a Certificate Summary. If you're happy then press the fetch button.

Depending on your browser the downloaded file may be displayed in another application. It is pure text and you can see here that Firefox is displaying the text file.

Save this text by choosing File menu, Save Page As... and calling the file CodeSigning-Thawte.txt

You should see the file in the CodeSigning folder. Make sure it's there and you can open and see its contents before you close the browser window!

Open CodeSigning-Thawte.txt in Notepad by double-clicking the file. If you scan down the entire file you'll discover the certificate is provided in two formats, Netscape Cert Sequence and 'degenerate' PKCS7 SignedData. We only want the PKCS7 format certificate.

Delete everything but the PKCS7 certificate. Make sure to keep the BEGIN and END tags and everything in-between. Don't edit the certificate or reformat the data, or it will be unusable.

`-----BEGIN PKCS #7 SIGNED DATA-----`
through to
`-----END PKCS #7 SIGNED DATA-----`

Save the edited certificate under a new filename by choosing File menu, Save As... and calling the new file CodeSigning-PKCS7.txt.
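
The Notepad step above can also be done by script, which avoids accidentally editing or re-wrapping the certificate text. The following is an added example, not part of the original guide and not a replacement for thawtecleaner.jar: it pulls out the single PKCS #7 block unchanged and confirms that it still decodes as PKCS #7 SignedData. The sample input and its "CONSTRUCTED OTHER FORMAT" markers are made up for the demonstration; only the PKCS #7 markers come from this page.

```python
import base64
import re

BEGIN = "-----BEGIN PKCS #7 SIGNED DATA-----"
END = "-----END PKCS #7 SIGNED DATA-----"
# DER bytes of the PKCS #7 signedData content-type OID 1.2.840.113549.1.7.2
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")


def extract_pkcs7(text):
    """Return the one PKCS #7 block, markers included, body untouched."""
    starts = [m.start() for m in re.finditer(re.escape(BEGIN), text)]
    ends = [m.end() for m in re.finditer(re.escape(END), text)]
    if len(starts) != 1 or len(ends) != 1 or ends[0] < starts[0]:
        raise ValueError("expected exactly one PKCS #7 SIGNED DATA block")
    return text[starts[0]:ends[0]] + "\n"


def check_pkcs7(block):
    """Decode the block strictly and confirm it is PKCS #7 SignedData.

    Returns the DER length; raises ValueError if the text was damaged.
    """
    body = block.split(BEGIN, 1)[1].split(END, 1)[0]
    der = base64.b64decode("".join(body.split()), validate=True)
    if not der or der[0] != 0x30:  # outer ASN.1 SEQUENCE tag
        raise ValueError("not DER: missing outer SEQUENCE")
    if SIGNED_DATA_OID not in der[:16]:  # OID directly follows the length
        raise ValueError("not a PKCS #7 SignedData structure")
    return len(der)


def build_sample():
    """Constructed stand-in for CodeSigning-Thawte.txt (not a real certificate)."""
    der = bytes.fromhex("300f") + SIGNED_DATA_OID + bytes.fromhex("a0023000")
    b64 = base64.b64encode(der).decode()
    return ("-----BEGIN CONSTRUCTED OTHER FORMAT-----\nAAAA\n"
            "-----END CONSTRUCTED OTHER FORMAT-----\n\n"
            f"{BEGIN}\n{b64}\n{END}\n")


if __name__ == "__main__":
    block = extract_pkcs7(build_sample())
    print(block, end="")
    print("DER bytes:", check_pkcs7(block))
    # With the real download, read CodeSigning-Thawte.txt, run the same two
    # calls, and write the block unchanged to CodeSigning-PKCS7.txt.
```
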

To make things easier (and save me having to redo this part of the guide!) copy the thawtecleaner.jar tool from the KeyTool folder to the CodeSigning folder.

The 'degenerate' PKCS7 format certificate from Thawte will not import into the Java key-store using keytool.exe without first being 'cleaned' up. To clean it use the following command:

```
java -jar thawtecleaner.jar CodeSigning-PKCS7.txt
```

thawtecleaner.jar will create a new, cleaned, version of the certificate suitable for importing into the Java key-store. The new file has the extension .clean added.

At last we're ready to import the certificate into the Java key-store.

```
keytool -import -trustcacerts -keystore CodeSigning.jks -alias CodeSigning -file CodeSigning-PKCS7.txt.clean
```

The key can now be used by jarsigner.exe to sign JAR files.
If you have any comments or simply find this guide a useful time-saver I'd welcome hearing from you. You can email me at codesigning@tjworld.net.
© Copyright 2004, 2005 TJ. You are welcome to link directly to this article and make a non-public personal copy (not redistributed or republished). The article must remain in XHTML form (mustn't be converted to proprietary formats such as PDF or DOC). If you would like to include it in a commercial service (e.g. a subscription or advertiser-supported web site) please ask.