Convert the Java JKS key-store to Microsoft PFX format

Copyright © 2004, 2005 TJ

The GNU General Public License version 2 or later applies to my ExportPrvKey.class. See http://www.gnu.org/licenses/gpl.html

Here's how to get and use a code-signing Thawte digital certificate to sign your Java JAR and Microsoft CAB, EXE, DLL, VBscript, etc. code, to create trusted applets for downloading over the Internet, and to convert the Java JKS key-store to P12/Microsoft PFX (Personal Information Exchange) format to share the same certificate with Java JAR files and Microsoft CAB files.

This allows software authors to increase the range of activities the Java Security Manager will permit.

Contents

• Overview
• Download and Install Tools
• Personal Freemail account at Thawte
• Request a Free Test Certificate
• Create a New Java Key/Certificate Pair
• Generate a Certificate Signing Request
• Import Thawte Certificate to Sun Java JKS Key-store
• Convert Sun Java JKS Keystore to Microsoft PFX format
• Import Key & Certificate to Microsoft Key-store
• Sign a Java JAR File
• Sign a Microsoft CAB file
• Observations

Request a Free Test Certificate

Now you've decided which email address to use, choose the certificates manager.

Choose request a certificate.

Choose Developers of New Security Applications ONLY and press the test button.

Choose Paste-in CSR Certificate Enrollment and press the test button.

Choose Employment Information if applicable, then press the test button.

Select the email address you want to include in the certificate, then press the next button.

Read the blurb but in most cases you won't be certified as a member of any Extranets, so just press the next button.

Choose Accept Default Extensions by pressing the accept button.

Thawte is now waiting for you to generate a Certificate Signing Request. The certificate MUST use the common name issued by Thawte, which is unique for every certificate requested. Thawte shows the common name you must use when creating the new digital certificate in point 2 of the dialog above. Here's mine in high-lighted close-up; remember that yours will be different:

If you were applying for a real code-signing certificate Thawte would request a valid domain name as the common name. In my case that would be tjworld.net, for example.

If you have any comments or simply find this guide a useful time-saver I'd welcome hearing from you. You can email me at codesigning@tjworld.net.

© Copyright 2004, 2005 TJ. You are welcome to link directly to this article and make a non-public personal copy (not redistributed or republished). The article must remain in XHTML form (mustn't be converted to proprietary formats such as PDF or DOC). If you would like to include it in a commercial service (e.g. a subscription or advertiser-supported web site) please ask.