Convert the Java JKS key-store to Microsoft PFX format

Copyright © 2004, 2005 TJ

The GNU General Public License version 2 or later applies to my ExportPrvKey.class. See http://www.gnu.org/licenses/gpl.html

Here's how to get a code-signing Thawte digital certificate and use it to sign your Java JAR and Microsoft CAB, EXE, DLL, VBScript, etc. code to create trusted applets for downloading over the Internet. It also shows how to convert the Java JKS key-store to P12/Microsoft PFX (Personal Information Exchange) format, so that the same certificate can be shared between Java JAR files and Microsoft CAB files.

This allows software authors to increase the range of activities the Java Security Manager will permit.


Overview

Code-signing has become more important for software authors as their code becomes more sophisticated. They need to provide the user of their software with proof of their identity and, hopefully, their trustworthiness.

This guide is designed for competent developers who are already familiar with Java software development, and the basics of digital certificates.

In this guide I've shown how you can obtain a single free TEST digital certificate from Thawte that you can use to sign code in JAR and CAB archives, using Sun-Java and Microsoft tools. Note that the certificate issued by Thawte doesn't have the object-signing role and therefore is only useful in development testing.

For real-world applications you'll have to buy a certificate from Thawte, Comodo, GlobalSign, InstantSSL, or others. The costs vary greatly so I recommend shopping around and asking questions. In particular, pay attention to the way the company verifies your identity: several of the certificate issuers will only issue code-signing certificates to incorporated businesses, not individuals.

I've written a small Java program called ExportPrvKey.class that will export a private key from a Sun Java JKS key-store, and a DOS batch file JKS2PFX.bat that runs several tools to export, convert, and join a private key and public certificate in one P12 format PFX file.

Aside from the time taken to apply for and receive the digital certificate, using these tools it will take less than five minutes to make a new certificate usable by Java's jarsigner.exe and Microsoft's signcode.exe.
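The same export-and-join step can be sketched with the standard java.security.KeyStore API. This is an added example, not the author's ExportPrvKey.class or JKS2PFX.bat; the class name JksToPfx and its argument order are assumptions, and it assumes a JDK whose PKCS12 provider can write key entries.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.util.Arrays;

// Added example (hypothetical class name): copies one private-key entry and its
// certificate chain from a JKS key-store into a PKCS#12 (.pfx) file.
public class JksToPfx {
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java JksToPfx <in.jks> <alias> <out.pfx>");
            System.exit(2);
        }
        Console con = System.console();
        if (con == null) throw new IllegalStateException("run from an interactive console");
        // Prompt for secrets so they never appear in the process list or shell history.
        char[] storePass = con.readPassword("JKS store password: ");
        char[] keyPass = con.readPassword("Key password for '%s': ", args[1]);
        char[] pfxPass = con.readPassword("New PFX password: ");
        if (storePass == null || keyPass == null || pfxPass == null)
            throw new IllegalStateException("password input was closed");
        try {
            KeyStore jks = KeyStore.getInstance("JKS");
            try (InputStream in = new FileInputStream(args[0])) {
                jks.load(in, storePass); // the password also verifies store integrity
            }
            if (!jks.isKeyEntry(args[1]))
                throw new IllegalArgumentException("alias is not a key entry: " + args[1]);
            Key key = jks.getKey(args[1], keyPass);
            Certificate[] chain = jks.getCertificateChain(args[1]);
            if (!(key instanceof PrivateKey) || chain == null || chain.length == 0)
                throw new IllegalStateException("need a private key with a certificate chain");
            KeyStore pfx = KeyStore.getInstance("PKCS12");
            pfx.load(null, null); // start from an empty in-memory store
            // The same password protects both the key entry and the PFX file.
            pfx.setKeyEntry(args[1], key, pfxPass, chain);
            try (OutputStream out = new FileOutputStream(args[2])) {
                pfx.store(out, pfxPass);
            }
        } finally {
            // Wipe the password buffers once the conversion is done.
            for (char[] p : new char[][] {storePass, keyPass, pfxPass}) Arrays.fill(p, '\0');
        }
    }
}
```

The resulting PFX file holds the signing private key, so give it a strong password and restrict who can read it.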

If you have any comments or simply find this guide a useful time-saver I'd welcome hearing from you. You can email me at codesigning@tjworld.net.

© Copyright 2004, 2005 TJ. You are welcome to link directly to this article and make a non-public personal copy (not redistributed or republished). The article must remain in XHTML form (mustn't be converted to proprietary formats such as PDF or DOC). If you would like to include it in a commercial service (e.g. a subscription or advertiser-supported web site) please ask.