Topic - (1) Using keytool to generate a public-private key pair. The first step in configuring a VT Display session for SSH client authentication using a public key is to use the keytool program to generate a public-private key pair. Keytool is a multipurpose utility program for managing keys, included in the Java 2 Version 1.4 JRE and distributed with Host On-Demand.
Java Keytool Tutorial Step 1: Create JKS File using Java KeyTool. To create a keystore in JKS format, we will use keytool with the genkey option as below, where we specify the alias, the algorithm to be used, and the name of the keystore file along with the location where it needs to be saved.
Java Code Signing JKS Method - Certificate Generation and Installation
keytool -list -v -keystore keystore.jks
If you are generating this for ThinkFree Office there is one more step. Go to the System tab Https Certification. Next to KeyStore (JKS) File click Browse and select the keystore.jks file we just created.
Article Purpose: This article provides step-by-step instructions on how to generate and install a certificate for Java Code Signing.
Note: This guide is for reissues of Code Signing orders placed before February 1, 2017. For new or renewal orders placed after February 1, 2017, please view the token-based guide found here.
Instructions
Once you have received the email with the subject 'Certificate Download Ready - ORDERID: Code Signing For Sun Java Certificate for Company Name' you will be asked for a Certificate Signing Request (CSR). Using keytool, you will need to generate a new keystore.
- To generate a new keystore use the following command as an example:
keytool -genkey -alias codesigningcert -keyalg RSA -keysize 2048 -keystore globalsign.jks
- You will then be asked for the following details:
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: Your Company Name
What is the name of your organizational unit?
[Unknown]: Department
What is the name of your organization?
[Unknown]: Company Name
What is the name of your City or Locality?
[Unknown]: City
What is the name of your State or Province?
[Unknown]: State/County
What is the two-letter country code for this unit?
[Unknown]: Country
Is CN=Your Company Name, OU=Department, O=Company Name, L=City, ST=County, C=Country correct?
[no]: yes
Enter key password for codesigningcert
(RETURN if same as keystore password):
- You have now created the keystore with the relevant key and certificate information you need to create a CSR. This can be done with the following command. Note: Ensure you specify the alias for the key.
keytool -certreq -alias codesigningcert -file codesigningcert.csr -keystore globalsign.jks
Enter keystore password:
- The CSR has now been generated. Open the CSR with Notepad, or any text editing software, and paste it on the pick up page that you received via email.
- On the last page you will be presented with 2 downloads. Click to Download both.
It is recommended to download the GlobalSign Root CA certificate, which can be obtained from the Root Certificate Support Article. Please note that the Root certificate required will vary depending on the hashing algorithm of your certificate: if you have a SHA-1 certificate you will need Root-R1.crt; if you have a SHA-256 certificate (Issued 03/31/2014 & After) you will need Root-R3.crt.
- You will now have three downloaded files. The next step is to import these using keytool. Use the following commands:
keytool -import -v -trustcacerts -alias root -file Root-R1.crt -keystore globalsign.jks
Enter keystore password:
Certificate already exists in system-wide CA keystore under alias globalsignca
Do you still want to add it to your own keystore? [no]: yes
Certificate was added to keystore
[Storing globalsign.jks]
keytool -import -v -trustcacerts -alias intermediate -file intermediate1.cer -keystore globalsign.jks
Enter keystore password:
Certificate was added to keystore
[Storing globalsign.jks]
When importing your certificate, it is very important that you specify the same alias as the private key; otherwise you will get 'Certificate added to keystore' instead of the following:
keytool -import -trustcacerts -alias codesigningcert -file OS2013********.cer -keystore globalsign.jks
Enter keystore password:
Certificate reply was installed in keystore
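The alias check described above can also be confirmed afterwards from the output of keytool -list -v. The script below is an added example, not part of the original article; it assumes the usual listing fields (Alias name, Entry type, Certificate chain length), and the sample listings and the alias mycert are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original article): decide from `keytool -list -v`
# output whether the CA reply was installed on the private key entry.
# Real use: keytool -list -v -keystore globalsign.jks | check_reply_installed codesigningcert

check_reply_installed() {
    # $1 = alias of the key pair; the keytool listing is read from stdin.
    awk -v want="$1" '
        /^Alias name: /               { alias = substr($0, 13); next }
        alias != want                 { next }
        /^Entry type: /               { etype = substr($0, 13) }
        /^Certificate chain length: / { chain = substr($0, 27) + 0 }
        END {
            if (etype == "")                { print "alias not found"; exit 2 }
            if (etype != "PrivateKeyEntry") { print "not a private key entry: " etype; exit 1 }
            if (chain < 2)                  { print "self-signed only, reply not installed"; exit 1 }
            print "reply installed, chain length " chain
        }'
}

# Constructed sample listings, trimmed to the fields the check reads.
sample_reply_installed() {
cat <<'EOF'
Alias name: root
Entry type: trustedCertEntry

Alias name: codesigningcert
Entry type: PrivateKeyEntry
Certificate chain length: 3
EOF
}

# Reply imported under a different alias: the key entry keeps its
# self-signed certificate and the reply becomes a separate trusted cert.
sample_wrong_alias() {
cat <<'EOF'
Alias name: codesigningcert
Entry type: PrivateKeyEntry
Certificate chain length: 1

Alias name: mycert
Entry type: trustedCertEntry
EOF
}

sample_reply_installed | check_reply_installed codesigningcert || true
sample_wrong_alias     | check_reply_installed codesigningcert || true
```

A key entry that still shows a chain length of 1 will sign with the self-signed certificate, so run this check before jarsigner.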
You have successfully imported the required certificates. You are now ready to start signing your Java applets. There are a few methods of signing, either using the GlobalSign Code Signing Tool or directly with the jarsigner as shown below:
Hierarchy | Command |
R3 | jarsigner -keystore globalsign.jks -tsa http://timestamp.globalsign.com/tsa/advanced codesigner.jar 'codesigningcert' |
R6 | jarsigner -keystore globalsign.jks -tsa http://timestamp.globalsign.com/tsa/r6advanced1 codesigner.jar 'codesigningcert' |
You will have successfully signed your Java application, including a timestamp. If you experience issues, please run the above command again but include -verbose within the command to see any errors. You can also verify whether you have signed your file using the following command:
jarsigner -verify codesigner.jar
jar verified.
Additional Resources:
Java Development Kit: http://www.oracle.com/technetwork/java/javase/downloads/index.html