How to sign Applets???

Steps for Signing an applet
Requirements:
A suitable version of the Java2 SDK [Windows / Linux / Solaris SPARC] will be required. The latest version can be downloaded from
http://www.javasoft.com/j2se/1.3
The keytool, jar and jarsigner tools from the SDK will be used in the code signing process.
Steps Involved:
1. Generating the public/private key pair
From the bin directory of the jdk installation, invoke the keytool to generate the key pair as follows:

/usr/jdk1.3/bin/keytool -genkey -keyalg rsa -alias <keyalias>

where /usr/jdk1.3 should be modified to point to the actual jdk1.3 installation directory.
If this is the first time the tool is being run, the user will be asked to enter a new password for the keystore being created. The password must be at least 6 characters in length. Note that keytool does not mask passwords: anything entered is visible on screen as typed, so this should be done privately.
After entering the password, the user is prompted for the corporate information:
  - His first and last name
  - Name of the organizational unit
  - Name of the organization
  - Name of the City / Locality
  - Name of the State / Province
  - Two-letter country code for the organizational unit
After entering this information, the user is shown it again and must confirm it. A password is then entered for the key-pair being generated.
The key-pair is now generated and stored in a file named ".keystore" in the home directory of the user, which will be something like
/usr/usr1

The same can be verified by typing the following command:
/usr/jdk1.3/bin/keytool -list

The key-pairs available within the keystore, including the one generated above will be listed.
2. Generating the Code Signing Digital ID Signing Request (CSR)
The CSR for the key-pair generated above can be created using the following command:
/usr/jdk1.3/bin/keytool -certreq -alias <keyalias>

After prompting the user for the keystore password, the request generated will look something like this:
-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----

The request text, excluding the first and last lines, is copied exactly as it is and pasted into the online application form on the Verisign site.
3. Applying for the Digital ID at Verisign
The online application process is initiated by going to the following url:

   http://www.verisign.com/products/signing/index.html

"Sun Java Signing Digital ID" is chosen as the product type and the "buynow" link for the CodeSigner Standard package is clicked. The CSR is pasted here; providing other information such as contacts, payment mode, etc. completes the application process.
4. Importing the Digital ID
Once the signing id is received from Verisign along with the confirmation email, the same needs to be imported into the local keystore with the following command.
/usr/jdk1.3/bin/keytool -import -alias <keyalias> -file <filename.cer>

5. Signing the applet
The applet code is then bundled into a jar file. The jar file is signed using the following command:
/usr/jdk1.3/bin/jarsigner /usr/home/jars/UserFTP.jar <keyalias>

The signing process is verified by issuing the following command:
/usr/jdk1.3/bin/jarsigner -verify -verbose -certs /usr/home/jars/UserFTP.jar

When the signed JAR file is downloaded, the Java Runtime Environment will display the Digital ID to the user. If the file is tampered with in any way after it has been signed, the user will be notified and given the option of refusing the installation.
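The tamper detection described above rests on per-entry digests that the signer records in META-INF/MANIFEST.MF. The following is an added example, not part of the original page: it recomputes those digests for a JAR built in memory and reports entries that were changed, added or removed. It does not validate the .SF/.RSA signature over the manifest, which jarsigner -verify does; the names parse_manifest, tampered_entries and build_jar and all sample data are hypothetical.

```python
import base64
import hashlib
import io
import zipfile

def parse_manifest(text):
    """Map entry name -> attributes. Continuation lines start with a space."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    sections = {}
    for block in unfolded.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        if "Name" in attrs:
            sections[attrs.pop("Name")] = attrs
    return sections

def tampered_entries(jar_bytes):
    """Entries changed, added or removed relative to the manifest digests."""
    bad = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        sections = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode())
        for name in jar.namelist():
            exempt = name.startswith("META-INF/") or name.endswith("/")
            if name not in sections and not exempt:
                bad.add(name)  # no digest recorded: added afterwards
            for key, expected in sections.get(name, {}).items():
                if key.endswith("-Digest"):  # e.g. SHA-256-Digest, SHA1-Digest
                    algo = key[:-len("-Digest")].replace("-", "").lower()
                    actual = hashlib.new(algo, jar.read(name)).digest()
                    if base64.b64encode(actual).decode() != expected:
                        bad.add(name)  # content differs from recorded digest
        bad.update(n for n in sections if n not in jar.namelist())  # removed
    return sorted(bad)

def build_jar(files, digested_as=None):
    """Constructed sample JAR; manifest digests are taken from `digested_as`."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in (digested_as or files).items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        lines += ["Name: " + name, "SHA-256-Digest: " + digest, ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines) + "\r\n")
        for name, data in files.items():
            jar.writestr(name, data)
    return buf.getvalue()

# Constructed sample data (not from the page): as packaged, then modified.
FILES = {"UserFTP.class": b"constructed bytes", "ftp.properties": b"port=21"}
EDITED = {**FILES, "UserFTP.class": b"patched", "Extra.class": b"added"}
print(tampered_entries(build_jar(FILES)), tampered_entries(build_jar(EDITED, FILES)))
```

A clean result here only means the contents match the manifest; trust in the manifest itself comes from the signature check and certificate chain that jarsigner -verify -verbose -certs reports.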