So, you are trying to run an applet or a java web start application delivered over the browser. Your applet/application needs to perform some privileged operation such as reading local resources or writing to a file. The jvm sandbox security wouldn’t allow you to perform these operations. In order to do this, your applet/application jar needs to be signed by a certificate from a Certifying Authority (CA). You can get away with a self signed certificate except that it would generate a warning when the jar is downloaded by the client. Not a big deal at all to have a warning show up when we are developing/testing. It is when we are officially distributing the software do we need to care about using an authentic certificate from a Certifying Authority. If you are wondering how to go about generating your own certificate and how to sign the jar, please read on for solution.
Jdk comes with a couple of tools that help us generate a certificate and also sign the jar. The tools we would use for this purpose are:
- keytool
- jarsigner
The steps to complete the certificate generation and signing are:
- Use keytool to generate the certificate and the keystore
- Use jarsigner to sign the jar
Open a cmd window and type keytool -help to see the options available. We would use the -genkeypair option. Please bear in mind that this was -genkey with older versions of java. The options for -genkeypair are:
|
1 2 3 4 5 |
-genkeypair [-v] [-protected] [-alias ] [-keyalg ] [-keysize ] [-sigalg ] [-dname ] [-validity ] [-keypass ] [-keystore ] [-storepass ] [-storetype ] [-providername ] [-providerclass [-providerarg ]] ... [-providerpath ] |
Below is an example usage:
|
1 2 3 4 5 |
keytool -genkeypair -dname "cn=Sachin Tendulkar, ou=Techtips, o=SevenMountz, c=US" -alias selfsigned -keypass welcome -keystore selfsignedstore.jks -storepass welcome -validity 360 |
In above command we are asking for a keystore named “selfsignedstore.jks” to be created in the current working directory and assign it a password of “welcome”. The command generates a public/private key pair for the entity whose “distinguished name” has a common name of “Sachin Tendulkar”, organizational unit of “Techtips”, organization of “TheNerdyDeveloper” and two letter country code of “US”. It uses the default “DSA” algorithm to create the keys, both 1024 bits long.
It also creates a self-signed certificate (using the default “SHA1withDSA” signature algorithm) that includes the public key and the distinguished name information. This certificate will be valid for 360 days, and is associated with the private key in a keystore entry referred to by the alias “selfsigned”. The private key is assigned the password “welcome”.
The command could be significantly shorter if option defaults were accepted. As a matter of fact, no options are required; defaults are used for unspecified options that have default values, and you are prompted for any required values. Thus, you could simply have the following:
|
1 2 3 4 5 |
keytool -genkey |
In this case, a keystore entry with alias “mykey” is created, with a newly-generated key pair and a certificate that is valid for 90 days. This entry is placed in the keystore named “.keystore” in your home directory. (The keystore is created if it doesn’t already exist.) You will be prompted for the distinguished name information, the keystore password, and the private key password.
You should be able to see a file named selfsignedstore.jks in your folder.
Now that you have generated the certificate, the next step is to sign your jar. Ensure the keystore selfsignedkeystore.jks and the jar to be signed are in the same folder from which you are executing jarsigner. If they are not in the same folder, then copy them over to the same folder. Then execute the below command to sign the jar:
|
1 2 3 4 5 |
jarsigner -keystore selfsignedstore.jks myapplication.jar selfsigned |
Once the command completes, you jar is signed. You can verify the modify timestamp on the jar to ensure that it is infact signed. If you open the jar with winzip or 7zip, you should be able to navigate to the META-INF folder. In this folder you should be able to see couple of files with name “SELFSIGN.DSA” and SELFSIGN.SF. This confirms that the jar is infact signed. Your jar is now ready to go!
There are occassions when even after signing the jar you keep running into access denied exceptions. If this happens, it is because the old unsigned jar is still not cleared out of the java cache. Go to the control panel and click java. In the java control panel “General” tab under “Temporary Internet Files” click on view. You would see a list of jar files cached in here. Select all and delete these. Then close the control panel. Close all your browsers. Sometimes you may need to restart your system. Then retry the applet/application now. It should display a warning about unsigned certificate. On accepting the warning, you should be able to run the application without an issue.
Good luck.