Home » Software Security Blog » How to Sign Java Files using Code Signing Certificates
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

How to Set Up and Install a Java Code Signing Certificate

In Java, the process of setting up and installing a Java Code Signing Certificate is mostly the same as with an SSL Certificate but with a few minor differences. Here, firstly you have to create a Java keystore along with your CSR (Certificate Signing Request) and then the process of installation begins.

Java CSR Creation & Code Signing Certificate Installation Process

Before you begin with any process, be sure that JDK (Java Development Kit) is installed properly on your local computer or server. Once you create the CSR, be sure to keep track of yuor keystore file as it contains the private key. Additionally, the keystore file is also used to install your Code Signing Certificate.


If you’re using the below-mentioned instructions from a Windows Server, use the command prompt and be sure that the JDK bin folder is there in your Path environment,

C:\Program Files\Java\jdk1.7.0_02\bin

Moreover, you can use the JDK bin folder to run the keytool directly. Be sure to keep your newly created keystore and CSR files securely.

Step-by-step Guide to Create a Java Keystore File & CSR:

Step:1 For creating a keystore and key, at the command prompt run this command

keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore Examplekeystore.jks

Step:2 Enter the requested information, as prompted:

Enter keystore password:

Re-enter new password:

What is your first and last name?

[Unknown]: Firstname Lastname or YourCompanyName

What is the name of your organizational unit?

[Unknown]: YourDepartment

What is the name of your organization?

[Unknown]: YourCompanyName or Firstname Lastname

What is the name of your City or Locality?

[Unknown]: YourCity

What is the name of your State or Province?

[Unknown]: YourState or YourProvince

What is the two-letter country code for this unit?

[Unknown]: US

Is CN=YourCompanyName or Firstname Lastname, OU=YourDepartment, O=YourCompanyName or Firstname Lastname, L=YourCity, ST=YourState, C=US correct?

[no]: yes

Enter key password for

(RETURN if same as keystore password):

Step:3 Once you complete the above step, a Java keystore file called Examplekeystore.jks will be created.

Step:4 Now, for generating a CSR through keystore, at the command prompt run this command

keytool -certreq -alias server -file csr.csr -keystore Examplekeystore.jks

Enter keystore password:

Note: Keep the same password which you used in Step 2

Step:5 Once you complete the above steps, you will be provided with the private key & a CSR saved in .jks & .csr file format respectively.

Step: 6 Now, when you place your Code Signing Certificate order, open the .csr file using any text editor and copy & paste its contents in the given CSR box on the order form of our website.

Note: Keep your keystore password secure, as you will need it during installation time and whenever you use the certificate for signing code.

Step-by-step Guide to Install Code Signing Certificate

Once you get your approved code signing certificate file, you can begin installing it into the keystore (which you created while creating the CSR.)

Step:1 For installing the certificate, at the command prompt run the following command

keytool -import -trustcacerts -alias server -file YourName.p7b -keystore Examplekeystore.jks

Step: 2 If the above step has gone correctly, you should receive a message saying, “Certificate reply was installed in keystore.”

Step:3 Type y or yes, if you’re asked to trust the certificate.

Step:4 Finally, your code signing certificate is installed and you can proceed to sign code.

Step-by-step Guide to Sign Java .jar Files with Jarsigner

Once you complete the above steps, you can sign and verify the signature on .jar files using Jarsigner.

Step:1 For signing a file, at the command prompt run the following command

arsigner -tsa https://timestamp.<certificate-authority>.com -keystore c:\path\to\your\Examplekeystore.jks -storepass ExamplePassword c:\path\to\your\file.jar ExampleAlias

For the above command, replace ExamplePassword with the actual password you used for generating your keystore and ExampleAlias with the proper alias assigned while generating CSR.

Step:2 If you don’t find any output don’t worry, as it doesn’t provide any information of code being signed successfully./h4>

Step:3 For verifying .jar file was signed successfully, run the below jarsigner -verify command in command prompt

jarsigner -verify -verbose -certs c:\path\to\your\file.jarjarsigner -verify -verbose -certs c:\path\to\your\Examplefile.jar

Step:4 If your code is signed successfully, you will see the following output

s = signature was verified