OpenSSL is a very handy tool that can be used to generate a code signing certificate for any application. The software is distributed under an open source license (Apache style), and any certificate generated with it can be distributed or used for production purposes.
I recently used it to generate a pkcs12-type certificate to sign the applet jar files in one of my applications, which saved us from the new security warnings that Java 7 brings along for Applet/JNLP-based applications.
Here are the steps I followed to generate the certificate:
- Download Win32OpenSSL_Light-1_0_1e from OPENSSL
- It requires Microsoft VC++ to function; accept the default location to download it (in case it is not available on your machine).
- From the command prompt, move to the location where OpenSSL is installed, i.e. C:\OpenSSL-Win32\bin
- Execute the commands listed below:
1) openssl.exe req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout "C:\companyName\openssl\productName.key" -out "C:\companyName\openssl\certificate.crtopen"
2) openssl.exe pkcs12 -export -inkey "C:\companyName\openssl\productName.key" -in "C:\companyName\openssl\certificate.crtopen" -name erl -out "C:\companyName\openssl\companyName.p12"
The .p12 file is the code signing certificate.
- Here is a sample command for signing jars; replace the values as appropriate (the alias is the name given with -name in command 2, erl in this example):
jarsigner -verbose -keystore companyName.p12 -storepass password -storetype pkcs12 "<jarname>.jar" "alias"
Since I generated my code signing certificate using OpenSSL, which is not a standard CA, the certificate will not be trusted, and you may still see the same set of warning messages even after signing your jars with it. To overcome this, the .p12 file needs to be imported manually into the Signer CA certificates of the JVM installed on your machine. The steps to do so are:
- Go to Control Panel -> Java -> Security -> Manage Certificates
- Import the certificate generated by OpenSSL under the User tab in Signer CA certificates
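Importing the certificate makes that JVM trust every jar signed with the matching key, so it is worth confirming first that the .p12 holds the certificate you generated and that the jar actually verifies. The PowerShell script below is an added example, not part of the original post; it reuses the post's paths, and myapplet.jar and the P12PASS environment variable are names assumed for illustration.

```powershell
# Added example, not from the original post. Paths and file names follow the
# post; myapplet.jar and the P12PASS variable name are placeholders.
$openssl = 'C:\OpenSSL-Win32\bin\openssl.exe'
$dir     = 'C:\companyName\openssl'
$crt     = Join-Path $dir 'certificate.crtopen'
$p12     = Join-Path $dir 'companyName.p12'
$jar     = 'myapplet.jar'

# Keep the keystore password off the command line: openssl (-passin env:) and
# jarsigner (-storepass:env) can both read it from an environment variable.
if (-not $env:P12PASS) { throw 'Set $env:P12PASS to the .p12 password first.' }

function Get-Fingerprint([string[]]$Pem) {
    # Output looks like "SHA256 Fingerprint=AA:BB:..."; keep the hex part.
    $line = $Pem | & $openssl x509 -noout -fingerprint -sha256
    if ($LASTEXITCODE -ne 0) { throw 'openssl could not parse the certificate.' }
    ($line -split '=', 2)[1]
}

# 1. Who the certificate claims to be and how long it is valid. With
#    "req -x509" the subject and issuer are identical (self-signed).
& $openssl x509 -in $crt -noout -subject -issuer -dates

# 2. The certificate packed into the .p12 must be the one generated above.
$fromCrt = Get-Fingerprint (Get-Content $crt)
$fromP12 = Get-Fingerprint (& $openssl pkcs12 -in $p12 -nokeys -passin 'env:P12PASS')
if ($fromCrt -ne $fromP12) { throw "Fingerprint mismatch: $fromCrt vs $fromP12" }
"SHA-256 fingerprint of the signer certificate: $fromCrt"

# 3. The signed jar must verify. The match assumes jarsigner's English output.
$out = & jarsigner -verify -verbose -certs -keystore $p12 -storetype pkcs12 `
    '-storepass:env' P12PASS $jar
$out
if (-not ($out -match 'jar verified')) { throw "$jar did not verify." }
```

Because command 1 uses -nodes, productName.key is written to disk unencrypted; anyone who can read that file can sign jars that this JVM will accept once the certificate is imported.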