Copyright (c) SEMM NL All rights reserved.
Author : Paul Hamaker. Part of JavaLessons.com

In the SDK's bin directory is the program keytool (next to jar and jarsigner, which are used below).

We want an RSA public/private key pair with an X.509 certificate for the public key (self-signed for now). keytool then asks a couple of questions concerning name, department, organization, city, state and country. These items make up the Distinguished Name that a certificate needs to adhere to the X.509 standard.

What has been generated has been stored in a keystore; without a -keystore option keytool uses the default keystore (a file called .keystore in your home directory), with a location that may resemble this.

Go to the directory with the app's class files etc. and pack them all into t.jar with the jar tool. Don't forget the last dot (= the current directory); it is the input that gets packed.

Then sign the t.jar file. For this, the private key from the keystore is used; jarsigner adds a signature file with the digest of every entry and a signature block containing the certificate to the jar's META-INF directory. After this, anyone holding the associated public key (from the certificate) can verify that the jar was signed by the holder of the private key and has not been changed since.

Check the file with jarsigner -verify. Note that without -strict jarsigner exits with status 0 even for an unsigned jar, so read its output ("jar verified." versus "jar is unsigned.") rather than trusting the exit code.
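The self-signed procedure above, end to end, as an added example (this is not code from the original page). It generates the key pair and certificate non-interactively, packs a directory into t.jar, signs it, verifies it, and then shows what verification does once an entry has been modified after signing. The password, alias, distinguished name and the placeholder file standing in for the class files are assumptions for the demo; keytool, jar and jarsigner from a JDK must be on the PATH.

```shell
#!/bin/sh
# Added example (not from the original page): self-signed keytool/jar/jarsigner flow.
# Password, alias, DN and the placeholder file are demo assumptions.
set -u

PASS="${PASS:-changeit}"    # demo password; use a real secret for a real keystore
ALIAS="${ALIAS:-signer}"    # name of the key entry inside the keystore

# Generate an RSA key pair plus a self-signed X.509 certificate in a PKCS12 keystore.
# -dname answers keytool's questions (CN, OU, O, L, ST, C) without prompting.
make_signer_keystore() {    # $1 = keystore file to create
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 3072 -validity 365 \
    -dname "CN=Example Signer,OU=Development,O=Example Corp,L=Amsterdam,ST=NH,C=NL" \
    -keystore "$1" -storetype PKCS12 -storepass "$PASS" -keypass "$PASS"
}

# Pack a directory into a jar; the trailing "." is the input (current) directory.
build_jar() {               # $1 = jar to create (absolute path), $2 = directory to pack
  ( cd "$2" && jar cf "$1" . )
}

# Sign with the private key behind $ALIAS. jarsigner adds META-INF/<ALIAS>.SF (entry
# digests) and META-INF/<ALIAS>.RSA (signature plus certificate), alias in upper case.
sign_jar() {                # $1 = keystore, $2 = jar
  jarsigner -keystore "$1" -storetype PKCS12 -storepass "$PASS" "$2" "$ALIAS"
}

# Verify. Without -strict jarsigner -verify exits 0 even for an unsigned jar, so the
# check is on its output: "jar verified." must be there and no entry may be reported
# as unsigned. A modified entry gives a digest error instead of that line.
verify_jar() {              # $1 = jar
  out=$(LC_ALL=C jarsigner -verify "$1" 2>&1)
  printf '%s\n' "$out" | grep -q '^jar verified\.' &&
    ! printf '%s\n' "$out" | grep -qi 'unsigned'
}

# Overwrite one signed entry after signing, as someone modifying the jar would.
tamper_jar() {              # $1 = jar, $2 = directory holding the entry, $3 = entry name
  ( cd "$2" && printf 'tampered\n' >> "$3" && jar uf "$1" "$3" )
}

# Whole flow in a scratch directory. Prints the directory; non-zero status on failure.
demo_self_signed() {
  work=$(mktemp -d) || return 1
  mkdir "$work/classes"
  # Constructed stand-in for the app's class files; jarsigner signs any entry type.
  printf 'greeting=hello\n' > "$work/classes/app.properties"
  make_signer_keystore "$work/signer.p12" >/dev/null 2>&1 || return 1
  build_jar "$work/t.jar" "$work/classes" || return 1
  sign_jar "$work/signer.p12" "$work/t.jar" >/dev/null 2>&1 || return 1
  verify_jar "$work/t.jar" || return 1                  # signed and intact: verifies
  tamper_jar "$work/t.jar" "$work/classes" app.properties >/dev/null 2>&1 || return 1
  if verify_jar "$work/t.jar"; then return 1; fi        # changed after signing: must fail
  echo "$work"
}

# Run the demo when executed directly and a JDK is available.
if command -v jarsigner >/dev/null 2>&1; then demo_self_signed; fi
```

Re-signing the modified jar with sign_jar makes it verify again, which is exactly why the keystore holding the private key has to stay secret: the signature proves who signed and that the bytes are intact, nothing more.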

If this is about publishing an applet, you can now test it in a browser with the 1.4 Plug-in, provided the HTML (the archive attribute of the applet tag) points at the signed jar file.

A dialog will pop up similar to the picture. This allows you to grant the applet the freedom to go outside its sandbox. If you 'grant Always', the certificate is registered on the Certificates page of the Plug-in Control Panel. Permission will then NOT be asked for future downloaded code, signed with the same certificate.

The code is now allowed to access other hosts via the network, access the file system, show a file dialog, print etc. The signature only tells you who signed the code and that it is unchanged since; whether the code is safe to run with those rights is your decision about the signer.

Two reasons for the dialog not popping up :

The certificate is self-signed. The plug-in cannot verify it against a trusted CA, so self-signed certificates are not guaranteed to work.

or

The certificate has already been registered on the plug-in's Certificates page (by an earlier 'grant Always').

If you want to sign code for world-wide use, your certificate has to be verifiable by the world, i.e. issued by a Certificate Authority whose root certificate browsers and the Java runtime already trust. This service is offered by Verisign and Thawte, among others.

To one of these companies you submit a certificate signing request and fork over a couple of hundred dollars.

To generate the request (keytool -certreq). The request contains your public key and Distinguished Name, signed with your private key; the private key itself never leaves the keystore.

What to submit: the contents of the request file.

The Certificate Authority ( CA ) now sends a chain (your certificate plus the CA certificates above it) that has to be stored in a file, say, edp.cert.

Which can then be imported into the keystore under the same alias, thereby replacing the original, self-signed, entry. keytool only accepts the reply if it can build a chain from it to a certificate it already trusts: one in the keystore itself, or one in the JDK's cacerts file when -trustcacerts is given. If the CA's root is in neither, import it as a trusted entry first.

Now code can be signed and thus be verified world-wide to have originated from your company and to be unchanged since signing.

( If there's only a need to sign code for a company's intranet, an option is to run your own certificate server, i.e. to be your own CA, and to distribute its root certificate to the client stations. )

=============

IMPORTANT :

BE SURE TO KEEP THE KEYSTORE PERFECTLY SAFE, FOR IT CONTAINS THE PRIVATE KEYS USED FOR SIGNING. THESE HAVE TO REMAIN ABSOLUTELY SECRET.

==========

The 1.4 browser plugin automates importing the certificate containing the signer's public key. If you're dealing with regular applications that are not run by a browser plugin, you need to export the public key certificate from the keystore first (keytool -exportcert).

Copy the file to a client station and then import it into the client's own keystore (keytool -importcert) as a trusted certificate. Use a channel you trust for that copy: a client that imports somebody else's certificate will from then on trust code signed by that somebody.

== NOTE ======

To remove an entry from the keystore (keytool -delete, with the alias of the entry).
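The CA procedure, the client-side export and import, and the removal of an entry, worked through with keytool as your own CA (the intranet option mentioned above). This is an added example and not code from the original page: it issues a code-signing certificate for a request with keytool -gencert (available since JDK 7), imports the reply so that it replaces the self-signed entry, removes the now redundant trusted CA entry from the signer's keystore, signs a jar, and verifies it on a client keystore that holds only the CA's certificate. Names, passwords, the placeholder content and the file name edp.cert for the reply are assumptions for the demo; keytool, jar and jarsigner must be on the PATH.

```shell
#!/bin/sh
# Added example (not from the original page): own CA with keytool -gencert, reply
# import, keystore entry removal, client truststore. Names and passwords are demo assumptions.
set -u

PASS="${PASS:-changeit}"    # one demo password for every keystore; use distinct real secrets
ALIAS="${ALIAS:-signer}"    # the code-signing key entry

# The intranet CA: a key pair whose certificate carries BasicConstraints ca:true (-ext bc:c).
make_ca() {                 # $1 = CA keystore
  keytool -genkeypair -alias ca -keyalg RSA -keysize 3072 -validity 3650 -ext bc:c \
    -dname "CN=Example Intranet CA,O=Example Corp,C=NL" \
    -keystore "$1" -storetype PKCS12 -storepass "$PASS" -keypass "$PASS"
}

# The code-signing key pair, initially with a self-signed certificate.
make_signer_keystore() {    # $1 = signer keystore
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 3072 -validity 365 \
    -dname "CN=Example Signer,OU=Development,O=Example Corp,C=NL" \
    -keystore "$1" -storetype PKCS12 -storepass "$PASS" -keypass "$PASS"
}

# Certificate signing request: public key plus DN, signed with the private key.
make_csr() {                # $1 = signer keystore, $2 = request file
  keytool -certreq -alias "$ALIAS" -keystore "$1" -storetype PKCS12 -storepass "$PASS" -file "$2"
}

# The CA issues a certificate for the request, restricted to code signing.
ca_sign_csr() {             # $1 = CA keystore, $2 = request, $3 = issued certificate (PEM)
  keytool -gencert -alias ca -keystore "$1" -storetype PKCS12 -storepass "$PASS" \
    -infile "$2" -outfile "$3" -validity 365 -rfc \
    -ext ku:c=digitalSignature -ext eku=codeSigning
}

export_cert() {             # $1 = keystore, $2 = alias, $3 = PEM output
  keytool -exportcert -alias "$2" -keystore "$1" -storetype PKCS12 -storepass "$PASS" -rfc -file "$3"
}

import_trusted() {          # $1 = keystore (created if absent), $2 = alias, $3 = PEM certificate
  keytool -importcert -noprompt -alias "$2" -file "$3" -keystore "$1" -storetype PKCS12 -storepass "$PASS"
}

# Import the CA reply under the signer's alias. keytool accepts it only if it can chain
# the reply to a certificate it trusts, so the CA certificate goes in first; the reply
# then replaces the self-signed certificate and the chain is stored with the key entry.
import_reply() {            # $1 = signer keystore, $2 = CA certificate (PEM), $3 = reply (PEM)
  import_trusted "$1" ca "$2" &&
  keytool -importcert -noprompt -alias "$ALIAS" -file "$3" -keystore "$1" -storetype PKCS12 -storepass "$PASS"
}

chain_length() {            # $1 = keystore; prints the certificate chain length of $ALIAS
  LC_ALL=C keytool -list -v -alias "$ALIAS" -keystore "$1" -storetype PKCS12 -storepass "$PASS" 2>/dev/null |
    sed -n 's/^Certificate chain length: //p'
}

delete_entry() {            # $1 = keystore, $2 = alias to remove
  keytool -delete -alias "$2" -keystore "$1" -storetype PKCS12 -storepass "$PASS"
}

# Verify against a keystore of trusted certificates (the client's, holding the CA root).
verify_jar() {              # $1 = jar, $2 = truststore
  out=$(LC_ALL=C jarsigner -verify -keystore "$2" -storetype PKCS12 -storepass "$PASS" "$1" 2>&1)
  printf '%s\n' "$out" | grep -q '^jar verified\.' && ! printf '%s\n' "$out" | grep -qi 'unsigned'
}

# Whole flow in a scratch directory. Prints the directory; non-zero status on failure.
demo_own_ca() {
  work=$(mktemp -d) || return 1
  mkdir "$work/classes" && printf 'greeting=hello\n' > "$work/classes/app.properties"  # constructed content
  {
    make_ca "$work/ca.p12" && make_signer_keystore "$work/signer.p12" &&
    make_csr "$work/signer.p12" "$work/signer.csr" &&
    ca_sign_csr "$work/ca.p12" "$work/signer.csr" "$work/edp.cert" &&
    export_cert "$work/ca.p12" ca "$work/ca.cer" &&
    import_reply "$work/signer.p12" "$work/ca.cer" "$work/edp.cert" &&
    delete_entry "$work/signer.p12" ca &&                # redundant: the chain lives with the key entry
    ( cd "$work/classes" && jar cf "$work/t.jar" . ) &&
    jarsigner -keystore "$work/signer.p12" -storetype PKCS12 -storepass "$PASS" "$work/t.jar" "$ALIAS" &&
    import_trusted "$work/client.p12" ca "$work/ca.cer"  # what a client station needs: the CA root only
  } >/dev/null 2>&1 || return 1
  [ "$(chain_length "$work/signer.p12")" = 2 ] || return 1   # signer certificate plus CA certificate
  verify_jar "$work/t.jar" "$work/client.p12" || return 1
  echo "$work"
}

if command -v jarsigner >/dev/null 2>&1; then demo_own_ca; fi
```

The delete_entry step doubles as a check on the import: after the trusted "ca" entry is gone, keytool -list -v still reports a chain of length 2 for the signer entry, so the CA certificate really was stored with the private key and travels with every signature. A client needs only ca.cer, never the signer's keystore.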
