Signing Applet Jar using signed certificates
As per new security policy Applet needs to be signed with trusted certificates
As per oracle documentation
Java Applet & Web Start - Code Signing –> Starting with Java SE 7 Update 21 in April 2013 all Java Applets and Web Start Applications are encouraged to be signed with a trusted certificate. And starting with 7u25, all files must be added to JARs prior to signing.
This post provides step by step guide for signing applet jar
Step by step guide
Consider the path of applet as website/applet/ourapplet.jar
-
Create the pkcs12 using openssl file for server certificate and key as keytool don’t have any functionality to import key directly
openssl pkcs12 -export -in server.crt -inkey server.key \ -out server.p12 -name some-alias \ -CAfile ca.crt -caname root
For example
openssl pkcs12 -export -in Documents/signedcert.com.crt -inkey Documents/key/signedcert.com.key -out Documents/signing_sandbox/cert.com.p12 -name signed-cert -CAfile Documents/signing_sandbox/bundle-g2.crt -caname GoDaddy -chain -passout pass:<OPEN_SSL_PASSWORD>
Please note you need to enter the password for openssl file otherwise it will give some error while importing
-
Now import the generated file cert.com.p12 to keystore using keytool
keytool -importkeystore -deststorepass <KEYTOOL_PASSWORD> -destkeypass <KEYTOOL_PASSWORD> -destkeystore server.keystore -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass some-password -alias some-alias
keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore /root/signing_sandbox/keystore.jks -srckeystore Documents/signing_sandbox/cert.com.p12 -srcstoretype PKCS12 -srcstorepass <OPEN_SSL_PASSWORD> -alias server-cert
-
Now sign the jar with keystore generated using jarsigner
jarsigner -keystore /root/signing_sandbox/keystore.jks website/appletcode/ourapplet.jar server-cert
It will ask for keystore password, enter the keystore password you entered in step 2 KEYTOOL_PASSWORD
-
You can verify the jar is signed by using
jarsigner -verify -keystore /root/signing_sandbox/keystore.jks website/appletcode/ourapplet.jar