Code Signing: Understanding and Performing Certification Signing Request
Created: 25 January 2019 Modified:
Goal
The goal is to get a Code Signing certificate to sign legacy Java Applets. The current signatures are based on an expired code signing certificate. Code signing works by signing your code with a private key; the signature can then be verified by anyone holding the corresponding public key. Private keys are secret; public keys are not.
Process Overview
Using the Java utility “keytool” we generate a Certificate Signing Request (CSR). A CSR is a text file you provide to a Certificate Authority (CA) that contains your public key and identifying information such as your organization name. The matching private key is not in the CSR; it stays in the “.keystore” file on the server/workstation where you generated the CSR. CAs are organizations that vouch for your public key to others. They do this by signing your public key (together with your identity) with their private key, producing your certificate. They then give out their own public key to relying parties. In practice these relying parties turn out to be those who make your browsers and runtimes: organizations like Microsoft, Google and the makers of Firefox.
Walk Through
Using the “keytool” provided by the Java JDK we generate a key pair and a CSR. This command stores the key pair in your default keystore; it is possible to specify a different keystore. My default keystore was /home/chris/.keystore.
[Screenshot: terminal on Linux workstation]
Now we print out the CSR so that we can go to the CA website and place our request.
[Screenshot: terminal on Linux workstation]
Placing the request over a secure browser connection, you cut and paste the CSR text, including the starting and ending lines with the hyphens. We were provided two options when placing the request: “SHA256 with root SHA1” and “SHA256 with root SHA256”. Your own certificate is signed with SHA256 either way; the choice is whether the CA root certificate at the top of your chain is a SHA1 or a SHA2 (SHA256) root. SHA1 is no longer considered secure enough. Strangely enough SHA1 was still the recommended option. I guess that it is still the most widely supported. We chose the second option. Once you place your request the CA will verify who you are and whether you are allowed to place the request. This process can be quite involved for government agencies.
Once you are verified, they will provide you a certificate to import into your local keystore. I trusted my CA so I answered yes to the “not trusted” question.
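The walk-through above, as an added example that is not part of the original post: a POSIX shell script that builds a throw-away keystore with keytool, generates the CSR the way the post describes, and then checks what the CSR does and does not contain. The alias, distinguished name, password and file paths are constructed for the example; the only tools assumed are keytool (from a JDK) and, optionally, openssl for an independent check of the CSR's self-signature.

```shell
#!/bin/sh
# Added example (not from the original post): keytool key pair + CSR in a
# throw-away keystore, followed by checks on the result.
# Assumptions: keytool on PATH; openssl optional. All names below are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEYSTORE="$WORK/example.keystore"        # stand-in for ~/.keystore
CSR="$WORK/request.csr"
ALIAS="codesign"                          # constructed alias
STOREPASS="changeit-example"              # constructed; use a real secret in practice
DNAME="CN=Example Applet Signer, OU=IT, O=Example Org, L=Springfield, ST=IL, C=US"

# Step 1: generate the key pair into the keystore. The private key is written
# only to this file and never leaves it.
gen_keypair() {
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 3072 \
        -sigalg SHA256withRSA -dname "$DNAME" -validity 365 \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS" \
        >/dev/null 2>&1
}

# Step 2: generate the CSR. It carries the public key and the DN, signed with
# the private key so the CA can check we actually hold it (proof of possession).
gen_csr() {
    keytool -certreq -alias "$ALIAS" -sigalg SHA256withRSA -file "$CSR" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" >/dev/null 2>&1
}

# Check: the CSR is PEM text bracketed by the BEGIN/END lines that get pasted
# into the CA's request form, and it must not contain any private key material.
csr_is_pem() {
    grep -q -- '-----BEGIN NEW CERTIFICATE REQUEST-----' "$CSR" &&
    grep -q -- '-----END NEW CERTIFICATE REQUEST-----' "$CSR" &&
    ! grep -q 'PRIVATE KEY' "$CSR"
}

# Check: the keystore holds a PrivateKeyEntry under our alias.
keystore_has_private_key() {
    keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$ALIAS" \
        2>/dev/null | grep -q 'PrivateKeyEntry'
}

# Optional check with openssl: the CSR's signature verifies against the public
# key embedded in it, and the subject is the DN we asked for. Skipped (returns
# success) when openssl is not installed.
csr_verifies_with_openssl() {
    command -v openssl >/dev/null 2>&1 || return 0
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1 &&
    openssl req -in "$CSR" -noout -subject | grep -q 'Example Applet Signer'
}

# Run the whole flow; returns 0 only when every check passes.
run_example() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found; install a JDK" >&2; return 2; }
    gen_keypair && gen_csr && csr_is_pem && keystore_has_private_key && csr_verifies_with_openssl
}

# Print the CSR text exactly as it would be pasted into the CA's form.
show_csr() { cat "$CSR"; }

if [ "${1:-}" = "run" ]; then
    run_example && show_csr && echo "keystore: $KEYSTORE"
fi
```

Run it as `sh example.sh run` to see the CSR and the keystore path. Once the CA returns the signed certificate, the matching keytool step is `keytool -importcert -alias codesign -trustcacerts -file reply.cer -keystore "$KEYSTORE"`; the “not trusted” prompt mentioned above appears when keytool cannot chain the reply to a root it already trusts, so importing the CA's root and intermediate certificates (fetched from the CA's own site over HTTPS) before the reply lets keytool validate the chain instead of asking.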