Code Signing Help

Java Code Signing

In order to create your Java code-signing CSR, make sure that the Java Development Kit (JDK) is installed on the machine that will hold the key; the keytool utility used below ships with the JDK in $JAVA_HOME/bin.

Protect your new private key for a Code-Signing certificate

Your private key represents your organization’s identity! Code signed with your private key can be traced back to your organization.

  1. Create and protect your code-signing private key with cryptographic hardware products or on an isolated machine. SecureTrust™ requires that private keys for code-signing be created and stored in one of the following:
    1. A Trusted Platform Module (TPM) that generates and secures a key pair and that can document the subscriber's private key protection through a TPM key attestation.
    2. A hardware crypto module with a unit design form factor certified as conforming to at least FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent
    3. Another type of hardware storage token with a unit design form factor of SD Card or USB token (not necessarily certified as conformant with FIPS 140 Level 2 or Common Criteria EAL 4+). In this case, the token must be kept physically separate from the device that hosts the code signing function until a signing session is begun.
    SecureTrust encourages methods 1 and 2 above and discourages method 3 because, while the SD card or USB token is connected to the signing device, the signing private key can be copied off the token. A TPM or hardware crypto module removes that possibility: the key pair is generated inside the module and the private key is never exportable.
  2. Always use passwords that are randomly generated with at least 16 characters containing uppercase letters, lowercase letters, numbers, and symbols to protect your private key.
  3. Limit the number of employees who are allowed to use your private key for signing code.
  4. Always time stamp your code. A trusted timestamp lets signatures be verified after the certificate has expired, and lets verifiers tell signatures made before a revocation date from those made after it.
  5. Use two different signing certificates: one for test signing and the other for release signing. Use the test-signing certificate for signing code of a pre-release build of your software. The test-signing certificate must chain to a completely different root certificate and only be trusted in your test environment by adding it to your certificate store.
  6. Protect the new code that you will sign with the private key. Use code management systems that have strong authentication and audit logging capabilities. Always scan code for viruses before signing it.
  7. Limit the fallout of revoking a compromised certificate by using keys and certificates for short durations and rotating them often: the fewer releases signed under one key, the fewer signatures a revocation invalidates.

Configure the PKCS#11 provider in Java

In order to generate your CSR using your cryptographic device with Java, you'll need to configure the PKCS#11 provider. The specific steps vary depending on the device, but generally, the procedure includes the following steps:

  1. Edit the Java security properties file, java.security ($JAVA_HOME/jre/lib/security/java.security on JDK 8, $JAVA_HOME/conf/security/java.security on JDK 9 and later), to add the SunPKCS11 provider. On JDK 8 the entry names the provider class followed by the path to its configuration file (security.provider.N=sun.security.pkcs11.SunPKCS11 /path/to/config/file).
  2. Create a configuration file in attribute = value format with at least two attributes: name, a friendly name for your device, and library, the path to the PKCS#11 driver library for your device. The provider instance is then addressed as SunPKCS11-<name>.

More detailed instructions are available from Oracle in the JDK 8 PKCS#11 Reference Guide.

Create your private key

From a shell in which the keytool command is on the PATH, run the following instruction. (SecureTrust requires a minimum key size of 3072 bits.)

Certificate Information Guidelines

Location - Enter the location where your business operates. If you are an international customer in a country without a State/Province or City/Locality, leave those fields blank.

  • Country Name - Enter the two-letter International Organization for Standardization (ISO 3166) code of the country where your organization is legally located, for example "US" or "DE".
  • State/Province - Spell out the entire name of your state or province. For example, if your business operates in Texas, enter "Texas" and not "TX".
  • City/Locality - Spell out the entire name of your city or locality.

Organization - Enter the full, unabbreviated legal name of your business. Include any applicable suffix, such as "Inc" or "LLC". If your company name is registered in an abbreviated form, then you may use that abbreviation if you want.

Organizational Unit - This field will not be included in your certificate, so you can leave it blank.

Common Name - Enter the same value as you entered for your Organization.

Email Address - Enter the address of the person responsible for code signing in your organization. This field is optional.

Generate your CSR

You can generate your CSR from the private key that you have created with the following command:

This command writes a CSR (server.csr) signed with your private key. The CSR carries only your public key and the subject details entered above; the private key itself is not included and stays on your device.
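As an added example covering the PKCS#11 provider configuration, the Certificate Information Guidelines, and the key and CSR steps above (this is not SecureTrust's or Oracle's own tooling), the following Python script renders the SunPKCS11 configuration file and the java.security provider line, validates the subject fields against the guidelines and escapes them the way keytool's -dname expects, assembles the keytool -genkeypair and -certreq invocations for a 3072-bit RSA key generated inside the token, and sanity-checks the CSR PEM before you paste it. The token name and driver path, the config file location, the alias and the "Acme, Inc." details are assumptions; the sample PEM is constructed, not a real request.

```python
"""Added example, not SecureTrust's or Oracle's tooling: wire up SunPKCS11, build a
guideline-conforming -dname and the keytool commands for a 3072-bit code-signing key
on a hardware token, then sanity-check the CSR PEM. Paths, the token library and the
organisation details are assumptions."""
import base64
import re
import shlex

MIN_KEYSIZE = 3072  # SecureTrust minimum for code-signing keys

# Assumed values for the worked example; replace with your own.
TOKEN_NAME = "MyToken"                        # friendly name -> provider "SunPKCS11-MyToken"
TOKEN_LIBRARY = "/usr/lib/libtokenpkcs11.so"  # hypothetical vendor PKCS#11 driver
CONFIG_PATH = "/etc/pki/sunpkcs11-token.cfg"  # hypothetical config file location


def pkcs11_config(name, library, slot_list_index=None):
    """Render the attribute = value file SunPKCS11 reads. name and library are the
    two mandatory attributes; slotListIndex selects a slot on multi-slot tokens."""
    lines = ["name = %s" % name, "library = %s" % library]
    if slot_list_index is not None:
        lines.append("slotListIndex = %d" % slot_list_index)
    return "\n".join(lines) + "\n"


def provider_line(index, config_path, jdk8=True):
    """java.security entry registering the provider: JDK 8 names the class,
    JDK 9+ names the provider; the config path follows either way."""
    prov = "sun.security.pkcs11.SunPKCS11" if jdk8 else "SunPKCS11"
    return "security.provider.%d=%s %s" % (index, prov, config_path)


# keytool parses -dname as an RFC 2253 string, so these characters inside a value
# (the comma in "Acme, Inc." is the usual offender) must be backslash-escaped.
_DN_SPECIALS = ',+"\\<>;'


def escape_rdn(value):
    out = "".join("\\" + c if c in _DN_SPECIALS else c for c in value)
    if out[-1:] == " ":                # trailing space must be escaped
        out = out[:-1] + "\\ "
    if out[:1] in ("#", " "):          # leading '#' or space must be escaped
        out = "\\" + out
    return out


def build_dname(country, organization, state="", locality="", email=""):
    """Apply the Certificate Information Guidelines and return the -dname string:
    OU is omitted and CN is set to the Organization value."""
    problems = []
    if not re.fullmatch(r"[A-Z]{2}", country):
        problems.append("C must be the two-letter ISO 3166 code, e.g. US")
    if not organization.strip():
        problems.append("O must be the full legal name of the business")
    for label, val in (("ST", state), ("L", locality)):
        if val and re.fullmatch(r"[A-Z]{2,3}\.?", val):  # "TX" instead of "Texas"
            problems.append("%s looks abbreviated (%r); spell it out" % (label, val))
    if email and not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
        problems.append("Email address is malformed")
    if problems:
        raise ValueError("; ".join(problems))
    rdns = [("CN", organization), ("O", organization)]
    if locality:
        rdns.append(("L", locality))
    if state:
        rdns.append(("ST", state))
    rdns.append(("C", country))
    if email:
        rdns.append(("EMAILADDRESS", email))
    return ",".join("%s=%s" % (k, escape_rdn(v)) for k, v in rdns)


def keytool_commands(alias, dname, csr_path, provider_name="SunPKCS11-" + TOKEN_NAME,
                     keysize=MIN_KEYSIZE):
    """argv lists for the two keytool steps. -keystore NONE -storetype PKCS11 makes
    keytool generate the pair inside the token, so the private key never touches
    disk; keytool prompts for the token PIN as the store password."""
    if keysize < MIN_KEYSIZE:
        raise ValueError("SecureTrust requires at least %d-bit keys" % MIN_KEYSIZE)
    store = ["-keystore", "NONE", "-storetype", "PKCS11",
             "-providerName", provider_name, "-alias", alias]
    genkeypair = ["keytool", "-genkeypair", "-keyalg", "RSA", "-keysize", str(keysize),
                  "-dname", dname] + store
    certreq = ["keytool", "-certreq", "-sigalg", "SHA256withRSA", "-file", csr_path] + store
    return genkeypair, certreq


def csr_pem_ok(pem):
    """Check what you are about to paste: both armour lines present (keytool writes
    NEW CERTIFICATE REQUEST), a base64 body that decodes, DER starting with SEQUENCE."""
    lines = [l.strip() for l in pem.strip().splitlines()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN ") or not lines[0].endswith("-----"):
        return False
    label = lines[0][len("-----BEGIN "):-len("-----")]
    if label not in ("CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"):
        return False
    if lines[-1] != "-----END %s-----" % label:
        return False
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError:                 # binascii.Error is a ValueError
        return False
    return der[:1] == b"\x30"


# Constructed stand-in for a keytool CSR: a tiny DER SEQUENCE, not a real request.
SAMPLE_CSR_PEM = ("-----BEGIN NEW CERTIFICATE REQUEST-----\n%s\n"
                  "-----END NEW CERTIFICATE REQUEST-----\n"
                  % base64.b64encode(b"\x30\x03\x02\x01\x00").decode())

if __name__ == "__main__":
    print(pkcs11_config(TOKEN_NAME, TOKEN_LIBRARY, 0))
    print(provider_line(10, CONFIG_PATH))
    dn = build_dname("US", "Acme, Inc.", state="Texas", locality="Austin")
    for argv in keytool_commands("codesign", dn, "server.csr"):
        print(shlex.join(argv))  # run these on the machine with the token attached
    print("sample PEM well-formed:", csr_pem_ok(SAMPLE_CSR_PEM))
```

Run it on the machine that has the token attached, write the first two outputs to the config file and java.security, then execute the two printed keytool lines in order; keytool asks for the token PIN as the keystore password. On JDK 8 you can skip the java.security edit by adding -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /path/to/config/file to each keytool command instead. Note that the abbreviation check is a heuristic for "TX"-style values; it cannot confirm that a spelled-out name matches the registered legal address, which is what validation will compare against.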

Submit the CSR to SecureTrust

Now navigate to the location of your saved CSR and open it with a plain-text editor such as Notepad, TextEdit, or vi. Copy the entire text, including the top and bottom dashed BEGIN and END lines. Paste this text directly into the SecureTrust Control Center (Submit your CSR) to proceed to validation. The CSR contains no private key material, so it is safe to copy through a clipboard or ticket.