The code signing certificates Sun uses are usually X.509/DER binary format, with the extension *.cer. Sometimes they are in X.509/DER BASE64 encoded printable ASCII (American Standard Code for Information Interchange) format, also with the extension *.cer. These certificates don’t contain the private key. When certificates are stored in .keystore certificate collections, they do contain the private key.
|Files||Other Useful keytool Commands|
|KeyStore formats||Exporting Private Keys|
|Generating a Real Certificate||Passwords|
|Generating a Phony Certificate||Backups|
|Creating .keystore||Learning More|
|Updating Root Certificates||Links|
J:\Program Files\java\jdk1.8.0_20\ jre\lib\security\cacerts. contains your authority certificates. Each certificate contains only a public key. There is only one cacerts. file. It comes preloaded with the JRE/JDK with root signing authority certificates from Verisign and Thawte. It comes by default with password changeit (changeme on the Mac).
Make a backup of your .keystore file. See the .keystore entry for where to find it. These have a habit of mysteriously corrupting themselves. If you lose it, you lose your private key, and your certificate will become worthless.
For a fee, Thawte will sign your certificate request with their private key and send it back to you in either X.509/DER or preferably the more advanced PKCS (Public-Key Cryptography Standards) #7 format which includes certificate chains. You then import that certificate into your .keystore file and you can then use it for signing your code. To import
REM import purchased code-signing cert into cacerts REM Prior to Java 1.6 use -import instead of -importcert keytool -importcert -alias pluginsigner -trustcacerts -file cert.cer REM import purchased code-signing cert into the user directory .keystore keytool -importcert -alias pluginsigner -file cert.cerYou don’t import it into your cacerts.. This a code-signing certificate, not an authority certificate. The root Thawte certificate that comes preloaded in your cacerts. file is your authority certificate.
Note, you never tell the certificate authority your private key. The certificate request and the certificate they send back do not contain the private key and hence are useless to anyone who does not have access to your private key.
Since your clients have never heard of your miniature signing authority, you might try loading the phonycert.p7b into each browser who will use your code as if it were a signing authority. Even after you do that, your code still won’t work because Sun Plug-in looks in the policy. and .keystore files on each client machine to decide if it will let code run. You must update all those client .keystore files with your cert so they would work too.
// accessing a keystore in Java KeyStore ks = KeyStore.getInstance( "JCEKS", "SunJCE" );
Here are places to look for your cacerts. files:
C:\Program Files\java\jre1.8.0_20\ lib\security\cacerts.
C:\Program Files (x86)\java\jre1.8.0_20\ lib\security\cacerts.
J:\Program Files (x86)\JetBrains\IntelliJ IDEA 13.1\jre\jre\lib\security\cacerts.
If you screw up, you can start over by deleting your .keystore file, or by deleting the offending entries. Make sure you never delete the private key for one of your paid certificates though!
You can tell if a certificate includes a private key by the way keytool lists it. Signing certificates with private keys will be marked keyEntry. Authority certificates without private keys will be marked trustedCertEntry.
Keytool, however will not tell you if a certificate is DSA (Digital Signature Algorithm) or RSA (Rivest, Shamir and Adelman) and how many bits it is. You can determine that with IBM (International Business Machines) ’s keyman. It is best then to choose names of aliases and certificate files e.g. mindprod2006dsa.cer that will help you remember.
Keytool will generate a private key, but won’t import or export one. This is why you can’t easily convert a Sun code signing certificate to a Netscape code signing certificate or vice versa. Mitch Gallant has found a way around this that uses the BouncyCastle classes, but it is no longer available.
You must plan ahead and generate your private key in the .keystore where you want to it to finally reside. People not understanding the process so often lose the original private key, or find they can’t move it to where it is needed. This applies even more so to SSL (Secure Sockets Layer) certificates.
Understand the process!
There are also optional additional password protections on each individual item in the store. Passwords are case-sensitive and must be at least 6 letters long. Best to include some digits to make them harder to guess. Putting punctuation in them will make it difficult to use them on the command line.
This page is posted
Optional Replicator mirror
Your face IP:[220.127.116.11]
You are visitor number|