It is very important to follow the main instructions to the letter. Those given by other sites, or by other Verisign documents, are partial and do not always cover the right case, which here is the certification of a Java applet by a certification authority.
Using OpenSSL is not necessary, because the keytool command from JDK 1.5 is sufficient.
Very important. It is never stated, but it seems impossible to use the Verisign reply on a machine other than the one that generated the request (the .csr), even when using the same data to regenerate the key (I think this comes from the MD5 algorithm used internally).
In the worst case, make a very careful backup of the keystore used for the "csr"; otherwise it will be impossible to reuse the certificate, because the private key will be missing, the certificate supplying the public key.
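The check below is an added example, not part of the original note or of VeriSign's instructions: before the import step, it confirms that the file VeriSign returned carries the public key of the key pair stored under your alias, which keytool requires in order to accept the reply. The class name CheckReply is made up for this example; its three arguments correspond to <keystore_filename>, <alias_name> and cert.cer in the instructions further down.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;

// Added example (hypothetical class name). Run it before "keytool -import":
//   java CheckReply <keystore_filename> <alias_name> cert.cer
public class CheckReply {
    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 3 || console == null) {
            System.err.println("usage (from a terminal): java CheckReply <keystore> <alias> <reply>");
            System.exit(2);
        }
        char[] pass = console.readPassword("Keystore password: ");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, pass);               // also verifies the keystore's integrity
        } finally {
            if (pass != null) Arrays.fill(pass, '\0');   // do not keep the password around
        }
        // The CSR was produced from a key entry; a keystore without one cannot take the reply.
        if (!ks.isKeyEntry(args[1])) {
            System.err.println("No private key under alias '" + args[1] + "' in " + args[0]);
            System.exit(1);
        }
        byte[] ours = ks.getCertificate(args[1]).getPublicKey().getEncoded();

        // The reply may be a single certificate or a PKCS#7 chain; read every certificate in it.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        boolean match = false;
        try (InputStream in = new FileInputStream(args[2])) {
            for (Certificate c : cf.generateCertificates(in)) {
                X509Certificate x = (X509Certificate) c;
                boolean same = Arrays.equals(ours, x.getPublicKey().getEncoded());
                System.out.println((same ? "MATCH  " : "chain  ") + x.getSubjectX500Principal());
                match |= same;
            }
        }
        if (!match) {
            System.err.println("Reply does not contain this keystore's public key; the import would be rejected.");
            System.exit(1);
        }
        System.out.println("Reply matches alias '" + args[1] + "'; back up the keystore, then import.");
    }
}
```

The program exits with status 0 only when one certificate in the reply matches the key entry, so it can gate the import in a build or release script.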
Here is the step-by-step process to:
1 request a new certificate, the ".csr"
2 process the file returned by Verisign.
3 for the "Bundle Applet into a JAR File" part: this part is scripted with ANT, using signjar and the keystore
MAIN instructions (source: Verisign):
Sun Java Signing
VeriSign provides the following instructions to help you get started. If you need more information, contact your browser or OS platform vendor directly.
Step by Step Overview
Step 1: Download Signing Tools
If you have not already done so, download the Java 2 Software Development Kit (SDK). The latest version is available free of charge for the Solaris SPARC/x86, Linux86, and Microsoft Windows platforms from
http://java.sun.com/j2se/.
You will be using the keytool, jar, and jarsigner to apply for your Code Signing Digital ID and sign your code.
Step 2: Enrollment
Create a Keystore
To generate a public/private key pair, enter the following command, specifying a name for your keystore and an alias as well.
C:\jdk1.3\bin\keytool -genkey -keyalg rsa -keystore <keystore_filename> -alias <alias_name>
Keytool prompts you to enter a password for your keystore, your name, organization, and address. The public/private key pair generated by keytool is saved to your keystore and will be used to sign Java Applets and applications. This key is never sent to VeriSign and is required to sign code. VeriSign encourages you to make a copy of the public/private key pair and store it in a safe deposit box or other secure location. If the key is lost or stolen, contact VeriSign immediately to have it revoked.
Generate a CSR
You need to generate a Certificate Signing Request (CSR) for the enrollment process.
1. The following command requests Keytool to create a CSR for the key pair in the keystore:
C:\jdk1.3\bin\keytool -certreq -file certreq.csr -keystore <keystore_filename> -alias <alias_name>
2. Begin the enrollment process for a Code Signing ID from the products and services section of the VeriSign Web site.
3. Copy the contents of the CSR and paste them directly into the VeriSign enrollment form. Open the file in a text editor that does not add extra characters (Notepad or Vi are recommended).
To begin the enrollment process for a Code Signing ID you can go to the VeriSign Product pages.
Step 3: Begin Using
Import Digital ID
Once VeriSign has verified your identity, we will send a confirmation e-mail with your Sun Java Code Signing Digital ID attached. Upon receipt, the attached Code Signing Digital ID is saved to a file on your computer. A Code Signing Digital ID is a "trust path" or "chain" back to the VeriSign root certificate. This "trust path" allows your code to be validated on any standard JRE without installing any additional files.
To import your Sun Java Signing Code Signing Digital ID into your keystore, enter the following command with the correct path and file name (for example, "cert.cer") of your Code Signing Digital ID.
C:\jdk1.3\bin\keytool -import -trustcacerts -keystore <keystore_filename> -alias <alias_name> -file cert.cer
Bundle Applet into a JAR File
Use jar to bundle your Applets or applications as a JAR file. This string creates a JAR file C:\TestApplet.jar. The JAR file contains all the files under the current directory and its sub-directories.
C:\jdk1.3\bin\jar cvf C:\TestApplet.jar .
Jar responds:
added manifest
adding: TestApplet.class (in = 94208) (out= 20103)(deflated 78%)
adding: TestHelper.class (in = 16384) (out= 779)(deflated 95%)
Sign Your Applet
1. Use jarsigner to sign the JAR file with the private key you saved in your keystore.
C:\jdk1.3\bin\jarsigner C:\TestApplet.jar MyCert
2. At the prompt, enter the password to your keystore.
3. Jarsigner hashes your Applet or application and stores the hash in the JAR file created in step 5 with a copy of your Code Signing Digital ID.
4. Verify the output of your signed JAR file.
C:\jdk1.3\bin\jarsigner -verify -verbose -certs d:\TestApplet.jar
When the signed JAR file is downloaded, the Java Runtime Environment will display your Digital ID to the user. If the file is tampered with in any way after it has been signed, the user will be notified and given the option to refuse installation.