Platinum Edition Using HTML 4, XML, and Java 1.2
(Publisher: Macmillan Computer Publishing)
Author(s): Eric Ladd
ISBN: 078971759x
Publication Date: 11/01/98




CAUTION:  

If you omit -dname and let keytool default your Distinguished Name, it will prompt you for your state and locality, which are usually unnecessary.


-alias refers to a shorter name by which you will know this Distinguished Name. For example, I might write

keytool -genkey -alias "Mike Morgan" \
    -dname "CN=Michael L Morgan, OU=Software Engineering, O=DSE Inc, C=US" \
    -keypass "A password for Platinum Edition"


CAUTION:  

Don’t enter your passphrases as parameters or embed them in scripts—wait and let the system prompt you for them. When you enter them, keytool will echo the characters. Make sure no one can see you when you type in this information.


By default, keytool wraps the public key into a self-signed X.509v1 certificate (but not the newer X.509v3). The two formats (X.509v1 and X.509v3) are similar—most end users who know the difference won’t care whether you’re using v1 or v3, but they may hesitate before accepting a self-signed certificate. If you want an X.509v3 certificate, you’ll have to go to a public Certification Authority such as Verisign or obtain your own Certificate Server.


NOTE:  If you’ve worked with JARs in an earlier release of the JDK, you’ll have seen a utility called javakey. That program is now obsolete—stick with keytool and jarsigner.

Obtaining a Certificate

After you’ve generated your keypair, you need to generate a Certificate Signing Request, or CSR, and send that CSR to the Certificate Authority (CA) of your choice—either a public CA or your own organization’s CA.

ON THE WEB
http://www.verisign.com/ You can learn how to get your keypair certified by Verisign from their Web site. You’ll need to be able to prove to them that you are who you say you are, and you’ll pay a small fee.
To learn more about the Netscape Certificate Server, visit http://home.netscape.com/comprod/server_central/product/certificate/index.html.

To generate a Certificate Signing Request (CSR), type

keytool -certreq

Just as with -genkey, the program will prompt you for any required parameters you omit. You may want to use one or more of the following options:

  -v—Generate verbose output.
  -alias alias—Specifies the alias of the key you want to certify. The default is mykey.
  -sigalg sigalg—The signing algorithm to be used. The default is DSA with SHA1.
  -file csr_file—The file into which the CSR should be written.
  -keypass keypass—The passphrase for this key.
  -keystore keystore—The file where the keys are stored.
  -storepass storepass—The passphrase of the keystore.

After you’ve generated the CSR, send it to your CA following the instructions they’ll give you. (CAs generally accept CSRs by email, although some prefer that you copy the CSR and paste it into an HTML form.) After the CA follows its certificate-signing policy to verify your identity (and, in the case of a commercial CA, after they’ve received payment), they’ll issue you a certificate. This certificate may come by email, or you may be sent to pick it up at a Web page. Either way, get it into a file by itself and type

keytool -import

If your certificate comes by email, mail headers and footers may be on the message. The part of the message you want to copy into a file is the part bounded by “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----”, including those two marker lines.

Some other parameters for the import option that you may find useful are

  -v—To get a verbose output
  -alias alias—The common name of the person associated with this certificate
  -file cert_file—The name of the file where the certificate is stored


CAUTION:  

Do not use the -noprompt option of keytool. Require the keytool to show you the certificate—satisfy yourself that it’s not a forgery. You can call the CA and read them the certificate’s message digest (it’s called the fingerprint) if you want to be sure.



Your CA will probably send you a copy of their certificate so you can verify the signature on your certificate. Install their certificate too, but first, double-check their fingerprint to make sure no one has forged their certificate.
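Pulling the certificate out of the CA’s mail reply and checking its fingerprint before you run keytool -import, as an added example that is not from the book; the DER bytes and the mail message are constructed stand-ins, and the colon-separated digest mirrors the fingerprint form keytool prints:

```python
import base64
import hashlib
import re
from typing import Optional

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in for a certificate's DER bytes (a real one is a few
# hundred bytes of ASN.1); the extraction and digest steps are identical.
DER_PLACEHOLDER = b"\x30\x82" + b"constructed DER placeholder bytes " * 4


def to_pem(der: bytes) -> str:
    """Wrap DER as a clean PEM body (64-char lines) for keytool -import."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def extract_certificate(message: str) -> Optional[bytes]:
    """DER bytes of the first certificate in a mail message, ignoring
    headers, greeting and signature; None if absent or mangled base64."""
    match = PEM_RE.search(message)
    if not match:
        return None
    body = "".join(match.group(1).split())  # drop line breaks and spaces
    try:
        return base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error: not base64, a corrupted paste
        return None


def fingerprint(der: bytes, algorithm: str = "sha1") -> str:
    """Digest of the DER bytes in keytool's colon-separated fingerprint
    form, the value you read back to the CA before trusting the cert."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_fingerprint(shown: str, spoken: str) -> bool:
    """Compare what keytool shows with what the CA reads out, ignoring
    case and separators so a phone read-back compares cleanly."""
    a, b = (re.sub(r"[^0-9a-f]", "", s.lower()) for s in (shown, spoken))
    return a != "" and a == b


def build_sample_mail(der: bytes) -> str:
    """Constructed CA reply: mail headers and footer around the PEM block."""
    return ("From: ca@example.test\nSubject: Your certificate\n\n"
            "Here is your signed certificate.\n\n" + to_pem(der)
            + "\nRegards,\nExample CA\n")
```

Write the output of to_pem() to a file by itself and pass that file to keytool -import -file; compare the fingerprint keytool displays against the one the CA confirms before accepting.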

To learn even more about keytool, point your Web browser to /docs/tooldocs/win32/keytool.html in your JDK directory (on a Windows machine). An analogous directory for Solaris is available should you need to learn about the differences between keytool on Windows and keytool on Solaris.

Distributing Your Certificate

Now that you have a signed certificate, let people know it exists so they can get your public key. They’ll use this key to verify messages and applets from you. You might type

keytool -export -alias mike -file filename

The -file parameter names the file into which the utility copies your certificate. Distribute that certificate to people who might use your signed applet—they should verify the signature on the certificate before they put a strange applet to work on their machines.

Using jarsigner to Sign a JAR File

After you have a public/private keypair and an X.509 certificate that attests to its authenticity, you’re able to digitally sign your JAR files. Sun provides the jarsigner utility for this purpose.


NOTE:  The version of jarsigner that is distributed with JDK 1.2 can only sign JAR files that have been built with Sun’s jar utility.

In addition to signing JAR files, jarsigner can also verify the integrity of a signed JAR. Just run it with the -verify option.

