How to sign your applet for free.


Postby Thema » Sun Nov 23, 2003 2:31 am

OK, this will need a lot of patience, so please bear with me.

First you need to obtain some certificates from Thawte. Strangely enough, that part is easy. Before you begin you will need to install the latest Sun Java Development Kit, obtainable from the Sun download site. It's free. Go get it.

Now all you do is follow these instructions.
Richard Dallaway of http://www.dallaway.com wrote: I took a good look at the list of certificate authorities known to Web Start and one stuck out: Thawte Freemail. In particular, the word “free”. I chased this down and it is indeed a free (no money) way to get a certificate for code signing.

The steps are simple enough:

Sign up for a "personal email certificate". There are quite a few screens to fill in, but follow the process through up until the point where you're asked to select the X.509 email certificate you want. At that point scroll down to “Developers of New Security Applications ONLY”, follow the link and select "Paste-in CSR Certificate Enrollment". There's quite a bit of clicking from this page to get to the page with a text box that allows you to enter your public key. When you get to the "public key" page you need to generate a key with keytool.

Run the Java keytool utility.

First, generate an RSA key. You'll be asked all sorts of information. The important thing to remember is that your name must be set according to the common name you're told to use on the Thawte web site. It'll be something like XVV6ePaMGHEPJN22. When the keytool prompts you to enter your name, enter this value from Thawte. The other important thing to remember is the password you use when you create a key.

Obviously change your “alias” name and the location of the “keystore” file if you like, but run something like this:

keytool -genkey -keyalg RSA -keystore keystore -alias dallaway


Next, export the key to a text file, which in this example is “csr.txt”:

keytool -certreq -keystore keystore -file csr.txt -alias dallaway

Take the text of “csr.txt” and paste it into the Thawte form and wait. That's your certificate request. Mine took about 20 minutes to process, and I was notified that it was ready by email.

When you download your certificate, it's in two formats: Netscape and PKCS7. You want to save the PKCS7 version in a file called “my.cert” (or similar) and then run:

keytool -import -file my.cert -alias dallaway -trustcacerts -keystore keystore

Thawte have changed their certificate format, causing the above step to fail. I'm hoping this is a temporary situation that Thawte will fix. In the meantime, if the above import command fails, it could be because of Thawte's change to their file format. Nicolas Carranza has kindly supplied some Java source for fixing the Thawte certificate format problems. I've packaged this as a jar to download. Run it like this: java -jar thawtecleaner.jar my.cert and it will create my.cert.clean, which you can then use in the keytool -import command, above.

That's it. You have a certificate that's good for a year, after which it can be renewed.


The thawtecleaner.jar file is <Here>

Now you need to obtain an Email Cert for Microsoft from the same place.
Just follow the same instructions, but choose the MS Email path and allow it to be installed for you.

Microsoft are no longer distributing their code signing tools.
You might still find versions of them here:
http://www.pantaray.com/signcode.html

When you have all this set up and ready you need to run signcode.exe to sign the cab file, which is pretty self-explanatory. Delete the securedirc.cab, and copy the unsigned-securedirc.cab to securedirc.cab and browse for it with the signcode application. Just select the email cert to sign with. Don't worry. It'll be OK. Make sure you write something that your people will recognise in the description. It will make them trust it better.

In order to sign the jar file you will need to open a command window and cd to the folder with the jar in it. I place the jar in the same folder as the utility, but you can always add it to the path, I guess. Then you run a command similar to:
C:\j2sdk1.4.2_01\bin\jarsigner -keystore C:\j2sdk1.4.2_01\bin\keystore -storepass MyPasswd irc.jar MyAlias
Last edited by Thema on Fri Mar 16, 2007 11:41 pm, edited 5 times in total.
Thema
 
Posts: 2881
Joined: Sat Oct 18, 2003 5:34 pm

Postby Gayle » Wed Jan 07, 2004 2:30 pm

Generating the RSA keys using openssl works flawlessly as well. I ran through it last night with no problems :)

Very useful post Thema.
Gayle
 

Postby john5 » Fri Jan 23, 2004 1:16 am

Where exactly is this "Email Cert for MicroSoft"?
john5
 

Postby john5 » Fri Jan 30, 2004 7:57 am

Anyone?
john5
 

Postby Thema » Fri Jan 30, 2004 11:02 am

You have to follow the instructions given, guest. The cert is there, I can assure you. Just read everything carefully when you get to the Thawte site.

8)
Thema
 

Postby ed » Sun Feb 15, 2004 3:18 am

Might also try http://www.cacert.org/
ed
 
Posts: 128
Joined: Fri Feb 06, 2004 1:30 am
Location: Houston

Postby mistery » Sat Mar 06, 2004 8:38 pm

When we do this certification, will the popup disappear? Or just give the popup with the information of the certificate?

thx
mistery
 

Postby Thema » Sat Mar 06, 2004 10:02 pm

No.
There are only two ways to remove the cert popup. One is to use a cert that is trusted. If you sign the cert yourself you can ask your clients to trust it as they should trust you. Otherwise you need to be someone that is automatically trusted.

The only other way is to host the IRCD yourself, and host the applet on the same server. However there are other problems with this. How to do this has been explained in great detail elsewhere. Do a search for sandbox.

8)
Go on.
Tell me I'm not nice again.
See what it gets you!
*******************************
Lost or confused?
Read the announcement topic in the
Technical Support forum for help tips.
*******************************
Thema
 

Postby Chris S » Tue Mar 09, 2004 11:31 am

Is there someone to help me with the javakey tool?
I'm searching for the good syntax to put in my DOS window.
I don't really understand the help.
I try:
javakey -gk
but I don't know what I must put after this. In the tuto at the top of this post, the example is done with an old tool. Well, the commands are different. :(
I've done all the rest of the process with Thawte, and I'm at the end.
Sorry for my bad English, I'm French. Then replies in French are accepted :wink:
Chris S
 

Postby Chris S » Tue Mar 09, 2004 1:33 pm

Sorry for my previous post, if an admin can delete it. I had not seen that my JDK wasn't the latest.
Then, now, I've got my cert, OK. But in the instructions I still don't understand the part for MS E-mail. In Outlook when I try to obtain a cert, this redirects me to an MS common page that doesn't talk about certs.
What must I do at this step?
Please help me.
Thanks in advance
Chris S
 
Posts: 3
Joined: Tue Mar 09, 2004 11:38 am

Postby Thema » Tue Mar 09, 2004 1:50 pm

I'm sorry Chris S, but the Thawte site is responsible for assisting you with obtaining their certs, not Plouf. When I followed this path some long while back it was very easy. If things have changed since then, I cannot help. However, you only need the MS cert to sign cabs. If you only provide the jar files, and a link to the Sun JVM download, then there isn't a problem. MS are phasing out their JVM anyway, and soon there will only be Sun.

8)
Thema
 

Postby Chris S » Tue Mar 09, 2004 2:00 pm

OK, thanks for your reply.
My problem is I don't understand if I must have 2 certs (one for jar and another for cab) or not??
I've got my Thawte cert. OK. With this, I'm supposed to be able to sign my pjirc applet myself. Am I right?
And, if I want to certify the cab files, I must have an MS cert. Am I right?
If not, my users must install the Sun Java system in replacement of the one integrated in IE for them to be able to open the applet? Am I always right?
Chris S
 

Postby Thema » Tue Mar 09, 2004 2:31 pm

You are always right :D

8)
Thema
 

Postby Chris S » Tue Mar 09, 2004 3:24 pm

OK, then, the next step for me is to obtain an MS cert.
The question is: how??!
When I try to follow the links in the OE options to get a cert, that sends me elsewhere. And when I search for info on getting an MS cert, I find nothing.
It's a bit enraging to be so near the end...
Does someone understand my problem?
It's difficult for me to clearly explain it in English.
Chris S
 

Postby Thema » Tue Mar 09, 2004 5:16 pm

You need to follow the instructions for the X.509 Format Certificates.

Choose Microsoft when you are asked which you want.

The browser will still complain that whilst the cert is from a trusted source, it is not being used for the certified application, as it's an email cert. Still, it's better than not being trusted at all. If you want your name included in it you will need to join the Web Of Trust program.

8)
Thema
 

How can I make my own cert with openssl

Postby Joop » Tue Apr 20, 2004 10:06 am

Hello,

I want to make my own cert for Sun and MS with openssl.
How do I create a cert for Sun, and how for MS?

thanks!
Joop
 

Postby Guest » Wed May 19, 2004 1:06 am

I tried to use the keytool -import command for the my.cert file, but it says 'input is not x.509 certificate', then I used thawtecleaner.jar to create a my.cert.clean and then used keytool -import again on the my.cert.clean, and it still says 'input is not x.509 certificate'.

Did I miss something? Can someone help me?
Thanks
Guest
 

Postby Thema » Wed May 19, 2004 11:17 am

This post is quite old now, and things might have changed, however, the last time I looked into it, it was accurate.

However, I seem to recall that it was the PK7 cert that you must use, not an x509.
Thema
 

Postby w33 » Fri May 21, 2004 4:23 pm

This post is quite old now, and things might have changed, however, the last time I looked into it, it was accurate.

So this thread isn't useful anymore?

I was able to get a personal certificate from Thawte for both Netscape & IE.
Then I generated an RSA key with the Java keytool utility.
Then exported the key to a text file.

But when I used the
https://www.thawte.com/cgi/personal/cert/x509.key.exe
site to generate the certificate public key, it gave me the following error:
You did not set the PKCS#10 CN appropriately.

It says to
Set the CommonName (sometimes called the "Domain Name" by server SSL key management packages) attribute to the following string (case sensitive):

But I don't know where I should do that... :(

Any idea?
w33
 
Posts: 58
Joined: Tue May 11, 2004 4:39 pm
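The error w33 hit above ("You did not set the PKCS#10 CN appropriately") comes from the common name inside the certificate request, which keytool only asks for at an interactive prompt in Thema's first post. The script below is an added example, not Thema's or Richard Dallaway's commands: it runs the same keytool procedure non-interactively, fixing the CN with -dname, reads the CN back out of the CSR with openssl before it is pasted into the CA's form, and then signs and verifies a jar with jarsigner. It assumes a JDK (keytool, jar, jarsigner) and openssl on the PATH; the alias, password, work directory, payload file and the CN value are constructed placeholders (in practice the CN is whatever string the CA gives you). The CA-reply import step from the thread is skipped, since no CA is available offline, so the self-signed certificate that -genkeypair creates is what signs the jar; the commands are the same once the CA reply has been imported under the alias.

```shell
#!/bin/sh
# Added example for this thread (not from the original posts). Assumes a JDK
# (keytool, jar, jarsigner) and openssl on PATH. All values below are
# constructed placeholders; the CN is the string the CA tells you to use.
set -eu

CA_CN="XVV6ePaMGHEPJN22"          # example CN of the kind Thawte hands out
WORK="${WORK:-$(mktemp -d)}"      # scratch directory for keystore, CSR and jar
KS="$WORK/keystore"
ALIAS="dallaway"
PASS="example-password"           # constructed; keep keypass == storepass for PKCS12 stores

have_tools() {
  command -v keytool >/dev/null 2>&1 && command -v jar >/dev/null 2>&1 \
    && command -v jarsigner >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1
}

# Step 1: generate the RSA key pair without interactive prompts. -dname fixes
# the subject, so the CN cannot be mistyped at the "What is your name?" prompt.
gen_key() {
  [ -f "$KS" ] && return 0
  keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 \
    -keystore "$KS" -storepass "$PASS" -keypass "$PASS" \
    -alias "$ALIAS" -dname "CN=$CA_CN" >/dev/null 2>&1
}

# Step 2: export the PKCS#10 request (the text that gets pasted into the CA form).
gen_csr() {
  keytool -certreq -keystore "$KS" -storepass "$PASS" -keypass "$PASS" \
    -alias "$ALIAS" -file "$WORK/csr.txt" >/dev/null 2>&1
}

# Step 3: read the CN back out of the request before submitting it. A CA that
# rejects the "PKCS#10 CN" is rejecting exactly this value.
csr_cn() {
  openssl req -in "$WORK/csr.txt" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Step 4: build a small jar and sign it with the key under $ALIAS. With a CA
# reply imported under the same alias, this is the jarsigner command from the thread.
sign_jar() {
  echo "constructed payload" > "$WORK/hello.txt"
  ( cd "$WORK" && jar cf irc.jar hello.txt )
  jarsigner -keystore "$KS" -storepass "$PASS" "$WORK/irc.jar" "$ALIAS" >/dev/null 2>&1
}

# Step 5: verify the signature the way a user's JVM will (exit status 0 = verified).
verify_jar() {
  jarsigner -verify "$WORK/irc.jar" >/dev/null 2>&1
}

if have_tools; then
  gen_key && gen_csr
  echo "CSR CN: $(csr_cn) (expected $CA_CN)"
  sign_jar && verify_jar && echo "jar signature verified"
else
  echo "keytool/jar/jarsigner/openssl not all found; nothing run" >&2
fi
```

If csr_cn prints anything other than the exact string the CA gave you, regenerate the key with the corrected -dname rather than submitting the request; a CSR with the wrong CN cannot be repaired after the fact. Note also that jarsigner -verify reports a self-signed signer as a warning but still exits 0, which is why the browser popup Thema describes later in the thread does not go away until a certificate chaining to a trusted root is imported under the alias.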

Postby Thema » Sat May 22, 2004 1:17 pm

When I made the original post all the information was accurate, and based on my own experience as a n00bie needing to sign my own code.

I checked the information in the post less than 2 months ago, and at that time it was still accurate. The procedure is so complex, and vague, even on Thawte's website, that I honestly can't see a way to make it easy for you. All I can say is that if you persevere, even to the extent of making new keys only to throw them away again, then do so. You will find it in the end.

8)
Thema
 
