So, you are trying to run an applet or a Java Web Start application delivered over the browser, and your applet/application
needs to perform some privileged operation such as reading local resources or writing to a file.
The JVM sandbox will not let unsigned code perform these operations. To get out of the sandbox, the applet/application
jar needs to be signed, ideally with a certificate issued by a Certificate Authority (CA). You can get away with a self-signed
certificate, except that the Java plug-in shows a security warning when the client downloads the jar, because it cannot
validate who signed it. That is no big deal while we are developing and testing. It is when we officially distribute the
software that we need to care about using a certificate issued by a CA, so that clients can trust the signer without a
warning. If you are wondering how to generate your own certificate and how to sign the jar, read on.
The JDK ships with two tools that let us generate a certificate and sign the jar:
- keytool: generates the key pair, the self-signed certificate and the keystore that holds them
- jarsigner: signs the jar with the private key from that keystore
The procedure has two steps:
- Use keytool to generate the certificate and the keystore
- Use jarsigner to sign the jar
keytool -genkeypair generates a key pair and also creates a self-signed certificate that includes the public key and the distinguished name information. If you do not specify an algorithm, older JDKs default to "SHA1withDSA"; SHA-1 is no longer considered safe and current JDKs treat jars signed with SHA-1 algorithms as unsigned, so pass -keyalg RSA -sigalg SHA256withRSA explicitly instead of relying on the default. In this example the certificate is valid for 360 days and is associated with the private key in a keystore entry referred to by the alias "selfsigned". The private key is assigned the password "welcome".
The command could be significantly shorter if the option defaults were accepted. In fact, no options are required: defaults are used for unspecified options that have default values, and you are prompted for any required values. So you could simply run the following:
In this case, a keystore entry with alias "mykey" is created, with a newly-generated key pair and a certificate that is valid for 90 days. This entry is placed in the keystore named ".keystore" in your home directory. (The keystore is created if it doesn't already exist.) You will be prompted for the distinguished name information, the keystore password, and the private key password.
You should now see a file named selfsignedkeystore.jks in the folder where you ran keytool.
Now that you have generated the certificate, the next step is to sign your jar. jarsigner accepts paths, so the keystore selfsignedkeystore.jks and the jar to be signed do not strictly have to be in the folder from which you execute jarsigner, but keeping both there makes the command short; copy them over if they are elsewhere. Then execute the command below to sign the jar:
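The whole procedure as a shell script, added here as an example (it is not code from the original post): keystore generation with explicit algorithms, signing, the verification step the post does not cover, and a tamper check that shows what the signature actually protects. The keystore name selfsignedkeystore.jks, the alias "selfsigned" and the password "welcome" follow the post; the jar name, the distinguished name, the 2048-bit RSA key and the one-file sample jar are assumptions made for this example, and a JDK with keytool, jarsigner and jar on PATH is assumed.

```shell
#!/bin/sh
# Added example, not from the original post: keytool/jarsigner round trip with checks.
# Assumes a JDK (keytool, jarsigner, jar) on PATH. Keystore name, alias and password
# follow the post; jar name, DN, key size and jar content are assumptions for the demo.
set -eu

KEYSTORE=selfsignedkeystore.jks
ALIAS=selfsigned
STOREPASS=welcome
JAR=myapplet.jar

# Generate a 2048-bit RSA key pair and a self-signed certificate valid for 360 days.
# -keyalg and -sigalg are given explicitly: older JDKs default to 1024-bit DSA with SHA1withDSA.
make_keystore() {
    rm -f "$KEYSTORE"
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -validity 360 -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -dname "CN=Example Developer, OU=Dev, O=Example, L=City, ST=State, C=US"
}

# Build a small jar to sign (constructed sample: a real applet jar would hold classes).
make_sample_jar() {
    printf 'hello\n' > hello.txt
    rm -f "$JAR"
    jar cf "$JAR" hello.txt
}

# Sign every entry with SHA-256 digests; the key password equals the store password here.
sign_jar() {
    jarsigner -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -digestalg SHA-256 -sigalg SHA256withRSA "$JAR" "$ALIAS"
}

# True when the jar carries a signature file (META-INF/*.SF plus its signature block).
has_signature_files() {
    jar tf "$JAR" | grep -q '^META-INF/.*\.SF$'
}

# jarsigner -verify exits 0 for "jar verified." AND for "jar is unsigned.", so match the
# text. A self-signed certificate still produces a "signer certificate is self-signed"
# warning: the same trust gap the browser warns about; only a CA-issued cert removes it.
verify_jar() {
    jarsigner -verify "$JAR" | grep -q '^jar verified'
}

# Print the signer certificate chain for each entry (what the client will be asked to trust).
show_signer() {
    jarsigner -verify -verbose -certs "$JAR"
}

# Replace a signed entry after signing. Its SHA-256 digest in the manifest no longer
# matches, so jarsigner reports a digest error and exits non-zero: the signature covers
# the content of every entry, not just the jar as a file.
tamper_jar() {
    printf 'tampered\n' > hello.txt
    jar uf "$JAR" hello.txt
}

demo() {
    make_keystore
    make_sample_jar
    sign_jar
    has_signature_files && verify_jar && echo "signed jar verifies"
    show_signer
    tamper_jar
    if verify_jar; then
        echo "ERROR: tampered jar still verifies" >&2
        exit 1
    fi
    echo "tampered jar rejected"
}

if [ "${1:-}" = "run" ]; then
    demo
fi
```

Save it under any name and run `sh sign_applet.sh run`. Run the verification step against every jar you are about to distribute: a signed jar that fails `jarsigner -verify` is one that was modified after signing, which is exactly the case the sandbox's signature check exists to catch.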