How to Sign Java Applications and Applets

Apr 17, 2018 | Jindřich Zechmeister

Java is considered a low-trust platform. It still suffers from a large number of vulnerabilities, and signing a Java application or applet is absolutely essential for gaining the trust of the end user. This article provides a step-by-step guide on how to request a certificate for signing Java applets and how to start using it.

What Are Certificates for Application Signing Used For

Like other certificates, Code Signing certificates are used to increase security; however, they are not used for communication between a browser and a server, but for digital signing of applications. The use of the certificate is similar to an electronic signature, as we know from email communication.

The main significance of code signing is as follows:

  1. Proving the origin of the application and the identity of the publisher
  2. Proving the integrity of the code during transmission to the user

As with an electronic signature, it is necessary to prove the identity of the publisher so that we can be sure that the software does not come from an untrustworthy source. Likewise, it is important to check the integrity of the data, that is, their completeness and immutability. Thanks to the digital signature of the application, we can be sure that no one has changed the application after it was issued. For users of your application, the signature is a guarantee that the program comes from you and has not been changed after issuance.

What is the Benefit of a Code Signing Certificate for Java?

I mentioned the general features and benefits of a code signing certificate. In addition to the aforementioned benefits, a Java application signing certificate allows you to:

  • sign Jar files for desktop platforms.
  • uses the hash algorithm Secure Hash Algorithm SHA-1 and optionally the more advanced SHA 2.
  • compatibility with Runtime Environment (JRE).
  • proves the origin and security of the code to the user, helps reduce the number of warning messages

Java is considered a less trusted platform. It still has issues with a large number of vulnerabilities, so signing the Java application or applet is absolutely crucial for the trust of the target user.

How to Request a Java Certificate

Aside from ordering a code signing certificate from SSLmarket, it is also necessary to address cryptographic aspects, such as CSR requests and private keys.

After signing Java applications and applets, you will need JDK (Java Development Kit) distributed by Oracle. To work with the certificate and for signing, you will need the keytool, jar, and jarsigner programs from this package.

Creating a Keystore and Private Key

Before generating a certificate request, which is a public key, you need to create your private key. You do this with the command

keytool -genkey -keyalg rsa -keystore -alias -keysize 3072

The keystore will prompt you to name it, create its alias, and a password for the keystore. It will also ask for the name of your company.

The key pair is stored in the Keystore after being created and the private key should not be sent anywhere under any circumstances.

Now create a CSR request, which is required for the certificate order. You will be prompted to enter additional information.

keytool -certreq -file certreq.csr -keystore -alias

Insert the created CSR request in the Code Signing certificate order on SSLmarket.

How to Sign with a Certificate

Import the Certificate into the Keystore

After verifying your company, the authority will issue the certificate, and you will receive it from SSLmarket via email. Before use, it needs to be imported into your keystore with the command:

keytool -import -trustcacerts -keystore -alias -file cert.p7b

Please note that the imported P7B file is not the Intermediate certificate sent by us. It is necessary to convert the SSL certificate from SSLmarket from PEM format (Base64) to PKCS#7 format, i.e. P7B, and then import it along with the intermediate.

Signing Applications and Applets

To sign a Jar file, use the application jarsigner.

jarsigner -keystore

Add a timestamp with the command:

jarsigner -tsa https://timestamp.geotrust.com/tsa -keystore

During signing, you will be prompted to enter the Keystore password, which you created when setting it up.

Verification of the Signature

You will surely want to verify your new signature. You can do this with the command

jarsigner -verify -verbose -certs C:TestApplet.jar

If everything is in order, you can publish the signed application on the internet and make it available to users. When users download your Java program or applet, their Java Runtime Environment will display your digital ID from the signature.

Find More Information in the Documentation

This article serves as a quick guide to signing Java applications. It is recommended to study Oracle's complete documentation, which covers the entire issue of signing Java applications and applets. You can find it on the website The Java Tutorials.

Previous article
Next article
Ing. Jindřich Zechmeister
TLS certificate specialist
Certificated Sales Expert Plus
e-mail: jindrich.zechmeister(at)zoner.com