Java Code Signing: Generate a CSR

To request a code signing certificate, you have to provide us a certificate signing request (CSR) generated from the machine you’ll use to sign the code. We’ll use the information in this file to validate your request and provide the information to anyone downloading your code.

 Note: You must generate the CSR from your local machine and not from the web server you’re using to host the file.

Windows-only preparation

If you use Windows, you must complete the following steps before generating your CSR.

  1. Run cmd as an administrator.
  2. Move to your JDK installation’s bin directory:
    cd C:\Program Files\java\jdkversion number\bin

Create a keystore

To store your public and private keys (used to sign your code), you must create a keystore. You’ll use this repeatedly throughout the code signing certificate request and installation process.

  1. Create a keystore called codesignstore:
    keytool -genkey -alias codesigncert -keyalg RSA -keysize 2048 -keystore codesignstore
  2. Complete the information requested from you at the command prompt. There are a few important things to note:
    • It’s important that this information is consistent with everything else you plan to use in your request.
    • Note your keystore’s password because you must have it to sign your Java code.

Generate a CSR

Now, use your keystore to create your certificate signing request (which you will use to request the certificate you purchased from IFindHost – CheapDomainRegistration.com).

  1. Generate your CSR:
    keytool -certreq -v -alias codesigncert -file mycsr.pem -keystore codesignstore
  2. Enter your keystore’s password and press enter.
  3. Open your CSR. How you do that depends on your OS:
    OS Command
    Mac OS X
    nano mycsr.pem
    Windows
    start notepad "mycsr.pem"
  4. Copy your CSR, including the entirety of the lines containing BEGIN NEW CERTIFICATE REQUEST and END NEW CERTIFICATE REQUEST.

Next step

Windows: Generate CSR for code or driver signing certificate

To request a code signing certificate or a Windows driver signing certificate, you have to provide us a certificate signing request (CSR) generated by the machine you use to sign the code. We’ll use the information in this file to validate your request and provide the information to anyone downloading your code or driver.

If you’re using Windows 7 you can generate the CSR through Microsoft Management Console (mmc.exe).

 Note: It’s important that you generate the CSR from your local machine and not from the web server you’re using to host the file.

Add certificates snap-in to MMC

  1. In your Windows search feature, enter mmc, and then click it to launch the Microsoft Management Console application.
  2. From File, click Add/Remove Snap-in.
  3. Click Certificates and then click Add.
  4. Select Computer account, and then click Next.
  5. Select Local computer, and then click Finish.
  6. Click OK.

Generate CSR & private key

  1. In MMC, expand Certificates (Local Computer) and then Personal.
  2. Right-click Certificates, and then go to the following menus: All Tasks > Advanced Operations > Create Custom Request.
  3. Click Next.
  4. Click Active Directory Enrollment Policy.
  5. From Template, click Web Server.
  6. Ensure the Request format is PKCS #10, and then click Next.
  7. Click the downward-facing arrow next to Details, and then click Properties.
  8. From the Type menu, select the following values, enter the corresponding Value, and then click Add:
    Type Value
    Common name Your business or organization’s name
    Organization Your business or organization’s name
    Locality Your business or organization’s address
    State The state where your business or organization resides
    Country The country where your business or organization resides
  9. Click the General tab, and then enter a Friendly name you can use to refer to the certificate.
  10. Go to the Private Key tab, click Key type, and then select Make private key exportable.
  11. Click OK, and then click Next.
  12. Browse for the location where you want to save the file, enter a File Name, and then click Finish.

Your CSR is now stored in the file you saved it to on your local machine.

This process also creates a private key, which you will need to use later to create a PFX file to sign your code or driver.

Next step

Change your domain name (common name)

You can change your SSL certificate’s “common name” which is the primary domain name that the certificate secures and encrypts.

Additional Details

  • With Deluxe and Extended Validation SSLs, you can only change the common name; you cannot change the organization’s information.
  • You must go through the domain verification process for your new common name’s domain name.
  • Requesting a new common name does not affect your SSL’s expiration.
  • Your old common name can create secured connections for 72 hours after you complete the change to your common name.
  • If your certificate is attached to one of our shared hosting services, changing your certificate’s common name does not change the associated service’s domain name. You must change the service’s domain name separately (more info).

Change the common name

  1. Log in to your IFindHost – CheapDomainRegistration.com account and open your product.  (Need help opening your product?)
  2. Click Rekey & Manage.
  3. Click Change the site that your certificate protects.
  4. Select one of the following based on where your website is hosted:
    Hosted Do this…
    Shared hosting or Site Builder Select Change to a hosted domain, and then select the domain name you want to use.
    Elsewhere Deselect Change to a hosted domain. Enter the Common name you want to use for the certificate.
  5. Click Save.
  6. If you provided a CSR for the server using the SSL certificate and are moving to a new server, you’ll need to re-key the certificate (more info).
  7. Click Submit All Saved Changes.

You’ll now need to verify the request for the new common name (more info).

Rekey certificate

Re-keying an SSL certificate refers to creating a new private key for your certificate, which is used in the process of encrypting and decrypting data sent from and to your website.

 Warning: Re-keying is only available to certificates installed on customers’ own servers. Certificates installed on any of our services never need to be re-keyed.

By creating a new private key, you invalidate your certificate’s old private key; this means you must install your new, re-keyed certificate within 72 hours of re-keying.

You should re-key your SSL certificate when:

Before You Begin

Before you can re-key your SSL certificate, you must generate a new certificate signing request (CSR) from your Web server. For instructions, see Generate a CSR (certificate signing request).

The information in your new CSR must be identical to the information for your existing certificate, i.e. you cannot change the organization’s information (although you can change the domain name you’re securing). If you need to change your certificate details, you must revoke the certificate in your account, purchase a new SSL credit, and complete the SSL request again.

 Note: We automatically deactivate the previous certificate when we issue the new, re-keyed certificate. Do not revoke unless you are certain you want to cancel the existing certificate. When you revoke, the SSL credit is canceled and you cannot re-key the certificate.

To Re-Key Your SSL Certificate

  1. Log in to your IFindHost – CheapDomainRegistration.com account.
  2. Under SSL Certificates, next to the certificate you want to use, click Manage.
  3. Next to the certificate you want to use, in the Actions column, click View Status.
  4. Click Manage.
  5. Click Re-Key certificate.
  6. In the Certificate Signing Request (CSR) field, paste your new CSR, including —-BEGIN NEW CERTIFICATE REQUEST—- and —-END CERTIFICATE REQUEST—-.
  7. Click Save.
  8. Click Submit all saved changes.

Your newly re-keyed certificate is immediately available for download (more info).

 Warning: We’ll remove the old certificate from our system within 72 hours. To ensure continuity of service, you must install the re-keyed certificate immediately (more info).

Install SSL certificates

After you’ve generated a CSR and requested a certificate, you can download your certificate files, and then install them on your server.

 Note: This is not a comprehensive list of installation instructions. For installation instructions outside of the list below, please refer to your server documentation.

SSL certificates

Most popular:

Misc.

Code & driver signing certs

Download my SSL certificate files

If you’re installing your SSL on your own server, after we approve your SSL certificate request, you can download your primary and intermediate certificate from within the SSL application.

 Note: If you are moving your SSL certificate to a new server, if your server has crashed, if you have lost your private key, or receive an error message that the private key does not match, you cannot just re-install your certificate; you must re-key your certificate (more info).

If your website is hosted through us (e.g. the primary domain on a IFindHost – CheapDomainRegistration.com shared hosting account, Website Builder), you don’t need to use these instructions; we take care of the SSL installation for you.

  1. On your SSL certificate home page, click Download.
    1. Not in your SSL control panel? Log in to your IFindHost – CheapDomainRegistration.com account.
    2. Click SSL Certificates.
    3. Complete step 1 above.
  2. Select the Server type you want to install the certificate on.
  3. Click Download ZIP file.

Generate a CSR (certificate signing request)

To request an SSL certificate for your server or a code/driver signing certificate, you have to generate a certificate signing request (CSR). This identifies which server will use your certificate, as well as the domain names (common names) you’ll use for SSL certificates.

 Note: If you’re using an SSL certificate on the primary domain name of a IFindHost – CheapDomainRegistration.com shared hosting account, you do not need to generate a CSR; we take care of that for you.

How you generate a CSR depends on the type of certificate you’re requesting and your operating system/control panel.

SSL certificates Code/driver signing

Miscellaneous CSR instructions:

Our SSL certificates are compatible with all types of web servers, even if we do not have CSR instructions for them. Please contact your server documentation for further information on generating a CSR if you do not find the instructions that you need above.

Request an SSL certificate

After you purchase an SSL certificate, you need to request it for the website’s domain name (or “common name”) you want to use.

Before you start

Before you request your certificate, we recommend checking out the following information:

Activate your credit

  1. Log in to your IFindHost – CheapDomainRegistration.com account.
  2. Click SSL Certificates.
  3. Next to the SSL certificate credit you want to use, click Set up.
  4. If you have multiple credits, select the credit you want to use, and then click Set up.
  5. Refresh the page; you should see a New Certificate. If you don’t, continue to refresh the page until you do.

Request your certificate

  1. Next to your New Certificate, click Manage.
  2. Select one of the following based on where you’re hosting your certificate:
    Where’s it hosted? What to do
    IFindHost – CheapDomainRegistration.com hosting or site builder Select the domain hosted in your account you want to use.
    Anywhere else Select Provide a CSR, and then enter the CSR from your server. If you need help, see Request an SSL certificate

    NOTE: If you’re requesting a UCC certificate, your CSR should include the SANs you want to use.

  3. UCC certs only — Enter any Subject Alternate Names you want to use, and then click Add.
  4. Depending on your issuance type, do one of the following:
    Issuance Type Select…
    Standard Click Request Certificate.
    Deluxe, Extended Validation (EV) Click Next, and then complete the information on the following page. We’ll use this information to verify you control the common name for which you requested the certificate so it must match whatever documentation you provide us.

    Click Finished.

Next step