Java Code Signing: Generate a CSR

To request a code signing certificate, you have to provide us with a certificate signing request (CSR) generated on the machine you’ll use to sign the code. We’ll use the information in this file to validate your request and provide the information to anyone downloading your code.

 Note: You must generate the CSR from your local machine and not from the web server you’re using to host the file.

Windows-only preparation

If you use Windows, you must complete the following steps before generating your CSR.

  1. Run cmd as an administrator.
  2. Move to your JDK installation’s bin directory:
    cd "C:\Program Files\java\jdk<version number>\bin"

Create a keystore

To store your public and private keys (used to sign your code), you must create a keystore. You’ll use this repeatedly throughout the code signing certificate request and installation process.

  1. Create a keystore called codesignstore:
    keytool -genkey -alias codesigncert -keyalg RSA -keysize 2048 -keystore codesignstore
  2. Complete the information requested from you at the command prompt. There are a few important things to note:
    • It’s important that this information is consistent with everything else you plan to use in your request.
    • Note your keystore’s password because you must have it to sign your Java code.

Generate a CSR

Now, use your keystore to create your certificate signing request (which you will use to request the certificate you purchased from IFindHost – CheapDomainRegistration.com).

  1. Generate your CSR:
    keytool -certreq -v -alias codesigncert -file mycsr.pem -keystore codesignstore
  2. Enter your keystore’s password and press Enter.
  3. Open your CSR. How you do that depends on your OS:
    OS          Command
    Mac OS X    nano mycsr.pem
    Windows     start notepad "mycsr.pem"
  4. Copy your CSR, including the entirety of the lines containing BEGIN NEW CERTIFICATE REQUEST and END NEW CERTIFICATE REQUEST.
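
A check for step 4, as an added example that is not part of the original article: this Python function confirms that pasted CSR text has both complete marker lines and that no Base64 lines were lost, by comparing the outer DER length with the decoded size. The names check_csr_paste and make_sample are assumptions made for this example, and the sample input is a constructed placeholder, not a real request.

```python
import base64
import re

# Added example: names below are illustrative and not part of keytool.
BEGIN = "-----BEGIN NEW CERTIFICATE REQUEST-----"
END = "-----END NEW CERTIFICATE REQUEST-----"

def check_csr_paste(text):
    """Return a list of problems in pasted CSR text; an empty list means OK."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != BEGIN:
        return ["first line is not the complete BEGIN NEW CERTIFICATE REQUEST line"]
    if lines[-1] != END:
        return ["last line is not the complete END NEW CERTIFICATE REQUEST line"]
    body = "".join(lines[1:-1])
    if len(body) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        return ["text between the marker lines is not valid Base64"]
    der = base64.b64decode(body)
    # A PKCS #10 request is a single DER SEQUENCE (tag 0x30). Its declared
    # length must cover every decoded byte; if not, lines were lost in the copy.
    if len(der) < 2 or der[0] != 0x30:
        return ["decoded data does not start with a DER SEQUENCE"]
    if der[1] < 0x80:                       # short form: length in one byte
        header, declared = 2, der[1]
    else:                                   # long form: next n bytes hold the length
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            return ["DER length field is malformed or cut off"]
        header, declared = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + declared != len(der):
        return [f"DER says {header + declared} bytes, paste holds {len(der)}"]
    return []

def make_sample():
    """Constructed stand-in (not a real CSR): a SEQUENCE of 256 zero bytes."""
    der = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(256)
    b64 = base64.b64encode(der).decode()
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *body, END])

if __name__ == "__main__":
    good = make_sample()
    print("complete paste:", check_csr_paste(good) or "OK")
    cut = good.splitlines()
    del cut[2]                              # simulate a body line lost in the copy
    print("line missing:  ", check_csr_paste("\n".join(cut)))
```

This only checks that the paste is structurally complete; it does not verify the request's signature or subject fields.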


Windows: Generate CSR for code or driver signing certificate

To request a code signing certificate or a Windows driver signing certificate, you have to provide us with a certificate signing request (CSR) generated by the machine you use to sign the code. We’ll use the information in this file to validate your request and provide the information to anyone downloading your code or driver.

If you’re using Windows 7, you can generate the CSR through Microsoft Management Console (mmc.exe).

 Note: It’s important that you generate the CSR from your local machine and not from the web server you’re using to host the file.

Add certificates snap-in to MMC

  1. In your Windows search feature, enter mmc, and then click it to launch the Microsoft Management Console application.
  2. From File, click Add/Remove Snap-in.
  3. Click Certificates and then click Add.
  4. Select Computer account, and then click Next.
  5. Select Local computer, and then click Finish.
  6. Click OK.

Generate CSR & private key

  1. In MMC, expand Certificates (Local Computer) and then Personal.
  2. Right-click Certificates, and then go to the following menus: All Tasks > Advanced Operations > Create Custom Request.
  3. Click Next.
  4. Click Active Directory Enrollment Policy.
  5. From Template, click Web Server.
  6. Ensure the Request format is PKCS #10, and then click Next.
  7. Click the downward-facing arrow next to Details, and then click Properties.
  8. From the Type menu, select the following values, enter the corresponding Value, and then click Add:
    Type            Value
    Common name     Your business or organization’s name
    Organization    Your business or organization’s name
    Locality        Your business or organization’s address
    State           The state where your business or organization resides
    Country         The country where your business or organization resides
  9. Click the General tab, and then enter a Friendly name you can use to refer to the certificate.
  10. Go to the Private Key tab, click Key type, and then select Make private key exportable.
  11. Click OK, and then click Next.
  12. Browse for the location where you want to save the file, enter a File Name, and then click Finish.

Your CSR is now stored in the file you saved it to on your local machine.

This process also creates a private key, which you will need to use later to create a PFX file to sign your code or driver.
