Self-signing a Java applet

Part of my role as a system analyst involves performing enhancement works on Java applets. Recently, the company had decided to self sign all the applets in the system so that our system infrastructure colleagues can save some time when we upgrade the Java runtime version on all our client machines.

This post documents my process of self-signing a Java applet.

Generating the keystore

The first thing that I did was to generate the keystore. The keystore is a file that contains encryption keys for signing Java applets. I create the keystore and a key with the following command.

keytool -genkey -keystore techcoil_research.jks -alias -validity 36500

The command can be broken down into the following pieces:

  • keytool is the command line application provided in my Java Development Kit for generating the key and the keystore.
  • -genkey tells keytool to generate an encryption key.
  • -keystore techcoil_research.jks lets keytool know that I want my keystore to be saved as techcoil_research.jks in my current working directory. The .jks extension is for me to remember that the file is a java keystore. It is important to note that the keystore file cannot be renamed by other facilities - if I want a keystore with another name, I will need to use the keytool to do it.
  • -alias names my key as so that I can find it later.
  • -validity 36500 allows me to use my key for 36500 days after I generate my key.

After entering the command, the keytool asked me a few questions. The following was my interaction trace with the keytool, which was rather self-explanatory:

Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  Clivant Yeo
What is the name of your organizational unit?
  [Unknown]:  Research
What is the name of your organization?
  [Unknown]:  Techcoil
What is the name of your City or Locality?
  [Unknown]:  Singapore
What is the name of your State or Province?
  [Unknown]:  Singapore
What is the two-letter country code for this unit?
  [Unknown]:  SG
Is CN=Clivant Yeo, OU=Research, O=Techcoil, L=Singapore, ST=Singapore, C=SG corr
  [no]:  yes

Enter key password for <>;
        (RETURN if same as keystore password):

Signing the Java applet

With the keystore on hand, I then proceed to sign the MessageSendingApplet with the jarsigner tool:

jarsigner -keystore techcoil_research.jks MessageSendingApplet.jar

The command can be broken down into the following pieces:

  • jarsigner is a tool from the Java Development Kit that I can use for signing a Java archive.
  • -keystore techcoil_research.jks tells jarsigner to use the keystore file that I had generated in the working directory to look for the key to sign the jar file.
  • MessageSendingApplet.jar is the java archive file that I wish to sign, which in this case, a Java applet from a proof of concept.
  • is the key which I want jarsigner to use to sign my Java applet.

Upon entering the command, the jarsigner asked me for the password to the keystore:

Enter Passphrase for keystore:

And since I had earlier indicated that my key had the same password as the keystore, the jarsigner did not ask for the password for the key.

About Clivant

Clivant a.k.a Chai Heng enjoys composing software and building systems to serve people. He owns and hopes that whatever he had written and built so far had benefited people. All views expressed belongs to him and are not representative of the company that he works/worked for.