Using Netscape Code-signing Cert with Sun Java Tools
M. Gallant 07/07/2001
[Update: J2 SDK V1.4.0 now
and explicit install/registration steps mentioned below are not necessary.
Consult JSSE page for
latest update information.]
The PKCS#12 crypto-standard specifies a standard for securely porting
the public and private keys in this encrypted and password protected
Both Netscape Communciator 4.4+ and Internet Explorer 4+ support exporting
imported code-signing keys/certs in pkcs#12 file format.
However, the default implementation of keystore provided with
J2 SDK V1.3 and lower does not contain a keystore provider to handle pkcs#12 certificate
store files. Therefore, it is not possible to use the J2SE tools keytool.exe
and jarsigner.exe with exported private keys within PKCS#12 containers.
However, a PKCS#12 keystore implementation is provided with
JSSE 1.0.2 (Java Secure Socket Extension).
Currently, this implementation of PKCS#12 provides capability to read and use
such files exported from Netscape
(but not currently from IE) with keytool and
jarsigner successfully. This document describes a typical simple example of this.
- Download and install JSSE 1.0.2 (noting export restrictions on this technology)
- Follow simple instructions to install the JSSE jar archives as extension
libraries to your J2RE installation.
- Follow simple instructions to register the SunJSSE provider (provides pkcs#12 Keystore
- Export the Netscape code-signing cert via the menu selection:
Communicator/Tools/Security Info/Yours (Export button). This creates
a pkcs#12 format file with .p12 extension (say nnexternal.p12 for example).
This file is actually a valid Keystore file (with a single private key and public key(s)).
- Verify that your JSSE configuration is correct by listing the contents of this keystore:
C:\WINDOWS\DESKTOP>keytool -list -storetype pkcs12 -keystore nnexternal.p12
Enter keystore password: XXXXXXXXX
Keystore type: pkcs12
Keystore provider: SunJSSE
Your keystore contains 1 entry:
b8d314d7-423f-45f5-bef8-27dfca57fda7, Wed Jan 31 14:59:39 EST 2001, keyEntry,
Certificate fingerprint (MD5): 65:26:5A:C4:1A:5D:7F:98:16:EF:09:FE:2C:4B:79:27
(Note the pkcs12 Keystore type line; also, the numeric alias is a result
of exporting the key from IE (original import location) into Netscape).
- Package up the class files to be signed: jar -cf props.jar props.class
- Digitally sign the JAR archive with jarsigner specifying correct options:
C:\WINDOWS\DESKTOP>jarsigner -storetype pkcs12 -keystore nnexternal.p12 props.jar b8d314d7-423f-45f5-bef8-27dfca57fda7
Enter Passphrase for keystore: XXXXXXXXX
- Verify the signature:
jarsigner -verbose -verify -certs props.jar
C:\WINDOWS\DESKTOP>jarsigner -verbose -verify -certs props.jar
132 Wed Jan 31 14:47:36 EST 2001 META-INF/MANIFEST.MF
185 Wed Jan 31 14:47:36 EST 2001 META-INF/B8D314D7.SF
1860 Wed Jan 31 14:47:36 EST 2001 META-INF/B8D314D7.RSA
0 Wed Jan 31 14:43:34 EST 2001 META-INF/
sm 459 Thu Jan 14 12:17:34 EST 1999 props.class
X.509, CN=Security Development, OU=devices, O=nortel external
X.509, OU=NorlockPKI, O=nortel external
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope
Several functions of keytool such as -import and -genkey do not
appear to be implemented for a pkcs12 type of keystore in the current
version of JSSE 1.0.2. It should be
possible to use the Keystore API methods with JSSE however to load()
and store() several private/public key pairs into one pkcs#12 keystore
Note that a JAR archive produced this way with Sun's jar.exe and
jarsigner.exe tools does NOT produce the same JAR file as that
produced with Netscape's signtool.exe v1.3 utility, even using
exactly the same certificate (private and public key). There are
differences in the manifest file location within the
JAR archive which causes Netscape verification to fail on the JAR
archive generated with the J2SE tools.