Using Netscape Code-signing Cert with Sun Java Tools

M. Gallant 07/07/2001

[Update: J2 SDK V1.4.0 now includes JSSE, so the explicit install/registration steps mentioned below are no longer necessary.
Consult the JSSE page for the latest update information.]

The PKCS#12 standard defines an encrypted, password-protected container for securely transporting a private key together with its public key certificate. Both Netscape Communicator 4.4+ and Internet Explorer 4+ can export imported code-signing keys and certificates in PKCS#12 file format. However, the default keystore implementation shipped with J2 SDK V1.3 and lower does not include a keystore provider for PKCS#12 certificate store files, so the J2SE tools keytool.exe and jarsigner.exe cannot be used with private keys exported in PKCS#12 containers.

However, a PKCS#12 keystore implementation is provided with JSSE 1.0.2 (Java Secure Socket Extension). This implementation can currently read and use such files exported from Netscape (but not yet from IE) with keytool and jarsigner. This document describes a typical simple example of doing so.

Several keytool functions, such as -import and -genkey, do not appear to be implemented for keystores of type pkcs12 in the current version of JSSE 1.0.2. It should nevertheless be possible to use the KeyStore API methods with JSSE to load() and store() several private/public key pairs into one PKCS#12 keystore file.
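The following program is an added example (not from the original page) of that KeyStore API approach: it copies every private-key entry from a Netscape-exported PKCS#12 file into a second PKCS#12 keystore, creating it if needed. File names and passwords are supplied on the command line; on pre-1.4 JDKs the JSSE provider must be registered first, as the update above notes.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;

public class MergeP12 {

    // Open a PKCS#12 keystore from disk, or start an empty one if the file does not exist yet.
    static KeyStore loadP12(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        File f = new File(path);
        if (f.exists()) {
            try (FileInputStream in = new FileInputStream(f)) { ks.load(in, pw); }
        } else {
            ks.load(null, pw); // no stream: initialise an empty keystore
        }
        return ks;
    }

    // Copy all key entries of src into dst; returns the number of entries copied.
    // Refuses to overwrite an existing alias so a signing key is never silently replaced.
    static int merge(KeyStore src, char[] srcPw, KeyStore dst, char[] dstPw) throws Exception {
        int copied = 0;
        for (Enumeration<String> e = src.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!src.isKeyEntry(alias)) continue;          // skip trusted-certificate-only entries
            if (dst.containsAlias(alias)) {
                throw new IllegalStateException("alias already present in destination: " + alias);
            }
            Key key = src.getKey(alias, srcPw);             // private key, unlocked with the store password
            Certificate[] chain = src.getCertificateChain(alias);
            dst.setKeyEntry(alias, key, dstPw, chain);      // PKCS#12 keeps key and store passwords equal
            copied++;
        }
        return copied;
    }

    // Usage: java MergeP12 <netscape-export.p12> <srcPassword> <merged.p12> <dstPassword>
    public static void main(String[] args) throws Exception {
        char[] srcPw = args[1].toCharArray(), dstPw = args[3].toCharArray();
        KeyStore src = loadP12(args[0], srcPw);
        KeyStore dst = loadP12(args[2], dstPw);
        int n = merge(src, srcPw, dst, dstPw);
        try (FileOutputStream out = new FileOutputStream(args[2])) { dst.store(out, dstPw); }
        System.out.println("copied " + n + " key entries into " + args[2]);
    }
}
```

The resulting file can then be passed to jarsigner with -storetype pkcs12, and keytool -list can be used to confirm the aliases it contains.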

Note that a JAR archive produced this way with Sun's jar.exe and jarsigner.exe tools is NOT the same JAR file as that produced with Netscape's signtool.exe v1.3 utility, even when exactly the same certificate (private and public key) is used. The manifest file is placed at a different location within the JAR archive, which causes Netscape verification to fail on the JAR archive generated with the J2SE tools.