VeriSign Code Signing for Sun Java For developers and software publishers of Java applications for desktop and mobile devices,
code signing reduces error messages and builds trust in your reputation. VeriSign® Code Signing
Certificates for Sun Java® authenticate your identity and validate code integrity.
- Digitally sign .jar files for desktop and midlet mobile Java platforms
- Show customers that your code and content is safe to download
- Protect your brand and your reputation with a trusted digital signature
- Reduce the cost of maintaining code with a free timestamp
- Digitally sign files for Netscape Object Signing
- Recognized by Java Runtime Environment (JRE)
Benefits of VeriSign Code Signing
- Increase the adoption and distribution of downloadable software with digital signatures
- Build a trusted relationship for your brand by reducing error messages and security warnings
- Protect users from downloading harmful files
- Go with the leader: VeriSign supports more platforms than any other provider
Enrollment Process
- Generate a Certificate Signing Request (CSR)
It looks something like this:
Step 1: Download Signing Tools
If you have not already done so, download the Java 2 Software Development Kit (SDK). The latest version is available
free of charge for the Solaris SPARC/x86, Linux86, and Microsoft Windows platforms from
http://java.sun.com/javase/downloads/index.jsp
You will be using the keytool, jar, and jarsigner to apply for your Code Signing Digital ID and sign your code.
Step 2: Enrollment
Create a Keystore
To generate a public/private key pair, enter the following command, specifying a name for your keystore and an alias as well
keytool -genkey -keyalg rsa -keystore <keystore_filename> -alias <alias_name>
Keytool prompts you to enter a password for your keystore, your name, organization, and address. The public/private key pair generated by keytool is saved to your keystore and will be used to sign Java Applets and applications. This key is never sent to VeriSign and is required to sign code. VeriSign encourages you to make a copy of the public/private key pair and store it in a safe deposit box or other secure location. If the key is lost or stolen, contact VeriSign immediately to have it revoked.
Generate a CSR
You need to generate a Certificate Signing Request (CSR) for the enrollment process.
The following command requests Keytool to create a CSR for the key pair in the keystore:
keytool -certreq -file certreq.csr -keystore <keystore_filename> -alias <alias_name>
Begin the enrollment process for a Code Signing ID from the products and services section of the VeriSign Web site.
Copy the contents of the CSR and paste them directly into the VeriSign enrollment form. Open the file in a text editor that does not add extra characters (Notepad or Vi are recommended).
- Select Certificate Options - choose a validity period.
Validity period: a longer validity period reduces the annual cost of your VeriSign® Code Signing Certificate for Microsoft® Authenticode®.
The validity period is the active lifespan for the certificate. At the end of the validity period, the certificate must be renewed to remain active. A longer
validity period typically includes cost savings and you won't need to renew the certificate as often for it to remain active. A shorter validity period
provides greater security and integrity because the certificate's common name and organizational information must be re-authenticated more often.
Requesting 2 and 3-Year Certificates
Note the following restrictions when selecting a 2 or 3-year validity period:
- A 3-year SSL Certificate is compatible only with a 2048-bit private key (or stronger). When generating your CSR, make sure the generated key is at least
2048 bits. Note: This does not apply to Code Signing IDs.
- The 2 and 3-year options are not available for CodeSigner Pro.
- For certificate and organizational integrity, your organization will be re-authenticated after two years (with no action required on your part).
If your organization name or domain ownership has changed since purchasing this certificate, the certificate may be subject to revocation.
- Enter Required Information
- Technical contact: Name, address, phone number, and the email address where the certificate and renewal notices should be delivered.
- Certificate information: The organization name that will appear in the code signing certificate. Provide the cryptographic service provider (the software or hardware token where the key pair will be generated), and a backup location for your private key such as a hardware token.
- Challenge phrase: A password used to renew or revoke your certificate.
- Organizational contact: VeriSign contacts this person to authorize your certificate request as part of the certificate authentication process. Provide accurate information to expedite the process and to ensure that renewal notices reach the organization contact.
- Payment information: VeriSign must receive payment before delivering your certificate.
- Pickup Your Code Signing Certificate.
Once approved and payment is received, you will receive an issuance email containing your VeriSign® Code Signing
Certificate as a PKCS#7 text file. You can copy the certificate from the email and import it into the certificate keystore
Digital Shrink Wrap to Protect Your Brand
VeriSign® Code Signing Certificates provide a virtual "shrink wrap" for secure delivery of content over the Internet.
When customers download software with Java Signed objects, verified by VeriSign, they can be assured of the content
source and the content integrity. Code Signing adds a level of trust to your applications and makes them harder to falsify
or damage, protecting your brand and your intellectual property.
Increase Customer Confidence and Reduce Errors
Java platforms (J2SE and J2ME) include security features that recognize Object Signing and check for a trusted
digital signature. A security warning shows the publisher's name, organization, and URL. A user chooses whether
or not to trust the certificate or views more information about the certificate. Most devices and most applications
recognize VeriSign as a Certificate Authority and recommend trusting applications signed with a VeriSign Code Signing
Certificate.
Make the Most of your Code Signing Investment
With VeriSign Code Signing Certificates, developers select a platform, a validity period and install the certificate on their
desktop or a USB drive. A timestamp option shows when code was signed, allowing customers to verify that the code
signing certificate was valid at the time of the digital signature.
The Leader in Online Trust and Security
VeriSign supports more platforms than any other code signing provider with the most reliable infrastructure and the most
trusted security brand on the Internet (Tec-Ed Whitepaper, PDF, Oct. 2007). Because VeriSign root certificates come
preinstalled on most end users’ devices and embedded in most applications, the digital signature authentication and verification
process is seamless and transparent to most end users.
|
