Generate a CSR for Java Code Signing

Signing a Java application (JRE) helps to avoid security warning messages and reassures customers. The procedure is quite simple: buy a “Code Signing Certificate for Java” from Symantec / DigiCert, GlobalSign, GoDaddy or another authority, and use this certificate to sign jar files. To receive a new Code Signing certificate or renew an existing one, you must generate a CSR (Certificate Signing Request).

The objective is to avoid this type of error when launching a Java application:

(Image: Java security error)

This tutorial explains how to generate a CSR file to request a Java Code Signing certificate, which is used to sign Jar files and secure an application based on Oracle Java or OpenJDK.

Prerequisites: a JDK (Java Development Kit) installed on the workstation that will execute the commands. It does not need to be a developer's PC. Here, a Windows workstation is used.

Generate a keystore and a CSR for a Java Code Signing certificate

1. Open a Command Prompt as Administrator to avoid write-permission problems on the hard disk.

2. Change to an empty working folder, for example cd C:\certificate

3. Run the command that generates a key pair in a Java keystore.

 keytool -genkey -keyalg rsa -keystore <keystore_file> -alias <alias> -keysize 2048

For example, by searching for the keytool executable in the installation folder of the JDK :

 "C:\Program Files\Java\jdk1.8.0_201\bin\keytool.exe" -genkey -keyalg rsa -keystore keystore_csr -alias alias_csr -keysize 2048

4. Enter a password to protect this file and confirm it:

Enter the password for the key file:
Re-enter the new password:

5. Answer all the questions asked:

What are your first and last names?

[Unknown] : Jean Dupont

What is the name of your organizational unit?

[Unknown] : IT

What is the name of your company?

[Unknown] : SOCIETE

What is the name of your city of residence?

[Unknown] : Paris

What is the name of your state or province?

[Unknown] : IDF

What is the two-letter country code for this unit?

[Unknown] : FR

Is CN=Jean Dupont, OU=IT, O=SOCIETE, L=Paris, ST=IDF, C=FR correct?
[no] : yes

6. Enter a password for the key:

Enter the key password for <alias_csr> (press Enter if this is the password for the key file):

Re-enter the new password:

7. Still in the command prompt, generate the CSR file from the keystore:

 keytool -certreq -keystore <keystore_file> -alias <alias> -file <csr_name>.csr

For example:

 "C:\Program Files\Java\jdk1.8.0_201\bin\keytool.exe" -certreq -keystore "C:\certificate\keystore_csr" -alias alias_csr -file "C:\certificate\newcsr.csr"

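8. Confirm the password.

9. Two files have been created in the specified folder: the keystore and the .csr file. Send the .csr file to the certificate authority to create or renew a Java Code Signing certificate. Keep the keystore: it holds the private key that the issued certificate will be paired with.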
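
Steps 3 to 7 can also be run without prompts, which is useful on a build server. The script below is an added example, not part of the original tutorial; it is written for a POSIX shell (the keytool arguments are the same in a Windows Command Prompt). The function names and the KS_PASS and KEYTOOL variables are assumptions of this example.

```shell
#!/bin/sh
# Added example: non-interactive version of steps 3-7, plus a CSR check.
# KEYTOOL and KS_PASS are names chosen for this example, not keytool settings.
KEYTOOL="${KEYTOOL:-keytool}"

# Escape commas inside one DN value; keytool requires "\," in -dname,
# otherwise "SOCIETE, SA" would be split into two attributes.
dn_escape() { printf '%s' "$1" | sed 's/,/\\,/g'; }

# Build the -dname string from the six answers given in step 5.
# usage: build_dname <name> <org unit> <company> <city> <state> <country>
build_dname() {
    printf 'CN=%s, OU=%s, O=%s, L=%s, ST=%s, C=%s' \
        "$(dn_escape "$1")" "$(dn_escape "$2")" "$(dn_escape "$3")" \
        "$(dn_escape "$4")" "$(dn_escape "$5")" "$(dn_escape "$6")"
}

# Generate the key pair and the CSR, then display the request.
# The password is read from the KS_PASS environment variable through
# -storepass:env, so it never appears in the process arguments or in
# the shell history.
# usage: make_csr <keystore file> <alias> <csr file> <dname>
make_csr() {
    [ -n "${KS_PASS:-}" ] || { echo "set KS_PASS first" >&2; return 2; }
    # -genkeypair is the current name of the -genkey option used above.
    "$KEYTOOL" -genkeypair -keyalg RSA -keysize 2048 \
        -keystore "$1" -alias "$2" -dname "$4" \
        -storepass:env KS_PASS -keypass:env KS_PASS || return 1
    "$KEYTOOL" -certreq -keystore "$1" -alias "$2" -file "$3" \
        -storepass:env KS_PASS || return 1
    # Print the subject and public key exactly as the CA will read them,
    # so a typo in the DN is caught before the request is submitted.
    "$KEYTOOL" -printcertreq -file "$3"
}

# Example call, using the values from this tutorial:
#   export KS_PASS   (set it from a secret store or a prompt)
#   make_csr keystore_csr alias_csr newcsr.csr \
#       "$(build_dname 'Jean Dupont' IT SOCIETE Paris IDF FR)"
```

The keystore produced by make_csr contains the private key, so restrict its file permissions and send only the .csr file to the certificate authority.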