Generate a CSR for Java Code Signing

Certifying a Java Application (JRE) helps prevent security error messages and reassures customers. The procedure is quite simple, you have to buy a “Code Signing Certificate for Java” from Symantec / Digitcert, Globalsign, GoDaddy or other authority and use this certificate to sign the jar files. In order to receive or renew an existing CodeSigning certificate, you must generate a CSR (Certificate Signing Request).

The goal is to avoid this type of error when launching a Java application:

Java security error

This tutorial explains how generate a CSR file to request a Java Code Signing certificate in order to certify Jar files and secure an application based on Oracle Java or OpenJDK.

Prerequisite: have a JDK installed (Java Development Kit) on the computer that will run the command. This doesn’t have to be a developer’s PC. Here, a Windows station is used.

Generate a keystore and a CSR (RSC) for Java Code Signing certificate

1. Open a Command Prompt as Administrator so as not to have a problem writing to the hard disk.

2. Go to a free folder, for example cd C: certificate

3. Execute the command to create a key which will be generated with the keystore Java.

keytool -genkey -keyalg rsa -keystore <path_and_create_a_KeystoreFilename> -alias <create_Aliasname> -keysize 2048

Either for example, by looking for the keytool executable in the JDK installation folder:

"C:Program FilesJavajdk1.8.0_201binkeytool.exe" -genkey -keyalg rsa -keystore keystore_csr -alias alias_csr -keysize 2048

4. Indicate a password to secure this file and confirm it:

Enter the keystore password:
Enter the new password again:

5. To respond to all the questions asked:

Enter the keystore password:
Enter the new password again:
What are your first and last names?
[Unknown]: Jean Dupont
What is the name of your organizational unit?
[Unknown]: IT
What is the name of your business ?
[Unknown]: society
What is the name of your city of residence?
[Unknown]: Paris
What is the name of your state or province?
[Unknown]: IDF
What is the two letter country code for this unit?
[Unknown]: FR
Is it CN =Jean Dupont, OR =IT, O =society, L =Paris, ST =IDF, C =FR ?
[non]: Yes

6. Enter a password :

Enter the key password for
(press Enter if this is the keystore password):
Enter the new password again:

7. Still in the command prompt, generate the CSR file from the keystore:

keytool -certreq -keystore <path_and_KeystoreFilename_from_step1> -alias <Aliasname_from_step1> -file <path_and_create_CSRFilename>.csr

Either for example:

"C:Program FilesJavajdk1.8.0_201binkeytool.exe" -certreq -keystore "C:certificatkeystore_csr" -alias alias_csr -file "C:certificatnouveaucsr.csr"

8. Confirm the password.

9. Two files have been created in the specified folder. Send the .csr to the certificate authority to create or renew a Java Code Signing certificate.

Leave a Comment