A Java applet needs to be signed to run restricted methods such as accessing the local file system or recording content.
To sign the applet, you normally need to get a certificate from a commercial company such as VeriSign or Thawte, which costs a few hundred dollars per year.
If you do not want to pay for that, you can create your own CA certificate to sign your applet. The side effect is that you will get a warning when the applet starts.
The software you need is OpenSSL, the JDK and KeyStore Explorer.
Create the Default KeyStore if It Does Not Exist
Create a key with keytool so that the default keystore, which may not exist yet, gets created. This key will NOT be used later.
keytool -genkey -keyalg rsa -alias MyTempKey
Create Root CA Certificate
Create the private key
openssl genrsa -des3 -out ca.key 4096
Create the public key (the self-signed root CA certificate)
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Create and Sign Intermediate Certificate
Create the private key.
openssl genrsa -des3 -out server.key 4096
Create a certificate request for signing by the Root CA.
openssl req -new -key server.key -out server.csr
Sign the request with the Root CA to produce the public certificate.
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
Import keys to KeyStore
Use KeyStore Explorer to import server.crt and server.key into the keystore. Choose "Open The Default KeyStore". During the import, I chose to set the alias of the keys to "xgu" (you can choose any name you like).
Sign the Java JAR
To sign the Java applet, pass the alias chosen during the import
jarsigner a_java_applet.jar xgu
To verify the signed JAR
jarsigner -verify -verbose -certs a_java_applet.jar
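The OpenSSL steps above can be run without prompts and checked before anything is imported into the keystore. The following is an added example, not part of the original post: it repeats the same commands with passphrases taken from the environment, then confirms that server.crt really chains to ca.crt and that server.key belongs to server.crt. The variable names CA_PASS and KEY_PASS, the subject names and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: CA_PASS and
# KEY_PASS (exported passphrases), the two subject CNs, the function names.

# make_chain DIR [BITS]: the post's OpenSSL steps, run without prompts.
# BITS defaults to 4096 as in the post.
make_chain() {
    d=$1; bits=${2:-4096}
    # env: reads the passphrase from an exported variable, so it never
    # appears on the command line or in shell history.
    [ -n "$CA_PASS" ] && [ -n "$KEY_PASS" ] || return 2
    openssl genrsa -des3 -passout env:CA_PASS -out "$d/ca.key" "$bits" &&
    openssl req -new -x509 -days 365 -key "$d/ca.key" -passin env:CA_PASS \
        -subj "/CN=Example Applet Root CA" -out "$d/ca.crt" &&
    openssl genrsa -des3 -passout env:KEY_PASS -out "$d/server.key" "$bits" &&
    openssl req -new -key "$d/server.key" -passin env:KEY_PASS \
        -subj "/CN=Example Applet Signer" -out "$d/server.csr" &&
    openssl x509 -req -days 365 -in "$d/server.csr" -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -passin env:CA_PASS -set_serial 01 \
        -out "$d/server.crt"
}

# issued_by CA_CRT CERT: succeeds only if CERT was signed by CA_CRT and is
# within its validity period. -no-CApath keeps the system trust store out.
issued_by() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches KEY CERT: succeeds only if the private key and the certificate
# carry the same public key (compared by SHA-256 of the PEM public key).
key_matches() {
    k=$(openssl rsa -in "$1" -passin env:KEY_PASS -pubout 2>/dev/null |
        openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage, after exporting CA_PASS and KEY_PASS:
#   make_chain . && issued_by ca.crt server.crt &&
#       key_matches server.key server.crt && echo "ready to import"
```

If either check fails, the import will still appear to work but jarsigner will sign with a key and certificate that do not belong together, so run the checks before the import step.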
Thank you very much! this is exactly what I've been looking for!