General Information ID : INFO1428
To get a Java Code Signing Certificate please follow the steps below.
Step 1: Download Signing Tools
If you have not already done so, download the Java 2 Software Development Kit (SDK). The latest version is available free of charge for the Solaris SPARC/x86, Linux86, and Microsoft Windows platforms from
You will be using the keytool, jar, and jarsigner to apply for your Code Signing certificate and sign your code.
Step 2: Enrollment
Create a Keystore
To generate a public/private key pair, enter the following command, specifying a name for your keystore and an alias as well.
Note: The recommended key bit size is 2048-bit. All certificates that will expire after October 2013 must have a 2048 bit key size
Keytool prompts you to enter a password for your keystore, your name, organization, and address. The public/private key pair generated by keytool is saved to your keystore and will be used to sign Java Applets and applications. This key is never sent to Thawte and is required to sign code. Thawte encourages you to make a copy of the public/private key pair and store it in a safe deposit box or other secure location. If the key is lost or stolen, contact Thawte immediately to have it revoked.
Generate a CSR
You need to generate a Certificate Signing Request (CSR) for the enrollment process.
To begin the enrollment process for a Java Thawte Product's page.
Step 3: Begin Using
Import Java Code Signing Certificate
Once Thawte has verified your identity, we will send a confirmation once the certificate has been issued.
Your certificate can be downloaded via your account at the following link:
Please select the correct link below to download your certificate:
To import your Code Signing certificate into your keystore, enter the following code with the path correct name for your file (for example, “cert.p7b”) to your Code Signing certificate.
Bundle Applet into a JAR File
If you are Signing MIDlets please see solution SO16957 to sign using JADTool command line utilityUse jar to bundle your Applets or applications as a JAR file. This string creates a JAR file (C:\TestApplet.jar). The JAR file contains all the files under the current directory and its sub-directories.
adding: TestApplet.class (in = 94208) (out= 20103)(deflated 78%)
adding: TestHelper.class (in = 16384) (out= 779)(deflated 95%)
Sign Your Applet
To add an RFC 3161(Sha-256) timestamp the command is specified with -tsa as described below:
At the prompt, enter the password to your keystore.
Important: Thawte recommends customers must leverage SHA256 Timestamping service going forward, and should not use a SHA1 service unless there is a legacy platform constraint which doesn’t allow use of SHA2 service.
Note: The SHA-1 timestamping URL is http://timestamp.verisign.com/scripts/timstamp.dll
(The timstamp.dll filename is required to conform to old MS-DOS naming convention).
The SHA-1 with RFC 3161 timestamping URL is http://sha1timestamp.ws.symantec.com/sha1/timestamp
The SHA-256 with RFC 3161 timestamping URL is http://sha256timestamp.ws.symantec.com/sha256/timestamp
If the signature has included a timestamp, the output of the verify command will include a statement when the entry was signed.
Example: [entry was signed on 7/12/15 1:28 PM]
This should also be followed with the Time Stamp Authority's (TSA) certificate chain.
When the signed JAR file is downloaded, the Java Runtime Environment will display your Code Signing certificate to the user. If the file is tampered with in any way after it has been signed, the user will be notified and given the option to refuse installation.
For more information about the use of the Java 2 Software Development Kit, go to JavaTM 2 Platform, Documentation at: