Ask a Question

Advanced Search

Alert ID : INFO185

Last Modified : 05/03/2018

Symantec Code Signing certificate for Java


To get a Symantec Code Signing certificate for Java please follow the steps below.

Step 1: Download Signing Tools

If you have not already done so, download the Java 2 Software Development Kit (SDK). The latest version is available free of charge for the Solaris SPARC/x86, Linux86, and Microsoft Windows platforms from Please make sure that you are using at least version 1.6.*

You will be using the keytool, jar, and jarsigner to apply for your Code Signing Digital ID and sign your code. For MIDlet signing please view: SO19627

Step 2: Enrollment

Create a Keystore

To generate a public/private key pair, enter the following command, specifying a name for your keystore and an alias as well.

Note: The recommended key bit size is 2048-bit. All certificates that will expire after October 2013 must have a 2048 bit key size

keytool -genkey -keyalg rsa -keystore <keystore_filename> -alias <alias_name> -keysize 2048

This will create both the keystore container and the private key within the keystore. The private key will have an unique alias that is extremely important. For example if the command used is:
keytool -genkey -keyalg rsa -keystore javakeystore1.jks -alias mykeystorealias -keysize 2048

Keystore: javakeystore1.jks
Private Key Alias: mykeystorealias

Keytool will prompt to enter a password for the keystore, name, organization, and address. The public/private key pair generated by keytool is saved to your keystore and will be used to sign Java Applets and applications. This key is never sent to Symantec and is required to sign code. Symantec encourages you to make a copy of the public/private key pair and store it in a safe deposit box or other secure location. If the key is lost or stolen, contact Symantec immediately to have it revoked.

Generate a CSR

A Certificate Signing Request (CSR) will need to be generated for the enrollment process. The following command requests Keytool to create a CSR for the key pair in the keystore:

keytool -certreq -file certreq.csr -keystore <keystore_filename> -alias <alias_name>

This CSR will contain all the information entered when the keystore was created. 
This CSR is tied to the private key within the keystore (e.g. -keystore javakeystore1.jks -alias mykeystorealias)

  1. Create a copy of the keystore file. Having a back-up file of the keystore at this point can help resolve installation issues that can occur when importing the certificate into the original keystore file.

  2. Begin the enrollment process for a Code Signing ID from the products and services section of the Symantec Web site.

  3. Copy the contents of the CSR and paste them directly into the Symantec enrollment form. Open the file in a text editor that does not add extra characters (Notepad or Vi are recommended).

To begin the enrollment process for a Code Signing ID you can go to the  Symantec Product pages.

Step 3: Begin Using

Import Digital ID

Once Symantec has verified the order & a CSR has been provided, you will be able to retrieve your Symantec Code Signing certificate for Java through the Symantec Trust Center.  A Code Signing Digital ID is a "trust path" or "chain" back to the Symantec root certificate. This "trust path" allows your code to be validated on any standard JRE without installing any additional files.

If you purchased the certificate directly from us, download your Symantec Code Signing certificate for Java from Symantec Trust Center account, click here.

If you purchased the certificate from the Partner Center, click here.

Since the certificate issued was created from the CSR, which is tied to that exact keystore created previously above, it cannot be used for any other keystore. (e.g. The certificate can only be correctly installed into -keystore javakeystore1.jks -alias mykeystorealias).

The certificate is issued in 2 formats:
a) X509 (plus 1 intermediate certificate). Installing this requires careful installation of 2 certificates in the correct order. 
    For more information please view:   SO11251

b) PKCS7 format (.p7b file). This is the recommended file to install as there is only one step to install all 2 certificates:

You should then have a text file that looks like:

[encoded data]

Make sure you have 5 dashes to either side of the BEGIN CERTIFICATE and END CERTIFICATE and that no white space, extra line breaks or additional characters have been inadvertently added.

To import your Symantec Code Signing certificate for Java Digital ID into your keystore, enter the following code with the path correct name for your file (for example, “cert.p7b”) to your Code Signing Digital ID.

keytool -import -trustcacerts -keystore <keystore_filename> -alias <alias_name> -file cert.p7b

For example:
keytool -import -trustcacerts -keystore javakeystore1.jks -alias mykeystorealias -file mycert.p7b

Note: The certificate cannot be installed into a different keystore nor a different alias.
Listing the keystore will therefore ONLY show 1 keyEntry, due to the above steps.

For example: keytool -list -v -keystore javakeystore1.jks

KeyEntry: PrivateKeyEntry

Also because of installing the certificate in the PKCS7 format, this PrivateKeyEntry will have 3 certificates in the chain that begins with:
Certificate [1]:
Certificate [2]:
Certificate [3]:

Note: If during the installation, the error occurs: "keytool error: java.lang.Exception: Input not an X.509 certificate” during import process of the Symantec Code Signing certificate for Java into keystore, refer to solution SO18659

Bundle Applet into a JAR File

If you are Signing MIDlets please see solution SO8381 to sign using JADTool command line utilityUse jar to bundle your Applets or applications as a JAR file. This string creates a JAR file (C:\TestApplet.jar). The JAR file contains all the files under the current directory and its sub-directories.

jar cvf <filename>.jar <filename to bundle>

For example:

jar cvf testapplet.jar

Jar responds:

added manifest 
adding: TestApplet.class (in = 94208) (out= 20103)(deflated 78%) 
adding: TestHelper.class (in = 16384) (out= 779)(deflated 95%)

Sign Your Applet

Note: From JDK 1.7 onwards, extra checks have been added when running java code. To fulfill these, the following attributes need to be added to the manifest file (MANIFEST.MF)

  • Permissions
  • Codebase

Please refer to the below link for the values to be set on these attributes:

  1. Use jarsigner to sign the JAR file with the private key you saved in your keystore.

    jarsigner -keystore <keystore_filename> <path to Applet (ie. C:\TestApplet.jar)> <alias_name>


    To add an RFC 3161(Sha-256) timestamp the command is specified with -tsa as described below:

    Jarsigner -tsa -keystore <keystore_filename> <path to Applet (ie. C:\TestApplet.jar)> <alias_name>

    At the prompt, enter the password to your keystore.

    Important: Symantec recommends customers must leverage SHA256 Timestamping service going forward, and should not use a SHA1 service unless there is a legacy platform constraint which doesn’t allow use of SHA2 service.

    Note: For legacy SHA-1 timestamping, please use the SHA-1 RFC 3161 timestamping URL:


  1. Jarsigner hashes your Applet or application and stores the hash in the JAR file created in step 5 with a copy of your Code Signing Digital ID.

  2. Verify the output of your signed JAR file.

    jarsigner -verify -verbose -certs d:\TestApplet.jar

    If the signature has included a timestamp, the output of the verify command will include a statement when the entry was signed.

Example: [entry was signed on 7/12/15 1:28 PM]

This should also be followed with the Time Stamp Authority's (TSA) certificate chain.

When the signed JAR file is downloaded, the Java Runtime Environment will display your Digital ID to the user. If the file is tampered with in any way after it has been signed, the user will be notified and given the option to refuse installation.

Related Information

For more information about the use of the Java 2 Software Development Kit, go to JavaTM 2 Platform, Documentation at: