DigiCert KnowledgeBase - Technical Support-hero

Knowledge Base

Java code signing certificate guide

Solution ID : TL260623213927
Last Modified : 10/08/2024


Sign code with your Oracle Java code signing certificate.

Is your code signing certificate stored on a hardware token or hardware security module? If so, see Sign Java .jar files with a hardware token-based code signing certificate in Windows

These instructions only apply to code signing certificates issued or reissued prior to May 30, 2023; see Code Signing Changes in 2023.


If you already set up your code signing certificate and are ready to sign your Java .jar files,  go to our Sign Java .jar files with jarsigner instructions below. 

Before you begin 

  1. Install the Java Development Kit (JDK).  
    Make sure you have installed the JDK on your server or local computer. You can run the commands in these instructions wherever the keytool command is available.

  2. Are you using Windows?
    To run the commands from Windows, use the command prompt. Ensure your JDK bin folder is already in your PATH environment, for example, C:\Program Files\Java\jdk1.7.0_02\bin.
    Set persistent environment variables.
    • In your Windows start menu, search for environment variables.
    • Select Edit for the system or user account environment.
    • Select New.
    • Add the variable name and value for the environment variables.
    • When ready, select OK.

  3. Make sure you've installed your code signing certificate.
    Once you have the code signing certificate file from DigiCert, install it in the keystore you created when creating the CSR. See Download a code signing certificate.
    • In the command prompt, run the command below to install the certificate.

      keytool -import -trustcacerts -alias server -file YourName.p7b -keystore
      keystore.jks

    • You should receive a message stating: "Certificate reply was installed in keystore."

    • If asked to trust the certificate, type y or yes.

      You've installed your code signing certificate and are ready to sign code.


Sign Java .jar files with jarsigner

After correctly installing the Certificate Authority (CA) signed code signing certificate in the keystore you created, you are ready to start signing code.

Use jarsigner to sign and verify the signature on .jar files.

  1. In the command prompt, run the command below to sign your file. 

    Replace YourPassword with the password used to generate your keystore. Replace YourAlias with the appropriate alias assigned when you generated your CSR.

    Note
    : If you used our Java Keytool CSR Wizard, the alias automatically generated for you is server.

    This command does not provide any output to indicate that your code was successfully signed.

    jarsigner -tsa http://timestamp.digicert.com -keystore
    c:\path\to\your\keystore.jks -storepass YourPassword
    c:\path\to\your\file.jar YourAlias
      

Verify that the .jar file was signed

  1. In the command prompt, run the jarsigner -verify command below to verify that the .jar file was signed successfully.

    jarsigner -verify -verbose -certs c:\path\to\your\file.jar


  2. You will see an output that includes the line below confirming that your code was signed successfully.

    s = signature was verified

MANAGE EVERY CERTIFICATE IN A SINGLE PLATFORM WITH DIGICERT CERTCENTRAL.