Signing a jar file with trusted certificate for JWS deployment

I think I finally managed to do it following this procedure:

  • Installed the certificate provided by Certum in Chrome through their web site interface
  • Exported the private key as a .pfx from Chrome (Settings, Manage certificates, Export, Export the private key, PKCS#12, ...)
  • Used KeyTool GUI (a Java front-end GUI for keytool) to create a complete p12: imported the Certum root certificate as a trusted certificate, imported the intermediate certificates as trusted certificates, imported my .pfx as a key pair
  • Signed the jar with this p12

Seems to work for me; I'm waiting for other users' feedback to be sure that it works for them also.

Edit: I tried again to export the certificate from Chrome, and I saw that there's an option to include the certificate chain in the export. When doing this, I don't even need to use the KeyTool GUI afterwards. I've redeployed the test version signed with this new p12:

  • Installed the certificate provided by Certum in Chrome through their web site interface
  • Exported the private key as a .pfx from Chrome (Settings, Manage certificates, Export, Export the private key, PKCS#12 + include certificate chain, ...)
  • Signed the jar with this p12

[Update 2017] Open Source code signing from Certum now uses a cryptographic flash card as the private key; it must be plugged in for certificate activation and installation, as well as for code signing. The key costs $125 (plus shipping) and the 1-year certificate alone costs $40. You can ask for a discount.


Here are the steps to sign your jar file from scratch.

Instructions

Instructions in English are hard to find and not up to date. The following procedure is based on these two documents:

  • Partial Instructions for Installation and Activation (English) - The part about file "bundle.pem" is missing.
  • Complete Instructions for Installation and Activation (Polish)

Create, activate and install your certificate:

  1. Go on the "Certum Certification" website in the "OpenSource Code Signing" section and order your certificate.
  2. Once the cryptographic flash card is received (it took 15 days for me), plug it in, then install the driver and the proCertum CardManager software from the card.
  3. Go to your Certum account and follow the activation process of your newly ordered certificate.

Tip: The CryptoAgent Java Web Start application runs only with a JDK (not a JRE) < 9 (so JDK 7 or 8).

  4. You'll receive a mail asking for some official documents (ID card, rent bill, etc.) and an e-mail verification procedure.
  5. Send the required activation documents and information. You'll receive another mail asking you to install the certificate (the verification was done within 1 hour).
  6. Install the certificate on the cryptographic card following the procedure "Storing the Certificate on the card" (see the instructions in English, part 4).

Obtain the file "bundle.pem"

This file is mandatory for obtaining a valid certificate chain when signing your application (see the part 7.1.2 in the instructions in Polish).

Basically, it consists of concatenating, in a plain-text file, 1) your certificate and 2) the Certum Code Signing CA SHA2 public key.

  1. Open proCertum CardManager >> Read Card >> tab Common >> select your certificate and click "Show details".
  2. Export your certificate: x509 - base-64.
  3. Download the Certum Code Signing CA SHA2 in PEM format (from the list of root certificates of Certum).
  4. Create the text file "bundle.pem" by concatenating these two certificates (first your certificate, second the Certum certificate).

Sign your jar file with Jarsigner

  1. Create the "provider.cfg" file as explained in point 7.2 of the instructions in English.
  2. You need the alias of your certificate (and not the owner name) to sign your jar. To obtain it, execute the following command:

    keytool -list -v -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg "provider.cfg" -storepass "[your_pin]"

  3. Once you have the alias, the provider.cfg and the bundle.pem files ready, just sign your jar with the following command:

    jarsigner -keystore NONE -certchain "bundle.pem" -tsa "http://time.certum.pl" -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg "provider.cfg" -storepass "[your_pin]" "[your_code].jar" "[your_alias]"

Personally, I use an Ant script to sign my application jar files. See the signjar task from the Ant project.
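The bundle.pem and jarsigner steps of the answer above, gathered into one script as an added example (not code from either answer or from Certum). It assumes provider.cfg has already been written per the Certum instructions, that JDK 8's keytool and jarsigner are on PATH, and that the card PIN is supplied through the environment variable CERTUM_PIN (an assumed name) rather than on the command line, so it does not show up in the process list or shell history. The two certificate files in the usage comments (mycert.pem, certum-cs-ca-sha2.pem) are placeholder names.

```shell
#!/bin/sh
# Added example: build bundle.pem, find the card alias, sign and verify a jar.
# Assumptions: provider.cfg exists, JDK 8 tools on PATH, PIN in $CERTUM_PIN.

# build_bundle OUT LEAF_PEM CA_PEM
# Writes OUT with the end-entity certificate first and the issuing
# "Certum Code Signing CA SHA2" certificate second: jarsigner -certchain
# expects the chain in that order. The proCertum export is often CRLF and may
# lack a trailing newline, so CRs are stripped and a newline is forced between
# the blocks; otherwise the END and BEGIN lines get glued together.
build_bundle() {
  out=$1; leaf=$2; ca=$3
  for f in "$leaf" "$ca"; do
    grep -q -F -e '-----BEGIN CERTIFICATE-----' "$f" \
      || { echo "not a PEM certificate: $f" >&2; return 1; }
  done
  { cat "$leaf"; echo; cat "$ca"; echo; } | tr -d '\r' | sed '/^$/d' > "$out"
}

# count_certs FILE: number of PEM certificate blocks (expected: 2 for bundle.pem).
count_certs() {
  grep -c -F -e '-----BEGIN CERTIFICATE-----' "$1"
}

# list_aliases PROVIDER_CFG
# Prints the alias of every key on the card. jarsigner wants the alias,
# not the certificate owner name, as its last argument.
list_aliases() {
  keytool -list -v -keystore NONE -storetype PKCS11 \
    -providerClass sun.security.pkcs11.SunPKCS11 -providerArg "$1" \
    -storepass:env CERTUM_PIN | sed -n 's/^Alias name: //p'
}

# sign_jar PROVIDER_CFG BUNDLE JAR ALIAS
# Signs with the key on the card, timestamps against Certum's TSA, then
# verifies the result and prints the chain so a bad bundle.pem is caught here
# rather than on the users' machines.
sign_jar() {
  cfg=$1; bundle=$2; jar=$3; alias=$4
  [ "$(count_certs "$bundle")" -ge 2 ] \
    || { echo "$bundle does not contain a chain" >&2; return 1; }
  jarsigner -keystore NONE -certchain "$bundle" -tsa "http://time.certum.pl" \
    -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 \
    -providerArg "$cfg" -storepass:env CERTUM_PIN "$jar" "$alias"
  jarsigner -verify -verbose -certs "$jar"
}

# Usage (placeholder file names):
#   export CERTUM_PIN=...            # enter the PIN once, never on the command line
#   sh sign.sh bundle  bundle.pem mycert.pem certum-cs-ca-sha2.pem
#   sh sign.sh aliases provider.cfg
#   sh sign.sh sign    provider.cfg bundle.pem app.jar "<alias from previous step>"
case "${1:-}" in
  bundle)  build_bundle "$2" "$3" "$4" ;;
  aliases) list_aliases "$2" ;;
  sign)    sign_jar "$2" "$3" "$4" "$5" ;;
esac
```

`-storepass:env` is the documented keytool/jarsigner form for reading the password from an environment variable; the `-storepass "[your_pin]"` form in the answer works too but leaves the PIN in `ps` output and in the shell history. The final `jarsigner -verify -verbose -certs` is the check worth keeping: if the bundle is in the wrong order or the CA certificate is missing, the signature still gets produced, but the verification output will not show the full chain up to Certum, and Java Web Start clients will refuse the jar.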