Monday, 14 May 2007

Signing Jars with pvk

I had a little fun signing Jar files recently. I was using Comodo for my code signing certificate, which generates the CSR and private key using MSIE and xenroll - which suits me, (I once briefly ran a CA before, based on ssleay and xenroll). I exported the private key as a pvk file during the generation process.

The difficulty was getting the java keytool  to import a private key. The other difficulty was getting the secret proprietary microsoft .pvk format into a form that anything else knew about.

I got it working using pvktool to convert from pvk to pem format:

wine pvk.exe -in mykey.pvk -nocrypt -out mykey.pem 

I then used openssl to combine the key pem file with the cer file I had exported from MSIE to make a pkcs12 file:

openssl pkcs12 -export -chain -name FRIENDLYNAME -inkey mykey.pem -in mycert.cer -out all.pkcs12

The final clue was to give up using keytool to import the pkcs12 into the java keystore, but just use the pkcs12 file directly:

jarsigner -storetype pkcs12 -keystore all.pkcs12 JARFILE.JAR "FRIENDLYNAME"

For completeness I note that a pfx export from MS Windows is close enough a PKCS12 file, as is an export from Mozilla Firefox; however I wasn’t able to import the openssl generated pkcs12 file into MS IE, unless I imported it and exported through Firefox first. It may be something else I had done wrong at the same time that stopped it working otherwise/

And I’m not sure where the certificate chain came from, openssl’s root CA’s no doubt.