Signing Jar Files (converting pvk to p12)

We recently renewed our code signing certificate for signing Java applets. This is the first year we have had to renew it, and the process is a bit different from when we generated it. When we first received the key, we did it with a CSR and the Java keytool. So when their renewal process had us generate a Microsoft Authenticode pvk private key, I was a bit confused as to what to do with it. It takes a bit of work to generate a PKCS12 file that Java's jarsigner can use, so I'm blogging this so I will remember what to do next year, and also to help out anyone else in this situation.

You will need two files:

  • pvk file (generated by IE, and stored in c:\mykey.pvk by default)
  • spc file (the cert)

Now, to generate a PKCS12 pfx file you need Microsoft's pvkimprt tool (if I could have found this tool sooner, I could have saved myself a lot of time playing with openssl and the ported pvk tool!). So install and run the tool:

pvkimprt c:\mycert.spc c:\mykey.pvk

Import it into your personal keystore, so we can export it as a pfx file:

  • Start-Run: mmc.exe
  • Add Snapin: Certificates
  • Properties: Add a friendly name to the cert (this will be the alias)
  • Export a pfx file

Now that you have your pfx file, you're going to need to, guess what, import and export it again. (The docs state that the pfx file will only work on JDK 1.4; I had no luck, so I generated a p12 file as shown below.)

  • Open up Netscape/Mozilla/Firefox Certificate Manager (Tools-Options-Advanced-Certificates in Firefox)
  • Import your pfx file
  • Export a p12 file

And after that process you will have a certificate you can use to sign jar files, and possibly start your own import/export business.

Here's the KB article from Thawte which, had I been able to find it on my own, would have saved me lots of time: http://kb.thawte.com/thawte/thawte/esupport.asp?id=vs26925

And here's the ant task I use to sign jar files:

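<target name="signjar" depends="jar">
  <!-- Prompt for the keystore password at build time rather than keeping it in the build file -->
  <input
    message="Please enter keystore password:"
    addproperty="keypass" />

  <!-- alias is the friendly name given to the cert before it was exported -->
  <signjar jar="${lib}/yourJar.jar" storetype="pkcs12"
    keystore="${keystore}/yourkey.p12" alias="Your Alias"
    storepass="${keypass}"/>
</target>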

This process should be a lot easier; I always hate dealing with certificates. I must say, however, that aside from having a name I can neither pronounce nor spell consistently, Thawte has always been helpful when I contact them.



On 04/14/2004 at 3:34:28 AM MDT Anonymous wrote:
1
HAI

On 09/17/2004 at 2:48:35 PM MDT DJH wrote:
2
Thanks for this. Had a similar problem today and wasted a lot of time trying to create pkcs12 files with openssl. Wish I'd have come across this blog entry sooner...

On 10/21/2004 at 10:43:35 PM MDT TRC wrote:
3
Absolutely fantastic post - saved a lot of time.

Just out of interest - under 1.4.2_05 the ant script works fine - under 1.3.1_12 it fails with:

[signjar] Signing JAR: C:\work\test.jar
[signjar] jarsigner error: java.lang.RuntimeException: unable to instantiate keystore class: pkcs12 not found

Has anyone seen/solved this issue?

On 11/01/2004 at 6:35:15 PM MST Jay wrote:
4
If you try to do this and get a weird error about "Password is not in the correct format" when running pvkimprt, then you are using WinXP or later and your pvk & spc files were generated on 2000 or earlier. All you need to do is use a 2000 or earlier box to create the PFX file.

On 11/01/2004 at 6:36:11 PM MST Jay wrote:
5
I'm sorry, the exact error message is: "The format of the specified password is invalid."

On 03/28/2005 at 4:54:26 PM MST pzarecta wrote:
6
I tried using a pkcs12 keystore on java 1.3.0 and it doesn't like it. It seems that the pkcs12 keystore type doesn't come by default.

However, I did find a way to import a pkcs12 store into a jks store. You will need java 1.4 to perform the operation, but the resulting keystore is 1.3 compatible.

http://java.sun.com/webservices/docs/1.4/tutorial/doc/XWS-Security7.html

On 04/15/2005 at 6:26:38 PM MDT Richard J. Pennenga wrote:
7
Very useful - and comforting since I thought I was the only one who thought the process had changed out from under me! Thanks for recording this.

On 01/26/2006 at 11:14:54 PM MST Yuriy wrote:
8
Thanks, that's very helpful

On 04/26/2006 at 12:12:05 PM MDT Vivek wrote:
9
Thanks here is what I did:

0. You should have a .spc (Certificate) file and a .pvk (Key) file

1. Download pvkimprt.exe from http://office.microsoft.com/downloads/2000/pvkimprt.aspx

2. To generate a .pfx file run:

pvkimprt -PFX <spc-file> <pvk-file>

type in the password and give a pathname

3. Import this file from Firefox

4. Export the certificate from Firefox to a .p12 file

5. This file can be used with jarsigner

6. We also need to know the alias of the .p12 file, so copy the .p12 file to the Java bin directory and run:

keytool -list -storetype pkcs12 -keystore mycert-p12.p12

7. type in the password

8. Then you will see output like this:

Keystore type: pkcs12
Keystore provider: SunJSSE

Your keystore contains 1 entry

xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx, Apr 26, 2006, keyEntry,
Certificate fingerprint (MD5): hh:hh:hh:hh:hh:hh:hh:hh:hh:hh:hh:hh:hh:hh:hh:hh

9. The xxxx-xxx... number is the alias for the key

10. to sign a jar do:

jarsigner -storetype pkcs12 -keystore mycert-p12.p12 myjar.jar "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"
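
The alias lookup and signing steps from the comment above, as an added script that is not part of that comment or the original post: it pulls the key alias out of the keytool -list output, signs with it, and confirms the result with jarsigner -verify. The function names, the KS_PASS variable and the sample listing are constructed for illustration; it assumes bash with the JDK's keytool and jarsigner on PATH (JDK 7 or later for -storepass:env).

```bash
#!/usr/bin/env bash
# Added example; not code from the original post or its comments.

# Constructed sample of `keytool -list` output, in the layout quoted above.
SAMPLE_LISTING='Keystore type: pkcs12
Keystore provider: SunJSSE

Your keystore contains 2 entries

example-ca, Apr 26, 2006, trustedCertEntry,
Certificate fingerprint (MD5): hh:hh:hh:hh
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx, Apr 26, 2006, keyEntry,
Certificate fingerprint (MD5): hh:hh:hh:hh'

# Print the alias of each private-key entry found in `keytool -list` output on
# stdin. Assumes the English date layout shown above ("Apr 26, 2006"); newer
# JDKs label the entry PrivateKeyEntry instead of keyEntry.
list_key_aliases() {
  sed -n -E 's/^(.+), [^,]+, [^,]+, (keyEntry|PrivateKeyEntry),.*$/\1/p'
}

# Sign jar $2 with the only private key in PKCS12 keystore $1, then verify it.
sign_and_verify() {
  local keystore=$1 jar=$2 aliases count
  # Prompt without echo and pass the password through the environment
  # (-storepass:env) so it does not appear in the process list.
  read -r -s -p 'Keystore password: ' KS_PASS && echo >&2
  export KS_PASS
  aliases=$(keytool -list -storetype pkcs12 -keystore "$keystore" \
              -storepass:env KS_PASS | list_key_aliases)
  count=$(printf '%s\n' "$aliases" | grep -c . || true)
  if [ "$count" -ne 1 ]; then
    echo "expected exactly one private-key entry, found $count" >&2
    unset KS_PASS
    return 1
  fi
  jarsigner -storetype pkcs12 -keystore "$keystore" -storepass:env KS_PASS \
            "$jar" "$aliases" || { unset KS_PASS; return 1; }
  unset KS_PASS
  # Old jarsigner releases exit 0 even for an unsigned jar, so check the message.
  jarsigner -verify "$jar" | grep -q 'jar verified'
}

# Usage: ./sign.sh mycert-p12.p12 myjar.jar
if [ "$#" -eq 2 ]; then sign_and_verify "$1" "$2"; fi
```

Refusing to sign unless exactly one private-key entry is found guards against picking the wrong key when the exported .p12 also carries other entries.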

On 06/14/2006 at 12:51:21 AM MDT Dave wrote:
10
Thanks! 2 years later this is still more helpful than Thawte's docs on this.

On 07/21/2006 at 6:47:54 PM MDT Amanda wrote:
11
pvkimprt didn't work on my XP PC. http://www.verisign.com/support/code-signing-support/code-signing/identity-authentication.html

Download the Windows Core SDK and use:

pvk2pfx -pvk myprivatekey.pvk -spc mycredentials.spc -pfx output.pfx

On 08/17/2006 at 7:58:14 PM MDT ThirtyOne wrote:
12
Thanks for a great article. I have spent a couple of days researching this and your article seemed to fill in the missing pieces.

I used these instructions and TJ's to sign XPI files for firefox.

On 10/09/2006 at 12:33:03 PM MDT B wrote:
13
Thank you! You probably saved me hours of noodling and fretting. I've been trying, and trying, to get SSL Explorer installed with an existing IIS key, and your "run it through Mozilla" trick saved the day! Thanks!

On 11/27/2006 at 1:09:59 PM MST antoine wrote:
14
How to generate the pvk file?

On 05/02/2007 at 2:36:53 PM MDT JWill wrote:
15
This was a great article, saved me a fair amount of time. Our signing process is invoked using Ant as well.

On 03/17/2008 at 10:53:37 AM MST Dave wrote:
16
Thanks very much for this article. Even after 4 years most everything is still valid. The only thing for which I had to go hunting was the pvkimprt tool. You can find it here: http://www.microsoft.com/downloads/details.aspx?FamilyID=F9992C94-B129-46BC-B240-414BDFF679A7&displaylang=EN

Thanks again!




  


