Create your own Certificate Authority
Largely borrowed from http://w.csie.org/~piaip/docs/CreateMozApp/mozilla-chp-12-sect-5.html, but updated where those instructions didn't work for me.
Used Network Security Services (NSS) tools version 3.11.5, with a workaround for a bad installation on Ubuntu which means you must link the nss directory into wherever you run signtool from:
ln -s /usr/lib/nss .
Create the certificate authority root. It is self-signed (-x) and marked as a trusted object-signing CA by the trust flags ",,C" (the three fields are SSL, email and object signing); -1, -2 and -5 make certutil prompt for the key usage, basic constraints and certificate type extensions:
mkdir ~/signingdir
certutil -S -s "CN=mysite.org, O=mysite.org" -n "mysite.org" -t ",,C" -x -d ~/signingdir -1 -2 -5
Answer the prompts as in the transcript below: 5 (Cert signing key) then 9 to leave the menu, n (not critical), y (it is a CA), Enter to skip the path length, n, then 7 (Object Signing CA), 9 and n:
Generating key. This may take a few moments...
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signing key
6 - CRL signing key
Other to finish
5
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signing key
6 - CRL signing key
Other to finish
9
Is this a critical extension [y/N]?
n
Is this a CA certificate [y/N]?
y
Enter the path length constraint, enter to skip [<0 for unlimited path]:
Is this a critical extension [y/N]?
n
0 - SSL Client
1 - SSL Server
2 - S/MIME
3 - Object Signing
4 - Reserved for future use
5 - SSL CA
6 - S/MIME CA
7 - Object Signing CA
Other to finish
7
0 - SSL Client
1 - SSL Server
2 - S/MIME
3 - Object Signing
4 - Reserved for future use
5 - SSL CA
6 - S/MIME CA
7 - Object Signing CA
Other to finish
9
Is this a critical extension [y/N]?
n
Export the root certificate in PEM form (the file is written to the current directory) and save it for later; this is the public part that relying parties import:
certutil -L -d ~/signingdir -n "mysite.org" -a -o mysite.org.cacert
Create the signing certificate authority, an intermediate issued by the root (-c "mysite.org") and valid for 96 months; answer the prompts exactly as for the root:
certutil -S -n "certs.mysite.org" -s "CN=certs.mysite.org, O=certs.mysite.org" -c "mysite.org" -v 96 -t ",,C" -d ~/signingdir -1 -2 -5
Generating key. This may take a few moments...
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signing key
6 - CRL signing key
Other to finish
5
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signing key
6 - CRL signing key
Other to finish
9
Is this a critical extension [y/N]?
n
Is this a CA certificate [y/N]?
y
Enter the path length constraint, enter to skip [<0 for unlimited path]:
Is this a critical extension [y/N]?
n
0 - SSL Client
1 - SSL Server
2 - S/MIME
3 - Object Signing
4 - Reserved for future use
5 - SSL CA
6 - S/MIME CA
7 - Object Signing CA
Other to finish
7
0 - SSL Client
1 - SSL Server
2 - S/MIME
3 - Object Signing
4 - Reserved for future use
5 - SSL CA
6 - S/MIME CA
7 - Object Signing CA
Other to finish
9
Is this a critical extension [y/N]?
n
Export this (again to the current directory) so that it can be imported as an authority by anyone willing to trust your signing authority:
certutil -L -d ~/signingdir -n "certs.mysite.org" -a -o certs_mysite_org.cacert
Generate a signing certificate for a particular user, issued by the intermediate. This one is not a CA, so answer n to the CA question and choose 3 (Object Signing) rather than 7. The ",,C" trust flags mark it as a trusted CA in this database as well; ",,u" (a user certificate whose private key is in the database) is all a leaf needs, and the Cert signing key usage selected below is not needed by a certificate that will not issue others, since Digital Signature is what NSS checks for object signing:
certutil -S -n "certs.mysite.org/me" -s "CN=certs.mysite.org/me, O=certs.mysite.org" -c "certs.mysite.org" -v 96 -t ",,C" -d ~/signingdir -1 -2 -5
Generating key. This may take a few moments...
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signing key
6 - CRL signing key
Other to finish
0
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signing key
6 - CRL signing key
Other to finish
5
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signing key
6 - CRL signing key
Other to finish
9
Is this a critical extension [y/N]?
n
Is this a CA certificate [y/N]?
n
Enter the path length constraint, enter to skip [<0 for unlimited path]:
Is this a critical extension [y/N]?
n
0 - SSL Client
1 - SSL Server
2 - S/MIME
3 - Object Signing
4 - Reserved for future use
5 - SSL CA
6 - S/MIME CA
7 - Object Signing CA
Other to finish
3
0 - SSL Client
1 - SSL Server
2 - S/MIME
3 - Object Signing
4 - Reserved for future use
5 - SSL CA
6 - S/MIME CA
7 - Object Signing CA
Other to finish
9
Is this a critical extension [y/N]?
n
Export the user certificate together with its private key as a PKCS#12 file with pk12util (you will be asked for a password to protect the file; keep it out of shared locations, since it contains the signing key):
pk12util -o me.pk12 -n "certs.mysite.org/me" -d ~/signingdir
==================================================================
Now we can make a completely separate signing database that contains just the user's key and certificate (from the PKCS#12 file) and the public certificate of the signing authority, so the CA keys never leave ~/signingdir. The C in the trust flags "u,u,Cu" makes the intermediate a trust anchor in this database, which is why the root is not imported here; adjust the -i path if certs_mysite_org.cacert was exported somewhere other than ~/signingdir:
certutil -N -d .
pk12util -i me.pk12 -n "certs.mysite.org/me" -d .
certutil -A -n "certs.mysite.org" -t "u,u,Cu" -i ~/signingdir/certs_mysite_org.cacert -d .
Now you can sign jars as follows. -p puts the database password on the command line, where other users can read it from the process list and it lands in your shell history; leave it out to be prompted for it instead:
signtool -d . -p password -k "certs.mysite.org/me" -Z chrome_access_signed.jar chrome_access_signed
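The whole procedure above as one reproducible script, an added example that is not the original page's commands or the NSS project's own code. It feeds the answers to the -1 -2 -5 prompts on stdin instead of typing them, builds the separate signing database, and ends with the check the page does not make: certutil -V -u J, which asks NSS whether the chain is valid for object signing before any jar is signed, and the same certificate being refused for SSL server use. The work directory, password file, noise file and the 'db-pass' and 'export-pass' values are assumptions; the nicknames are the page's placeholders; -Z SHA256, -g 2048 and the -m serial numbers are additions for current NSS versions, and the root is imported as the trust anchor instead of giving the intermediate C trust.

```shell
#!/bin/sh
# Added example, not code from the original page: the page's three certutil -S
# steps driven non-interactively, the separate signing db, and a certutil -V
# check of the result. Assumes certutil and pk12util (libnss3-tools) on PATH.
# Names are the page's placeholders; passwords and file locations are assumed.
set -eu

P12PASS='export-pass'        # assumption: protects me.p12 while it is copied around

# One line per prompt, in the order certutil -1 -2 -5 asks them:
# keyUsage choices then 9 to finish, critical?, CA?, path length (blank = none),
# critical?, nsCertType choices then 9 to finish, critical?
CA_ANSWERS='5\n9\nn\ny\n\nn\n7\n9\nn\n'   # certSigning, CA, objectSigningCA
EE_ANSWERS='0\n9\nn\nn\n\nn\n3\n9\nn\n'   # digitalSignature, not a CA, objectSigning

new_db() {                   # $1 = db dir, $2 = password file
    mkdir -p "$1"
    certutil -N -d "$1" -f "$2"
}

# $1 = work dir. Builds root -> intermediate -> signer in $1/signingdir, then
# exports the CA certs as PEM and the signer (key included) as me.p12.
build_pki() {
    w=$1; db=$w/signingdir; pw=$w/pw
    mkdir -p "$w"; printf 'db-pass\n' > "$pw"
    head -c 64 /dev/urandom > "$w/noise"      # -z seeds the key generator
    new_db "$db" "$pw"
    printf "$CA_ANSWERS" | certutil -S -d "$db" -f "$pw" -z "$w/noise" \
        -n mysite.org -s "CN=mysite.org, O=mysite.org" -x -t ',,C' \
        -m 1 -v 120 -g 2048 -Z SHA256 -1 -2 -5
    printf "$CA_ANSWERS" | certutil -S -d "$db" -f "$pw" -z "$w/noise" \
        -n certs.mysite.org -s "CN=certs.mysite.org, O=certs.mysite.org" \
        -c mysite.org -t ',,C' -m 2 -v 96 -g 2048 -Z SHA256 -1 -2 -5
    printf "$EE_ANSWERS" | certutil -S -d "$db" -f "$pw" -z "$w/noise" \
        -n certs.mysite.org/me -s "CN=certs.mysite.org/me, O=certs.mysite.org" \
        -c certs.mysite.org -t ',,u' -m 3 -v 96 -g 2048 -Z SHA256 -1 -2 -5
    certutil -L -d "$db" -n mysite.org -a -o "$w/mysite.org.cacert"
    certutil -L -d "$db" -n certs.mysite.org -a -o "$w/certs_mysite_org.cacert"
    pk12util -o "$w/me.p12" -n certs.mysite.org/me -d "$db" -k "$pw" -W "$P12PASS"
}

# $1 = work dir. Separate signing db holding only the signer's key and the
# public CA chain; the root is the trust anchor, the intermediate is untrusted
# on its own and validates through the root.
build_signing_db() {
    w=$1; db=$w/signdb; pw=$w/pw
    new_db "$db" "$pw"
    pk12util -i "$w/me.p12" -d "$db" -k "$pw" -W "$P12PASS"
    certutil -A -d "$db" -n mysite.org -t ',,C' -a -i "$w/mysite.org.cacert"
    certutil -A -d "$db" -n certs.mysite.org -t ',,' -a -i "$w/certs_mysite_org.cacert"
}

# $1 = work dir, $2 = certutil usage letter (J = object signer, V = SSL server).
# Returns 0 only if NSS accepts the whole chain, signatures included, for that use.
check_usage() {
    certutil -V -d "$1/signdb" -n certs.mysite.org/me -u "$2" -e 2>&1 \
        | grep -q 'certificate is valid'
}

if [ "${1:-}" = run ]; then            # usage: sh ca.sh run /path/to/workdir
    build_pki "$2"
    build_signing_db "$2"
    check_usage "$2" J && echo "signer accepted for object signing"
    check_usage "$2" V || echo "signer refused for SSL server use, as intended"
fi
```

The nsCertType and keyUsage answers are what restrict the certificates: the same chain that passes the J (object signer) check fails the V (SSL server) check, so a leaked signing key cannot be turned into a TLS certificate for your domain.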