History for Create your own Certificate Authority
changed:
-
Largely borrowed from
http://w.csie.org/~piaip/docs/CreateMozApp/mozilla-chp-12-sect-5.html
but updated where those instructions didn't work for me.
Used Network Security Service tools version 3.11.5 with work around for
bad installation on Ubuntu which means you must link the nss directory
into whereever you run signtool from::
ln -s /usr/lib/nss .
Create the certificate authority root::
mkdir ~/signingdir
certutil -S -s "CN=mysite.org, O=mysite.org" -n "mysite.org"
-t ",,C" -x -d ~/signingdir -1 -2 -5
Generating key. This may take a few moments...
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signing key
6 - CRL signing key
Other to finish
5
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signing key
6 - CRL signing key
Other to finish
9
Is this a critical extension [y/N]?
n
Is this a CA certificate [y/N]?
y
Enter the path length constraint, enter to skip [<0 for unlimited path]:
Is this a critical extension [y/N]?
n
0 - SSL Client
1 - SSL Server
2 - S/MIME
3 - Object Signing
4 - Reserved for future use
5 - SSL CA
6 - S/MIME CA
7 - Object Signing CA
Other to finish
7
0 - SSL Client
1 - SSL Server
2 - S/MIME
3 - Object Signing
4 - Reserved for future use
5 - SSL CA
6 - S/MIME CA
7 - Object Signing CA
Other to finish
9
Is this a critical extension [y/N]?
n
Save this for later::
certutil -L -d ~/signingdir -n "mysite.org" -a -o mysite.org.cacert
Create the signing certificate authority::
certutil -S -n "certs.mysite.org" -s "CN=certs.mysite.org, O=certs.mysite.org" -c "mysite.org" -v 96 -t ",,C" -d ~/signingdir -1 -2 -5
Generating key. This may take a few moments...
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signing key
6 - CRL signing key
Other to finish
5
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signing key
6 - CRL signing key
Other to finish
9
Is this a critical extension [y/N]?
n
Is this a CA certificate [y/N]?
y
Enter the path length constraint, enter to skip [<0 for unlimited path]:
Is this a critical extension [y/N]?
n
0 - SSL Client
1 - SSL Server
2 - S/MIME
3 - Object Signing
4 - Reserved for future use
5 - SSL CA
6 - S/MIME CA
7 - Object Signing CA
Other to finish
7
0 - SSL Client
1 - SSL Server
2 - S/MIME
3 - Object Signing
4 - Reserved for future use
5 - SSL CA
6 - S/MIME CA
7 - Object Signing CA
Other to finish
9
Is this a critical extension [y/N]?
n
Export this so that it can be imported as an authority by anyone willing to
trust your signing authority::
certutil -L -d ~/signingdir -n "certs.mysite.org" -a -o certs_mysite_org.cacert
Generate a signing certificate for a particular user::
certutil -S -n "certs.mysite.org/me" -s "CN=certs.mysite.org/me, O=certs.mysite.org" -c "certs.mysite.org" -v 96 -t ",,C" -d ~/signingdir -1 -2 -5
Generating key. This may take a few moments...
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signing key
6 - CRL signing key
Other to finish
0
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signing key
6 - CRL signing key
Other to finish
5
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signing key
6 - CRL signing key
Other to finish
9
Is this a critical extension [y/N]?
n
Is this a CA certificate [y/N]?
n
Enter the path length constraint, enter to skip [<0 for unlimited path]:
Is this a critical extension [y/N]?
n
0 - SSL Client
1 - SSL Server
2 - S/MIME
3 - Object Signing
4 - Reserved for future use
5 - SSL CA
6 - S/MIME CA
7 - Object Signing CA
Other to finish
3
0 - SSL Client
1 - SSL Server
2 - S/MIME
3 - Object Signing
4 - Reserved for future use
5 - SSL CA
6 - S/MIME CA
7 - Object Signing CA
Other to finish
9
Is this a critical extension [y/N]?
n
Export with pk12util::
pk12util -o me.pk12 -n "certs.mysite.org/me" -d ~/signingdir
==================================================================
Now that we can make a completely separate signing data base that imports just the public
certificate authority and the signed certificate::
certutil -N -d .
pk12util -i me.pk12 -n "certs.mysite.org/me" -d .
certutil -A -n "certs.mysite.org" -t "u,u,Cu" -i ~/signingdir/certs_mysite_org.cacert -d .
Now you can sign jars as follows::
signtool -d . -p password -k "certs.mysite.org/me" -Z chrome_access_signed.jar chrome_access_signed
Forgot your password?
New user?