Create your own Certificate Authority
- Largely borrowed from http://w.csie.org/~piaip/docs/CreateMozApp/mozilla-chp-12-sect-5.html but updated where those instructions didn't work for me.
- Used Network Security Services (NSS) tools version 3.11.5, with a workaround for a bad installation on Ubuntu: you must link the nss directory into wherever you run signtool from:
ln -s /usr/lib/nss .
Create the certificate authority root:
mkdir ~/signingdir
certutil -S -s "CN=mysite.org, O=mysite.org" -n "mysite.org" -t ",,C" -x -d ~/signingdir -1 -2 -5
Generating key. This may take a few moments...
    0 - Digital Signature
    1 - Non-repudiation
    2 - Key encipherment
    3 - Data encipherment
    4 - Key agreement
    5 - Cert signing key
    6 - CRL signing key
    Other to finish
5
    0 - Digital Signature
    1 - Non-repudiation
    2 - Key encipherment
    3 - Data encipherment
    4 - Key agreement
    5 - Cert signing key
    6 - CRL signing key
    Other to finish
9
Is this a critical extension [y/N]? n
Is this a CA certificate [y/N]? y
Enter the path length constraint, enter to skip [<0 for unlimited path]:
Is this a critical extension [y/N]? n
    0 - SSL Client
    1 - SSL Server
    2 - S/MIME
    3 - Object Signing
    4 - Reserved for future use
    5 - SSL CA
    6 - S/MIME CA
    7 - Object Signing CA
    Other to finish
7
    0 - SSL Client
    1 - SSL Server
    2 - S/MIME
    3 - Object Signing
    4 - Reserved for future use
    5 - SSL CA
    6 - S/MIME CA
    7 - Object Signing CA
    Other to finish
9
Is this a critical extension [y/N]? n
Save this for later:
certutil -L -d ~/signingdir -n "mysite.org" -a -o mysite.org.cacert
Create the signing certificate authority:
certutil -S -n "certs.mysite.org" -s "CN=certs.mysite.org, O=certs.mysite.org" -c "mysite.org" -v 96 -t ",,C" -d ~/signingdir -1 -2 -5
Generating key. This may take a few moments...
    0 - Digital Signature
    1 - Non-repudiation
    2 - Key encipherment
    3 - Data encipherment
    4 - Key agreement
    5 - Cert signing key
    6 - CRL signing key
    Other to finish
5
    0 - Digital Signature
    1 - Non-repudiation
    2 - Key encipherment
    3 - Data encipherment
    4 - Key agreement
    5 - Cert signing key
    6 - CRL signing key
    Other to finish
9
Is this a critical extension [y/N]? n
Is this a CA certificate [y/N]? y
Enter the path length constraint, enter to skip [<0 for unlimited path]:
Is this a critical extension [y/N]? n
    0 - SSL Client
    1 - SSL Server
    2 - S/MIME
    3 - Object Signing
    4 - Reserved for future use
    5 - SSL CA
    6 - S/MIME CA
    7 - Object Signing CA
    Other to finish
7
    0 - SSL Client
    1 - SSL Server
    2 - S/MIME
    3 - Object Signing
    4 - Reserved for future use
    5 - SSL CA
    6 - S/MIME CA
    7 - Object Signing CA
    Other to finish
9
Is this a critical extension [y/N]? n
- Export this so that it can be imported as an authority by anyone willing to trust your signing authority:
certutil -L -d ~/signingdir -n "certs.mysite.org" -a -o certs_mysite_org.cacert
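To confirm what the exported CA files actually carry after answering the -1 and -2 prompts above (cA flag, path length constraint, key usage bits), here is an added Python checker; it is not part of these notes, uses only the standard library, walks just enough DER to reach the certificate extensions, and accepts the PEM that certutil -L -a writes. SAMPLE_CA_DER is a constructed stand-in for the parser, not a real certificate.

```python
import base64
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # 2.5.29.19
OID_KEY_USAGE = bytes.fromhex("551d0f")          # 2.5.29.15
KEY_USAGE_NAMES = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                   "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign"]
def der_tlv(buf, pos=0):
    """Decode the DER element at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(seq):
    """Yield (tag, value) for each element of a SEQUENCE body."""
    pos = 0
    while pos < len(seq):
        tag, val, pos = der_tlv(seq, pos)
        yield tag, val

def pem_to_der(pem):
    """Decode the PEM that certutil -L -a writes (e.g. certs_mysite_org.cacert)."""
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-")))

def cert_extensions(der):
    """Map extension OID -> extnValue, read from tbsCertificate [3] Extensions."""
    _, tbs, _ = der_tlv(der_tlv(der)[1])              # Certificate -> tbsCertificate
    result = {}
    for tag, val in der_children(tbs):
        if tag == 0xA3:                               # [3] EXPLICIT Extensions
            for _, ext in der_children(der_tlv(val)[1]):
                fields = list(der_children(ext))      # oid, [critical BOOLEAN], OCTET STRING
                result[fields[0][1]] = fields[-1][1]
    return result

def summarize(der):
    """Return (cA, pathLen, key usage names); pathLen None = none set ('enter to skip' above)."""
    exts = cert_extensions(der)
    fields = dict(der_children(der_tlv(bc)[1])) if (bc := exts.get(OID_BASIC_CONSTRAINTS)) else {}
    pathlen = int.from_bytes(fields[0x02], "big") if 0x02 in fields else None
    ku = exts.get(OID_KEY_USAGE)
    byte0 = der_tlv(ku)[1][1] if ku else 0            # first BIT STRING byte after the unused-bits count
    usage = {n for i, n in enumerate(KEY_USAGE_NAMES) if byte0 >> (7 - i) & 1}
    return fields.get(0x01) == b"\xff", pathlen, usage

# Constructed sample, not a real certificate: the extensions the -1/-2 answers above request.
SAMPLE_CA_DER = bytes.fromhex(
    "3027 3025 020101 a320 301e"                  # Certificate, tbsCertificate, serial, [3] Extensions
    "300c 0603551d13 0405 3003 0101ff"            # basicConstraints: cA=TRUE, no pathLenConstraint
    "300e 0603551d0f 0101ff 0404 0302 0106")      # keyUsage (critical): keyCertSign, cRLSign
```

On a real file run summarize(pem_to_der(open("certs_mysite_org.cacert").read())); for the signing CA built above expect cA True and pathLen None, because the path length prompt was skipped, so that CA can itself issue further CAs.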
Generate a signing certificate for a particular user:
certutil -S -n "certs.mysite.org/me" -s "CN=certs.mysite.org/me, O=certs.mysite.org" -c "certs.mysite.org" -v 96 -t ",,C" -d ~/signingdir -1 -2 -5
Generating key. This may take a few moments...
    0 - Digital Signature
    1 - Non-repudiation
    2 - Key encipherment
    3 - Data encipherment
    4 - Key agreement
    5 - Cert signing key
    6 - CRL signing key
    Other to finish
0
    0 - Digital Signature
    1 - Non-repudiation
    2 - Key encipherment
    3 - Data encipherment
    4 - Key agreement
    5 - Cert signing key
    6 - CRL signing key
    Other to finish
5
    0 - Digital Signature
    1 - Non-repudiation
    2 - Key encipherment
    3 - Data encipherment
    4 - Key agreement
    5 - Cert signing key
    6 - CRL signing key
    Other to finish
9
Is this a critical extension [y/N]? n
Is this a CA certificate [y/N]? n
Enter the path length constraint, enter to skip [<0 for unlimited path]:
Is this a critical extension [y/N]? n
    0 - SSL Client
    1 - SSL Server
    2 - S/MIME
    3 - Object Signing
    4 - Reserved for future use
    5 - SSL CA
    6 - S/MIME CA
    7 - Object Signing CA
    Other to finish
3
    0 - SSL Client
    1 - SSL Server
    2 - S/MIME
    3 - Object Signing
    4 - Reserved for future use
    5 - SSL CA
    6 - S/MIME CA
    7 - Object Signing CA
    Other to finish
9
Is this a critical extension [y/N]? n
Export with pk12util:
pk12util -o me.pk12 -n "certs.mysite.org/me" -d ~/signingdir
Now we can make a completely separate signing database that imports just the public certificate authority and the signed certificate:
certutil -N -d .
pk12util -i me.pk12 -n "certs.mysite.org/me" -d .
certutil -A -n "certs.mysite.org" -t "u,u,Cu" -i ~/signingdir/certs_mysite_org.cacert -d .
Now you can sign jars as follows:
signtool -d . -p password -k "certs.mysite.org/me" -Z chrome_access_signed.jar chrome_access_signed