Working with CA-signed certificates.
- Generate a private key with a self-signed certificate for code signing.
keytool -genkey -alias code_signing -keyalg RSA -keysize 2048 -sigalg sha256WithRSA -validity 730 -keystore myStore.p12 -storetype pkcs12 -storepass env:kpwd -dname "CN=CodeSigning" -ext KU="digitalSignature" -ext EKU="codeSigning"
- List contents of my newly created keystore.
keytool -list -keystore myStore.p12 -storetype pkcs12 -storepass env:kpwd -v
- Generate a certificate signing request (CSR) for the code_signing key.
keytool -certreq -keystore myStore.p12 -storetype pkcs12 -storepass env:kpwd -alias code_signing -sigalg sha256WithRSA -file code_signing.csr
- Bring the generated CSR onto the machine that runs the OpenSSL CA.
scp hashi@akaza:keyStores/code_signing.csr .
- Sign the CSR using OpenSSL CA.
openssl ca -config myCA/myIssuing/myIssuing.cnf -extensions code_signing -days 730 -notext -md sha256 -in code_signing.csr -out code_signing.cer
- Pass the signed certificate to the machine that has the keystore.
scp code_signing.cer hashi@akaza:keyStores/
> There are three ways to import the signed certificate into a keystore.
1. By using a P7B (PKCS#7) bundle.
Generate a p7b file
openssl crl2pkcs7 -nocrl -certfile myRoot.cer -certfile myIssuing.cer -certfile code_signing.cer -out code_signing.p7b
Import certificates from the p7b file into the keystore.
keytool -importcert -keystore myStore.p12 -storetype pkcs12 -storepass env:kpwd -alias code_signing -file code_signing.p7b
2. Manually import all certificates.
When importing manually you must start from the root, then the issuing (intermediate) CA, and finally the issued certificate, so that each certificate can be verified against the one imported before it.
keytool -importcert -alias myRoot -keystore myStore.p12 -storetype pkcs12 -storepass env:kpwd -file myRoot.cer
keytool -importcert -alias myIssuing -keystore myStore.p12 -storetype pkcs12 -storepass env:kpwd -file myIssuing.cer
keytool -importcert -keystore myStore.p12 -storetype pkcs12 -storepass env:kpwd -alias code_signing -file code_signing.cer
3. Add the CA certificates to cacerts (the Java trust store) and then import the signed certificate with -trustcacerts.
sudo keytool -importcert -alias myRoot -keystore /opt/java/jdk1.8.0_333/jre/lib/security/cacerts -file myRoot.cer
sudo keytool -importcert -alias myIssuing -keystore /opt/java/jdk1.8.0_333/jre/lib/security/cacerts -file myIssuing.cer
keytool -importcert -keystore myStore.p12 -storetype pkcs12 -storepass env:kpwd -alias code_signing -file code_signing.cer -trustcacerts
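Before running any of the three imports, it is worth confirming that the certificate the CA returned is the one you expect. The shell function below is an added example (not part of the original notes): it checks that code_signing.cer chains to myRoot.cer through myIssuing.cer, carries the codeSigning extended key usage that the code_signing profile should have set, and holds the same public key as code_signing.csr, since keytool refuses a certificate reply whose public key does not match the private key stored under the alias. File names are the ones used above, and all files are assumed to be PEM.

```shell
#!/bin/sh
# Added example, not from the original notes. Pre-import checks on the
# certificate returned by the OpenSSL CA. Assumed PEM files named as above.

# check_signed_cert ROOT ISSUING CSR CERT
# Succeeds only if CERT chains to ROOT via ISSUING, has the codeSigning EKU,
# and carries the same public key as CSR.
check_signed_cert() {
    root=$1; issuing=$2; csr=$3; cert=$4

    # 1. Chain: leaf -> issuing CA -> root, using only the CA files we expect.
    if ! openssl verify -CAfile "$root" -untrusted "$issuing" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $root via $issuing" >&2
        return 1
    fi

    # 2. EKU: the CA's code_signing profile must have added extendedKeyUsage=codeSigning.
    if ! openssl x509 -in "$cert" -noout -text 2>/dev/null \
            | grep -A1 'X509v3 Extended Key Usage' | grep -q 'Code Signing'; then
        echo "FAIL: $cert lacks the Code Signing extended key usage" >&2
        return 1
    fi

    # 3. Key match: keytool rejects a reply whose public key differs from the
    #    private key stored under the alias, so compare CSR and cert keys.
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    if [ -z "$csr_pub" ] || [ "$csr_pub" != "$cert_pub" ]; then
        echo "FAIL: public key in $cert does not match $csr" >&2
        return 1
    fi

    echo "OK: $cert is ready to import under alias code_signing"
    return 0
}

# Stand-alone use: ./check_cert.sh myRoot.cer myIssuing.cer code_signing.csr code_signing.cer
if [ "$#" -eq 4 ]; then
    check_signed_cert "$@"
fi
```

A non-zero exit means one of the three checks failed; the message on stderr says which, so the problem can be fixed on the CA side before anything is written into myStore.p12.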