How to Sign a Jar with a Valid Certificate
If you want to publish your signed JARs, you will probably need a 'real' certificate from a trusted certificate authority (CA) such as VeriSign or Thawte. Otherwise the user will see warnings or may even be unable to install the JAR, depending on the JAR's purpose and the user's privileges. What matters to the user's Java runtime is that the certificate chain leads to a root CA it already trusts; a self-signed certificate never does.
The exact process of getting the certificate depends on the certificate authority you decide on. So the first step is to find a CA on the web. A few suggested CAs are VeriSign, Thawte and Certum. The product you are looking for is called something like 'Code Signing Certificate for Java'. Be aware that certificates cost roughly between 100 and 500 USD/EUR per year, depending on the CA.
Once you have decided on a CA, just follow their instructions. Usually, getting the certificate works like this:
- You create a key pair (exactly as you would for a self-signed certificate, described in the previous how-to). The private key stays in your keystore from now on.
- You use keytool to create a CSR (certificate signing request) file and send this file to the CA. The CSR contains only your public key and your subject name, never the private key.
- The CA verifies your identity. This step will either involve some paperwork, or you may have to visit one of the CA's offices with an ID card.
- The CA sends you a certificate, usually together with its intermediate and root certificates, to import into your keystore under the same alias as your key pair.
Once you're done, you can sign JARs with the certificate as you would sign with a self-signed certificate (see previous How-To). Sign with a timestamp (jarsigner's -tsa option, pointing at a timestamping service your CA provides); without one the signature is only trusted for as long as the certificate itself is valid, so every JAR would have to be re-signed when the certificate is renewed.
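The whole procedure above as one script, added here as an example and not part of the original how-to: key pair, CSR, import of the CA reply, signing with an optional timestamp, and a verification that shows what a user's JVM will see. The alias "codesign", the PKCS12 keystore name, the placeholder passphrase and distinguished name, RSA-3072, and the TSA_URL variable are assumptions of this example; the CA's reply file format and the timestamp URL come from your CA.

```shell
#!/bin/sh
# Added example: keytool/jarsigner steps for a CA-issued code signing
# certificate. Names below are placeholders, not from the original how-to.
set -eu

ALIAS="${ALIAS:-codesign}"                  # assumed alias; signature files become CODESIGN.SF/.RSA
KEYSTORE="${KEYSTORE:-codesign.p12}"        # assumed keystore file (PKCS12)
STOREPASS="${STOREPASS:-changeit}"          # placeholder passphrase; use a real, unshared one
DNAME="${DNAME:-CN=Example Ltd, O=Example Ltd, L=Berlin, C=DE}"  # placeholder; must match what the CA verifies

# Step 1: create the key pair. The private key never leaves this keystore.
gen_key() {
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 3072 -sigalg SHA256withRSA \
        -dname "$DNAME" -validity 365 \
        -storetype PKCS12 -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Step 2: write the CSR (PKCS#10) to the given file. Only the public key and
# the subject name go into it; send this file to the CA, never the keystore.
gen_csr() {
    keytool -certreq -alias "$ALIAS" -sigalg SHA256withRSA -file "$1" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Step 4: import the CA's reply under the SAME alias as the key pair, so it
# replaces the self-signed certificate. keytool builds the chain from the reply
# and, with -trustcacerts, the JDK's cacerts. If the CA ships intermediates
# separately, import them first under their own aliases, e.g.
#   keytool -importcert -trustcacerts -alias ca-intermediate -file intermediate.cer \
#       -keystore "$KEYSTORE" -storepass "$STOREPASS"
# If keytool asks "Install reply anyway?", the chain did not validate: answer no.
import_ca_reply() {
    keytool -importcert -trustcacerts -alias "$ALIAS" -file "$1" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Sign the JAR. With TSA_URL set (a timestamping service from your CA), the
# signature carries a timestamp and stays valid after the certificate expires.
sign_jar() {
    if [ -n "${TSA_URL:-}" ]; then
        jarsigner -keystore "$KEYSTORE" -storepass "$STOREPASS" \
            -digestalg SHA-256 -sigalg SHA256withRSA -tsa "$TSA_URL" "$1" "$ALIAS"
    else
        jarsigner -keystore "$KEYSTORE" -storepass "$STOREPASS" \
            -digestalg SHA-256 -sigalg SHA256withRSA "$1" "$ALIAS"
    fi
}

# Verify the signature and print the signer certificates; exit status 0 means
# the signature matches, warnings (self-signed, expired, chain not validated)
# are still printed.
verify_jar() {
    jarsigner -verify -verbose -certs "$1"
}

# Same check with -strict: the warnings above become a non-zero exit status,
# which is the check to run before publishing a CA-signed JAR.
verify_jar_strict() {
    jarsigner -verify -strict -verbose -certs "$1"
}

# Usage: sh sign-jar.sh genkey | csr out.csr | import reply.cer | sign app.jar | verify app.jar | strict app.jar
if [ $# -gt 0 ]; then
    cmd="$1"; shift
    case "$cmd" in
        genkey) gen_key ;;
        csr)    gen_csr "$1" ;;
        import) import_ca_reply "$1" ;;
        sign)   sign_jar "$1" ;;
        verify) verify_jar "$1" ;;
        strict) verify_jar_strict "$1" ;;
        *)      echo "unknown command: $cmd" >&2; exit 2 ;;
    esac
fi
```

Run the steps in order (genkey, csr, send the CSR to the CA, import, sign, strict). Until the CA reply has been imported, the keystore still holds the self-signed certificate, so signing works but the strict verification reports the signer as self-signed, which is exactly the warning the user would otherwise see.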