Internet Explorer

Microsoft, as usual, has come up with entirely new solutions to the problem of code signing. It uses its own archive format and a set of code-signing tools based around the Microsoft CryptoAPI.

Recipe

You’ll have to install two pieces of software to sign code for Internet Explorer. First, you’ll need the browser, Internet Explorer 4.0, available from http://www.microsoft.com/ie/ie40/. For the archive and code-signing tools, you’ll need the SDK for Java 2.0, available from http://www.microsoft.com/java/.

Prepare a Signer

Microsoft’s tools allow you to create a test certificate that you can use for signing. This means you can experiment with signed applets without shelling out $20 for a real certificate. If you want to sign code with a real certificate, you can buy one from VeriSign (http://www.verisign.com/).

To create a test certificate, you can use tools that are installed as part of the SDK for Java, in the SDK-Java.20\Bin\PackSign directory:

MakeCert -sk JonathanKey -n CN=JonathanCompany Jonathan.cert

This creates a certificate file called Jonathan.cert. It uses the secret key called JonathanKey. If there is no such key, MakeCert creates one. This key is stored in a private key management database and can be accessed later. The -n option is used to specify what name is placed on the newly created certificate. You need a Software Publisher Certificate (SPC) to sign code. The SDK for Java has a handy utility that converts a certificate into an SPC:

Cert2SPC Jonathan.cert ...

Get Java Cryptography now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.