Internet Explorer
Microsoft, as usual, has come up with entirely new solutions to the problem of code signing. It uses its own archive format and a set of code-signing tools based around the Microsoft CryptoAPI.
Recipe
You’ll have to install two pieces of software to sign code for Internet Explorer. First, you’ll need the browser, Internet Explorer 4.0, available from http://www.microsoft.com/ie/ie40/. For the archive and code-signing tools, you’ll need the SDK for Java 2.0, available from http://www.microsoft.com/java/.
Prepare a Signer
Microsoft’s tools allow you to create a test certificate that you can use for signing. This means you can experiment with signed applets without shelling out $20 for a real certificate. If you want to sign code with a real certificate, you can buy one from VeriSign (http://www.verisign.com/).
To create a test certificate, you can use tools that are installed as part of the SDK for Java, in the SDK-Java.20\Bin\PackSign directory:
MakeCert -sk JonathanKey -n CN=JonathanCompany Jonathan.cert
This creates a certificate file called
Jonathan.cert. It uses the secret key called
JonathanKey
. If there is no such key,
MakeCert
creates one. This key is stored in a
private key management database and can be accessed later. The
-n
option is used to specify what name is placed
on the newly created certificate. You need a
Software Publisher Certificate (SPC) to
sign code. The SDK for Java has a handy utility that converts a
certificate into an SPC:
Cert2SPC Jonathan.cert ...
Get Java Cryptography now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.