Third-Party Certificates
Figures B-6 and B-12 show the problem with using self-signed certificates in an application: JWS issues a scary message. The solution is to replace the certificate by one generated by a trusted third party: a CA. Popular CAs include Verisign (http://www.verisign.com/), Thawte (http://www.thawte.com/), and Entrust (http://www.entrust.com). These companies charge money for their services, but a free alternative is CACert.org (https://www.cacert.org/).
Beefing up the certificate for a keypair consists of the following steps:
1. Extract a Certificate Signing Request (CSR) from the keypair.
2. Send the CSR to the CA, requesting a certificate.
3. After checking the returned certificate, import it into the keystore, replacing the keypair's self-signed certificate.
4. Start signing JARs with the keypair.
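Step 3 is the one that is easy to skip: the CA's reply should be checked before it overwrites the self-signed certificate in the keystore. The following program is an added example, not code from the book, that performs the checks a practitioner would want: the returned certificate wraps the same public key that went out in the CSR, it is within its validity period, it is not merely self-signed, and its chain validates against a trusted root (the JDK's default trust store, plus an optional CA root file obtained out of band, which is needed for a CA such as CACert.org whose root is not shipped with the JDK). The file names, the alias BugRunner and the usage line are assumptions for this example; the keystore password is read from the console.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/*
 * Checks a CA-issued certificate before "keytool -import" replaces the
 * keypair's self-signed certificate with it. Assumed usage (file names and
 * alias are illustrative):
 *   java CheckCertReply MyKeyStore BugRunner BugRunner.cer [ca-root.cer]
 * The reply file may be PEM or DER and may hold a chain, leaf first.
 */
public class CheckCertReply {

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: CheckCertReply <keystore> <alias> <reply-file> [ca-root-file]");
            System.exit(2);
        }
        // Assumes an interactive terminal; System.console() is null otherwise.
        char[] pw = System.console().readPassword("Keystore password: ");

        // 1. The public key that was embedded in the CSR.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, pw);
        }
        PublicKey ourKey = ks.getCertificate(args[1]).getPublicKey();

        // 2. The CA's reply: one certificate or a chain.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> reply = new ArrayList<>();
        try (FileInputStream in = new FileInputStream(args[2])) {
            for (Certificate c : cf.generateCertificates(in)) {
                reply.add((X509Certificate) c);
            }
        }
        X509Certificate leaf = reply.get(0);

        // 3. The leaf must certify *our* key; otherwise the CA signed a
        //    different CSR or the file was swapped in transit.
        if (!leaf.getPublicKey().equals(ourKey)) {
            fail("public key in reply does not match keystore entry " + args[1]);
        }
        // 4. Within its validity period, and actually CA-issued.
        leaf.checkValidity();
        if (leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
            fail("reply is self-signed; that is no better than the certificate we have");
        }

        // 5. The chain must lead to a root we trust. Roots handed to us
        //    out of band should have their fingerprint checked first.
        Set<TrustAnchor> anchors = defaultTrustAnchors();
        if (args.length > 3) {
            try (FileInputStream in = new FileInputStream(args[3])) {
                anchors.add(new TrustAnchor((X509Certificate) cf.generateCertificate(in), null));
            }
        }
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate c : reply) {
            // Self-signed roots belong among the anchors, not in the path.
            if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) {
                path.add(c);
            }
        }
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // no CRL/OCSP access assumed here
        CertPath certPath = cf.generateCertPath(path);
        CertPathValidator.getInstance("PKIX").validate(certPath, params); // throws on failure

        System.out.println("OK: " + leaf.getSubjectX500Principal()
                + " issued by " + leaf.getIssuerX500Principal()
                + ", valid until " + leaf.getNotAfter());
    }

    // Trust anchors from the JDK's default trust store (cacerts).
    private static Set<TrustAnchor> defaultTrustAnchors() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the default trust store
        Set<TrustAnchor> anchors = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate root : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    anchors.add(new TrustAnchor(root, null));
                }
            }
        }
        return anchors;
    }

    private static void fail(String msg) {
        System.err.println("REJECT: " + msg);
        System.exit(1);
    }
}
```

Only after this program reports OK should the reply be imported over the BugRunner entry. Revocation checking is switched off because the example is written to run offline; a production check would leave it on so that a revoked intermediate is caught.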
Extract a CSR
Generate a CSR with the -certreq option to keytool:
keytool -certreq -keystore MyKeyStore -alias BugRunner -file BugRunner.csr
This generates a CSR for the BugRunner keypair, stored in BugRunner.csr, a text file of this form:
-----BEGIN NEW CERTIFICATE REQUEST-----
MIICoDCCAl4C.....
// many more lines .....
-----END NEW CERTIFICATE REQUEST-----
Request a Certificate
The CSR is sent to the CA, usually by pasting its text into a web form accessed over a secure link (an HTTPS URL). At CACert.org, this step requires some preliminary work. The user must first join the free CACert.org and send in details about the web domain that they control. This information is checked with ...