GeoTrust Code Signing Credentials™ for Java and Microsoft Authenticode
Frequently Asked Questions
- What kinds of code can I sign?
- How do I sign code using my GeoTrust Code Signing certificate for verification by Authenticode?
- How do I sign my Java applications using my GeoTrust Code Signing Credential for Sun Java?
- How do I generate the CSR for my Java Code Signing Certificate?
- Who can get a code signing certificate from GeoTrust?
- Will Code Signing Credentials purchased for use with Microsoft Authenticode work with the Netscape Object Signing Protocols?
- What is timestamping? What does it do for me?
- Is there an extra charge for using GeoTrust’s timestamping service?
- What are some troubleshooting tips if I am having trouble signing my code?
- Where should I store my private key?
- Why do I want to sign my applications?
- What do the safety levels mean for Internet Explorer 3.0 +?
- By signing my code, does that prevent it from being exported?
- When I tried to submit my application, I saw a message that my key pair could not be generated. What should I do?
- What happens if my private key is damaged, lost, stolen, or destroyed?
- What is the GeoTrust Timestamp URL?
1. What kinds of code can I sign?
For the Code Signing Credentials for Authenticode, developers can sign .exe, .dll, .class, .cab and .ocx (ActiveX) files for Windows.
For the Code Signing Credentials for Sun Java, developers can sign .jar files (Java applets and applications) for Sun Java.
2. How do I sign code using my GeoTrust Code Signing certificate for verification by Authenticode?
First, you should check to see that you are running the correct versions of all the tools you are using, including:
- Internet Explorer 3.02 or later
- Authenticode 2.0
- The ActiveX SDK, and Code Signing Tools.
Secondly, you need to enroll for a Code Signing Credential for Microsoft Authenticode from GeoTrust.
Go to www.geotrust.com/codesigning/java_ms_authenticode/order.htm for enrollment instructions.
When you have completed the enrollment process for a CSC for Authenticode, GeoTrust will send you an email containing a link from which to pick up your certificate. Following that link installs the certificate and has your browser generate the private key, which is written to a .pvk file (for example MyPrivateKey.pvk). Store this file on a diskette kept in a safe location, and make a back-up copy that is protected just as carefully, because you need the key to sign code. The private key is never sent to GeoTrust, so if you lose it you will be unable to sign code and nobody can recover it for you. If the key is lost or stolen, contact GeoTrust immediately to have the certificate revoked.
You then need to prepare your files to be signed. PE files (.exe, .ocx, .dll and similar) need no preparation. For .cab files, add the following directive to your .ddf file before creating the cabinet, so that makecab reserves header space for the signature: .Set ReservePerCabinetSize=6144
Once you have prepared your files, follow the instructions listed on www.geotrust.com/codesigning/java_ms_authenticode/how_to.htm for signing your applications to be verified by Microsoft Authenticode.
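As an added example (not code from GeoTrust's how_to page or from Microsoft), here is the CAB preparation and signing flow described above as a shell script. The tools makecab, signcode and chktrust are Microsoft's Authenticode tools; the file names app.ddf, app.cab, MyControl.ocx, MyCert.spc and MyPrivateKey.pvk are assumptions, and the timestamp URL is the one given in Q16. The Microsoft tools only run on Windows (for example from a Git Bash prompt); the DDF check is plain shell and runs anywhere.

```shell
#!/bin/sh
# Added example, not GeoTrust's or Microsoft's code: build a signable CAB and
# sign it with the Authenticode tools the FAQ refers to. File names are assumed.
set -eu

TIMESTAMP_URL="http://www.trustcenter.de/codesigning/timestamp"   # from Q16

# Write a Diamond Directive File. The ReservePerCabinetSize line is the one the
# FAQ requires: makecab reserves 6144 bytes in the cabinet header, which is
# where signcode later stores the signature.
write_ddf() {   # usage: write_ddf app.ddf
  cat > "$1" <<'EOF'
.OPTION EXPLICIT
.Set CabinetNameTemplate=app.cab
.Set DiskDirectoryTemplate=.
.Set Cabinet=on
.Set Compress=on
.Set ReservePerCabinetSize=6144
MyControl.ocx
EOF
}

# Returns 0 if the DDF reserves a non-zero amount of signature space. Run it as
# a pre-flight check so the build fails here rather than at signing time.
ddf_reserves_signature_space() {   # usage: ddf_reserves_signature_space app.ddf
  grep -Eiq '^[[:space:]]*\.Set[[:space:]]+ReservePerCabinetSize=[1-9][0-9]*' "$1"
}

sign_and_verify() {   # usage: sign_and_verify app.cab
  # -spc: certificate issued by GeoTrust; -v: the .pvk written at pickup;
  # -t: timestamp server, so the signature outlives the certificate (Q7).
  signcode -spc MyCert.spc -v MyPrivateKey.pvk \
           -n "My Control" -i "http://www.example.com/" \
           -t "$TIMESTAMP_URL" "$1"
  chktrust "$1"   # runs the same trust check Internet Explorer performs
}

if [ "${1:-}" = "build" ]; then
  write_ddf app.ddf
  ddf_reserves_signature_space app.ddf || { echo "app.ddf lacks ReservePerCabinetSize" >&2; exit 1; }
  makecab /f app.ddf
  sign_and_verify app.cab
fi
```

Run it as `sh sign_cab.sh build` on the Windows machine that holds the .pvk diskette; the `-t` option is what makes the signature carry a GeoTrust timestamp, so leaving it out produces code that stops verifying when the certificate expires.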
3. How do I sign my Java applications using my GeoTrust Code Signing Credential for Sun Java?
First, generate a Certificate Signing Request (CSR) as described in Q4 below. Then enroll for a Code Signing Credential for Sun Java on the GeoTrust site and paste the CSR into the enrollment form. After completing the verification process, GeoTrust will issue your certificate, which you import into the same keystore that holds the key pair. You can then start signing your .jar and other Java files by following the instructions at www.geotrust.com/codesigning/java_ms_authenticode/how_to.htm.
4. How do I generate the CSR for my Java Code Signing Certificate?
Generating the Certificate Signing Request is a two-step process: first you generate the public and private key pair, and then you generate the Certificate Signing Request (CSR) from it. The tool you need for both steps, keytool, is included in the Java 2 SDK, which is freely available from java.sun.com.
Tool      Use
keytool   Generate your private and public key pair.
          Generate your CSR.
How to generate your key pair:
The command syntax is:
>keytool -genkey -keyalg rsa -alias MyAlias
In the command syntax, MyAlias is a name that will be associated with this key pair, and that you will use again when generating the CSR and when importing your code signing certificate.
You will be prompted to enter a password to protect the private key. You will also be prompted to enter your name and information about your organization; these values are placed in the CSR and are what GeoTrust verifies.
Example
The following example assumes you want to use the alias “CodeSigningCert” for referring to the key pair in subsequent commands.
>keytool -genkey -keyalg rsa -alias CodeSigningCert
How to generate your CSR:
The command syntax is:
>keytool -certreq -alias MyAlias -file MyCSR
MyAlias must be the same value that you used when generating the key pair. MyCSR is the file that will contain the CSR when the command completes. You will copy-and-paste the contents of this file into a form when you apply for your Java Code Signing certificate. The CSR should look similar to the following:
-----BEGIN NEW CERTIFICATE REQUEST-----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-----END NEW CERTIFICATE REQUEST-----
Example
The following example assumes you used the alias “CodeSigningCert” when creating the key pair, and that the CSR is to be written to a file named “MyCSRFile” in the current directory.
>keytool -certreq -alias CodeSigningCert -file MyCSRFile
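The two keytool steps above, scripted end to end and continued through the steps the FAQ only alludes to (importing the issued certificate and signing a JAR with jarsigner), as an added example that is not GeoTrust's code. The keystore name codesign.jks, the alias CodeSigningCert, the CSR file MyCSRFile, the certificate files geotrust_issued.cer and geotrust_chain.cer, the subject in -dname and the TSA_URL placeholder are all assumptions; keytool and jarsigner are the JDK's own tools and run only where a JDK is installed, while the CSR check is plain shell.

```shell
#!/bin/sh
# Added example (not GeoTrust's code): the keytool flow from Q4 scripted end to
# end, plus what follows once the certificate is issued. File names, alias and
# subject are assumed. Passwords come from the STOREPASS environment variable
# so they never land in shell history.
set -eu

KEYSTORE=codesign.jks
ALIAS=CodeSigningCert
CSR_FILE=MyCSRFile

need_pass() { : "${STOREPASS:?set STOREPASS to the keystore password}"; }

# Step 1: key pair. -genkeypair is the current spelling of the FAQ's -genkey
# (older JDKs still accept -genkey). -dname replaces the interactive prompts;
# its values become the CSR subject, which is what GeoTrust verifies (Q5).
gen_keypair() {
  need_pass
  keytool -genkeypair -keyalg RSA -keysize 2048 -alias "$ALIAS" \
          -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS" \
          -dname "CN=Example Corp, O=Example Corp, L=Boston, ST=MA, C=US"
}

# Step 2: CSR. The same alias selects the key pair created above.
gen_csr() {
  need_pass
  keytool -certreq -alias "$ALIAS" -file "$CSR_FILE" \
          -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Pre-flight check before pasting into the enrollment form: PEM framing on the
# first and last lines, a non-empty body, and nothing but base64 in between.
# CR characters are stripped so a file written on Windows also passes.
check_csr_file() {   # usage: check_csr_file MyCSRFile
  f=$1
  head -n 1 "$f" | tr -d '\r' | grep -Eq '^-----BEGIN (NEW )?CERTIFICATE REQUEST-----$' || return 1
  tail -n 1 "$f" | tr -d '\r' | grep -Eq '^-----END (NEW )?CERTIFICATE REQUEST-----$'   || return 1
  body=$(sed '1d;$d' "$f" | tr -d '\r')
  [ -n "$body" ] || return 1
  if printf '%s\n' "$body" | grep -Evq '^[A-Za-z0-9+/=]+$'; then return 1; fi
  return 0
}

# Step 3 (after issuance): import the CA chain first, then the issued
# certificate under the SAME alias so keytool pairs it with the private key.
import_issued_cert() {
  need_pass
  keytool -importcert -trustcacerts -noprompt -alias geotrustca \
          -file geotrust_chain.cer -keystore "$KEYSTORE" -storepass "$STOREPASS"
  keytool -importcert -trustcacerts -alias "$ALIAS" \
          -file geotrust_issued.cer -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Step 4: sign a JAR and verify it. jarsigner's -tsa needs an RFC 3161
# timestamp authority; the Authenticode URL in Q16 speaks a different protocol,
# so TSA_URL is an assumed placeholder to replace with one your CA provides.
sign_jar() {   # usage: sign_jar app.jar
  need_pass
  jar=$1
  set -- "$jar" "$ALIAS"
  if [ -n "${TSA_URL:-}" ]; then set -- -tsa "$TSA_URL" "$@"; fi
  jarsigner -keystore "$KEYSTORE" -storepass "$STOREPASS" \
            -digestalg SHA-256 -sigalg SHA256withRSA "$@"
  jarsigner -verify -verbose -certs "$jar"
}

case "${1:-}" in
  request) gen_keypair; gen_csr
           check_csr_file "$CSR_FILE" && echo "$CSR_FILE is ready to paste into the enrollment form" ;;
  install) import_issued_cert ;;
  sign)    sign_jar "$2" ;;
  "")      ;;   # no arguments: only define the functions
  *)       echo "usage: $0 request | install | sign app.jar" >&2; exit 2 ;;
esac
```

Run `STOREPASS=... sh java_codesign.sh request` before enrolling, `install` once GeoTrust has sent the certificate, and `sign app.jar` for each release. The issued certificate must go in under the alias used for the key pair; importing it under a new alias stores it as a trusted certificate only and jarsigner will not find a private key for it.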
5. Who can get a code signing certificate from GeoTrust?
Developers worldwide who are associated with an organization can obtain a Code Signing Credential from GeoTrust. You will need to supply a Dun & Bradstreet number or proper documentation of company registration (e.g. Articles of Incorporation). You will also need to provide an organization contact who can verify that you are authorized to order a CSC for that organization.
6. Will Code Signing Credentials purchased for use with Microsoft Authenticode work with the Netscape Object Signing Protocols?
Unfortunately, no. Due to technological differences between Authenticode and Object Signing, as well as differences in the security and authentication policies of Microsoft and Netscape, developers will need to obtain separate software signing certificates if they wish to sign code for Authenticode and Object Signing.
7. What is timestamping? What does it do for me?
It is a well established security principle that digital certificates should expire. Your GeoTrust Code Signing Credential will expire one, two, or three years after it is issued, but your application code may well have a longer lifetime. To avoid having to re-sign software every time your certificate expires, GeoTrust offers a timestamping service. When you sign your code with timestamping enabled, the signing tool sends a hash (never the code itself) to GeoTrust's timestamp server, which countersigns it with the current time. When your code is later downloaded, clients can then distinguish between:
- Code signed with an expired certificate, which should NOT be trusted, and
- Code signed with a certificate that was valid at the time the code was signed but has expired since. This code can still be trusted, because the timestamp proves the signature predates the expiry (and, if the certificate was later revoked, predates the revocation).
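The decision a verifier makes when it meets a signed file, written out as an added example (not GeoTrust's code) in a shell function over Unix epoch seconds so it runs anywhere. It goes a little beyond the two cases listed above by also handling a revoked certificate (the situation Q15 describes): a timestamp earlier than the revocation date keeps the signature valid, a later one does not, and an untimestamped signature from a revoked certificate is always rejected. The certificate dates in the demo are constructed.

```shell
#!/bin/sh
# Added example, not GeoTrust's code: how a verifier evaluates a signature with
# and without a trusted timestamp. All times are Unix epoch seconds.
#
# assess_signature NOT_BEFORE NOT_AFTER NOW [TIMESTAMP] [REVOKED_AT]
# Prints a verdict; returns 0 when the code should be trusted, 1 otherwise.
assess_signature() {
  nb=$1; na=$2; now=$3; ts=${4:-}; rev=${5:-}
  if [ -z "$ts" ]; then
    # No countersignature: the only instant we can evaluate is "now".
    if [ -n "$rev" ] && [ "$now" -ge "$rev" ]; then
      echo "REJECT: certificate revoked and signature not timestamped"; return 1
    fi
    if [ "$now" -lt "$nb" ] || [ "$now" -gt "$na" ]; then
      echo "REJECT: not timestamped and certificate not valid now"; return 1
    fi
    echo "TRUST: certificate valid now (will fail once it expires)"; return 0
  fi
  # A trusted timestamp moves the evaluation instant back to signing time.
  if [ "$ts" -lt "$nb" ] || [ "$ts" -gt "$na" ]; then
    echo "REJECT: certificate was not valid at signing time"; return 1
  fi
  if [ -n "$rev" ] && [ "$ts" -ge "$rev" ]; then
    echo "REJECT: signed after the certificate was revoked"; return 1
  fi
  echo "TRUST: certificate valid when signed; expiry since then is irrelevant"; return 0
}

# Constructed demo: a one-year certificate, code signed a month in, checked two
# years after issuance, once with the key revoked the day before signing.
NB=1000000000
NA=$((NB + 365 * 24 * 3600))
SIGNED=$((NB + 30 * 24 * 3600))
LATER=$((NB + 2 * 365 * 24 * 3600))
if [ "${1:-}" = "demo" ]; then
  assess_signature "$NB" "$NA" "$LATER"                                    || true
  assess_signature "$NB" "$NA" "$LATER" "$SIGNED"                          || true
  assess_signature "$NB" "$NA" "$LATER" "$SIGNED" "$((SIGNED - 86400))"   || true
fi
```

The function's exit status is the trust decision, so it drops into a download or install script as `assess_signature ... || exit 1`; the printed verdict is only there to show which rule fired.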
8. Is there an extra charge for using GeoTrust’s timestamping service?
No. The service is free to all developers who have a valid Code Signing Credential.
9. What are some troubleshooting tips if I am having trouble signing my code?
You can troubleshoot most problems by taking these steps:
- Check the Microsoft tools you are using to make sure they are the latest version, including:
- Internet Explorer 3.02 or later
- Authenticode 2.0
- The ActiveX SDK, and Code Signing Tools. These are all available at http://www.microsoft.com/gallery/tools/ActiveXSDK/axsdk.asp
- Verify that your code signing certificate has not expired. In Internet Explorer, open the View menu and go to Options > Security tab > Personal Certificates, select your code signing certificate and view the expiration date. If your certificate has expired you must enroll for a new Code Signing Credential from GeoTrust.
- Check that you are using the GeoTrust timestamping service correctly. Timestamping is done by the "signcode" tool from the code signing tools update for Authenticode, through its -t option. The URL to use is the one given in Q16 below: http://www.trustcenter.de/codesigning/timestamp
10. Where should I store my private key?
You will be prompted to select a location to store your private key when you pick up and install your code signing certificate. Store it on a diskette rather than on the hard disk of a networked machine. The private key's file name has the extension .pvk. You need the private key every time you use your code signing certificate, and it must be kept secret: putting it on removable media such as a diskette lets you lock it in a secure place until you need it.
11. Why do I want to sign my applications?
By signing the applications you deliver over the Internet, you give your customers assurance of who the author is and that the code has not been tampered with or changed since it was signed. Users can see the information included in your GeoTrust code signing certificate, including your organization name, location, country, and Digital ID identification. Note that signing does not encrypt the software itself: it provides authenticity and integrity, not confidentiality.
12. What do the safety levels mean for Internet Explorer 3.0 +?
Internet Explorer allows end users a broad range of options for using Authenticode. Through the safety levels found under the Security tab in the Options menu, end users can decide how Internet Explorer should treat potentially unsafe code - that is, code that doesn't have a valid software publisher certificate associated with it.
The default setting of "high" means that Internet Explorer will not allow end users to download potentially unsafe code, but does give end users the option of downloading software components that have a valid signature. It is recommended that users keep their safety settings at "high." However, if expert users feel safe visiting their favorite Web sites or are in a corporate environment that is not connected to the Internet, they might switch this safety level to "medium," so that Internet Explorer will notify them of potentially unsafe code but let them download it nevertheless. At a safety setting of "none," Internet Explorer will not notify users of potentially unsafe code at all; this setting is not recommended under any circumstances.
13. By signing my code, does that prevent it from being exported?
No. Signing software with a code signing certificate does not introduce any export control considerations, since signing does not encrypt the software.
14. When I tried to submit my application, I saw a message that my key pair could not be generated. What should I do?
If your key pair could not be generated, the cause is an incompatibility among the versions of the DLL files installed on your computer. To correct this, install the latest version of Microsoft Internet Explorer (4.0 or later) and retry the enrollment.
15. What happens if my private key is damaged, lost, stolen, or destroyed?
If your private key is damaged, lost, stolen, or destroyed, contact GeoTrust immediately to revoke your existing code signing credential and enroll for a new one. The private key is never sent to GeoTrust, so it cannot be recovered for you; revoking promptly matters because anyone holding a stolen key can sign code in your name until the certificate is revoked.
16. What is the GeoTrust Timestamp URL?
GeoTrust Authenticode code signing certificates include a free timestamp service. The URL to connect to the timestamp server is: http://www.trustcenter.de/codesigning/timestamp.