keytool (comes with the JDK), then generate the certificate signing request (CSR) document (also with keytool).
The next step was to upload the CSR, pay, and validate myself to them. (That step took weeks.)
Log in, then click the appropriate link to download the certificate. This was one bundle which includes my public certificate and the various CAs' public certificate(s) needed to validate my certificate. (They also sent an email with a link to https://secure.comodo.com/products/CollectCodeSigningCert, and visiting that link auto-installed the cert into my browser.)
The certificates and key are installed in the web browser you are using, and must be exported to a file.
For Firefox (Pale Moon actually), use Tools→Options→Advanced→Certificates.
Click on "View Certificates", then select "Your Certificates".
Select your certificate, then click "Backup...".
Choose a name (I chose "comodokey") and enter a password (not "secret" or "123"! It is important to keep this signing key secure.)
The resulting file is in PKCS12 format, and will have an extension of either ".p12" or ".pfx".
Back up this file to a safe place. Make sure you won't lose the password either.
(If you don't use the browser to bundle your certificates for you, you will need to import them manually into your keystore.)
jarsigner can use it.
The tool for working with keys and Java keystores is keytool; like jarsigner, this tool comes with the JDK.
I had no luck with that for some reason; I may have needed different command line arguments (I'm thinking I should have added -srcstoretype pkcs12).
I Googled and tried several variations, until I found you can create a new keystore much more easily.
I decided to create one named "comodo.jks" (jks is for Java Key Store, but the actual name/extension doesn't matter):
keytool -importkeystore -destkeystore comodo.jks -srcstoretype pkcs12 -srckeystore comodokey.p12
Enter a new password to protect the whole keystore. (If that is the same as the password on the key, you won't need to enter it twice to use the key. Otherwise, you also need to enter the password for the key.) As usual, make sure you pick a strong password, and keep it safe. If you lose either password, your key is unusable. (You would probably have to delete that keystore and re-create it.)
The imported key keeps the long alias it had in the PKCS12 file; rename it to something shorter with keytool -changealias:
keytool -changealias -keystore comodo.jks -alias "wayne pollock's comodo ca limited id" -destalias comodoKey
It can be useful to have the key's password match the keystore's password, when there is only one key in the key store. If they are the same, you only need to enter it once to use the key. To change the key's password, use the following:
keytool -keypasswd -keystore comodo.jks -alias comodoKey
It is also possible to remove the password from a key, using the openssl command line tool.
For Windows, you can either install Cygwin (recommended), which includes OpenSSL, or install a Windows binary of this tool from (among other sources) https://indy.fulgan.com/SSL/.
See serverfault.com/questions/515833/how-to-remove-private-key-password-from-pkcs12-container for details.
Finally, the key can be used to sign Java Jar files!
From now on (until the certificate expires and I need to replace it), there is only one command needed to sign Jars with this code-signing certificate/key (one long line, wrapped here for readability).
Here's the command to sign MyApp-unsigned.jar and save the result as MyApp.jar:
jarsigner -keystore comodo.jks -signedjar MyApp.jar -tsa http://card.aloaha.com:8081/tsa.aspx MyApp-unsigned.jar comodoKey
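As an added example (not part of the original post, and not a tool from Comodo or the JDK), here is a small POSIX shell script that wraps the keytool and jarsigner steps above with the checks a practitioner would want before signing: it refuses to touch a PKCS12 file or keystore that other users can read, takes the keystore password from an environment variable (jarsigner's documented -storepass:env form) instead of the command line, signs with the timestamp authority, and then verifies the result with jarsigner -verify -strict. The file names comodokey.p12 and comodo.jks, the alias comodoKey, and the TSA URL are the ones used in the post; the SIGN_STOREPASS variable name and the script layout are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): wraps the post's keytool and
# jarsigner steps in one script with safety checks. File names, alias and TSA
# URL default to the values used in the post; override them via environment.
set -eu

P12="${P12:-comodokey.p12}"
KEYSTORE="${KEYSTORE:-comodo.jks}"
ALIAS="${ALIAS:-comodoKey}"
TSA_URL="${TSA_URL:-http://card.aloaha.com:8081/tsa.aspx}"

# Refuse to use a PKCS12 file or keystore that other users can read: the
# signing key inside is only as secret as the file's permission bits.
# Portable check via ls: columns 5-10 of the mode string are group/other.
check_keystore_perms() {
    f="$1"
    [ -f "$f" ] || { echo "no such keystore file: $f" >&2; return 1; }
    perms=$(ls -ld -- "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "refusing to use $f: group/other permissions are '$perms' (run chmod 600)" >&2
        return 1
    fi
    return 0
}

# Step 1 (post): import the browser-exported PKCS12 file into a Java keystore.
# JDK 9+ keytool creates PKCS12 keystores by default, so JKS is requested
# explicitly to match the post; jarsigner accepts either type.
import_p12() {
    check_keystore_perms "$P12"
    keytool -importkeystore -srcstoretype pkcs12 -srckeystore "$P12" \
        -deststoretype JKS -destkeystore "$KEYSTORE"
    chmod 600 "$KEYSTORE"
}

# Step 2 (post): give the imported key a short alias. The source alias is
# whatever the CA put into the PKCS12 file; "keytool -list" shows it.
rename_alias() {
    old_alias="$1"
    keytool -changealias -keystore "$KEYSTORE" -alias "$old_alias" -destalias "$ALIAS"
}

# Step 3 (post): sign with a trusted timestamp, so the signature stays valid
# after the certificate itself expires. The keystore password is read from
# SIGN_STOREPASS through jarsigner's -storepass:env option (never placed on
# the command line, where ps(1) would show it); if the variable is unset,
# jarsigner prompts interactively, as in the post.
sign_jar() {
    unsigned="$1"; signed="$2"
    check_keystore_perms "$KEYSTORE"
    if [ -n "${SIGN_STOREPASS:-}" ]; then
        jarsigner -keystore "$KEYSTORE" -storepass:env SIGN_STOREPASS \
            -tsa "$TSA_URL" -signedjar "$signed" "$unsigned" "$ALIAS"
    else
        jarsigner -keystore "$KEYSTORE" -tsa "$TSA_URL" \
            -signedjar "$signed" "$unsigned" "$ALIAS"
    fi
}

# Step 4 (added): verify what was just produced. -strict turns warnings such
# as an expired certificate or a missing timestamp into a non-zero exit code.
verify_jar() {
    jarsigner -verify -strict -verbose -certs "$1"
}

# Usage:  sign.sh import '<alias from the PKCS12 file>'
#         SIGN_STOREPASS=... sign.sh sign MyApp-unsigned.jar MyApp.jar
case "${1:-}" in
    import) import_p12; rename_alias "$2" ;;
    sign)   sign_jar "$2" "$3"; verify_jar "$3" ;;
    "")     ;;   # sourced or run without arguments: only define the functions
    *)      echo "usage: $0 import <old-alias> | sign <unsigned.jar> <signed.jar>" >&2; exit 2 ;;
esac
```

The permission check is the part worth keeping even if you sign by hand: a PKCS12 export or keystore that is group- or world-readable hands the signing key to anyone on the machine, regardless of how strong the password is. The -tsa option matters for the same reason the post gives for eventually replacing the certificate: jars signed with a timestamp remain verifiable after the certificate expires, while jars signed without one do not.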