keytool (comes with the JDK), then generate the certificate signing request document (also with
keytool). The next step was to upload the CSR, pay, and validate myself to them. (That step took weeks.)
Log in, then click the appropriate link to download the certificate. This was one bundle which includes my public certificate and the various CA's public certificate(s) needed to validate my certificate. (They also sent an email with a link to https://secure.comodo.com/products/CollectCodeSigningCert, and visiting that link auto-installed the cert into my browser.)
The certificates and key are installed in the web browser you are using,
and must be exported to a file.
For Firefox (Pale Moon actually), use Tools→Options→Advanced→Certificates.
Click on "View Certificates", then select "Your Certificates".
Select your certificate, then click "Backup...".
Choose a name (I chose "comodokey") and enter a password (not "secret" or
It is important to keep this signing key secure.)
The resulting file is in PKCS12 format, and will have an extension
of either ".p12" or ".pfx".
Back up this file to a safe place.
Make sure you won't lose the password either.
(If you don't use the browser to bundle your certificates for you, you will need to import them manually into your keystore.)
jarsigner can use it. The tool for working with keys and Java keystores is
keytool; like jarsigner, this tool comes with the JDK.
I had no luck with that for some reason; I may have needed different
command line arguments (I'm thinking I should have added
I Googled and tried several variations, until I found you can create a new
keystore much more easily.
I decided to create one named "comodo.jks"
("jks" is for Java Key Store,
but the actual name/extension doesn't matter):
keytool -importkeystore -destkeystore comodo.jks -srcstoretype pkcs12 -srckeystore comodokey.p12
Enter a new password to protect the whole keystore. (If that is the same as the password on the key, you won't need to enter it twice to use the key. Otherwise, you also need to enter the password for the key.) As usual, make sure you pick a strong password, and keep it safe. If you lose either password, your key is unusable. (You would probably have to delete that keystore and re-create it.)
This procedure might work too.
First, check to see if keytool can read the .PFX (or ".p12") file:
keytool -list -v -storetype pkcs12 -keystore file.p12
If that works, you should be able to use that file as-is with jarsigner:
jarsigner -storetype pkcs12 -keystore file.p12 myjar.jar "myalias"
(This procedure was not tested, as I already had my keystore set up.)
keytool -changealias -keystore comodo.jks -alias "wayne pollock's comodo ca limited id" -destalias comodoKey
It can be useful to have the key's password match the keystore's password when there is only one key in the keystore. If they are the same, you only need to enter it once to use the key. To change the key's password, use the following:
keytool -keypasswd -keystore comodo.jks -alias comodoKey
It is also possible to remove the password from a key, using the openssl command line tool.
For Windows, you can either install Cygwin (recommended), which includes OpenSSL, or install a Windows binary of this tool
from (among other sources) https://indy.fulgan.com/SSL/.
Finally, the key can be used to sign Java Jar files!
From now on (until the certificate expires and I need to replace it),
there is only one command needed to sign Jars with this code-signing
certificate/key (one long line, wrapped here for readability).
Here's the command to sign MyApp-unsigned.jar and save the signed Jar as MyApp.jar:
jarsigner -keystore comodo.jks -signedjar MyApp.jar -tsa http://card.aloaha.com:8081/tsa.aspx MyApp-unsigned.jar comodoKey
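After signing, jarsigner -verify MyApp.jar is the authoritative check. The Python sketch below is an added example (not part of the original page) showing what the signing step leaves inside the Jar and checking the digest layer only: every entry must be listed in the manifest and still match its recorded digest. It does not validate the signature block or certificate chain; the function names and the sample Jar are constructed for illustration.

```python
import base64, hashlib, io, zipfile

SIG_EXT = (".SF", ".RSA", ".DSA", ".EC")

def b64digest(alg, data):  # manifest prefix "SHA-256" maps to hashlib name "sha256"
    return base64.b64encode(hashlib.new(alg.replace("-", "").lower(), data).digest()).decode()

def is_sig_file(name):  # files jarsigner itself writes directly into META-INF
    flat = name.startswith("META-INF/") and name.count("/") == 1
    return flat and (name.endswith("/MANIFEST.MF") or name.upper().endswith(SIG_EXT))

def parse_sections(manifest_text):
    """Map each per-entry 'Name:' section of a manifest to its attributes."""
    text = manifest_text.replace("\r\n", "\n").replace("\n ", "")  # unfold wrapped lines
    sections = {}
    for block in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in block.split("\n") if ": " in l)
        if "Name" in attrs:
            sections[attrs["Name"]] = attrs
    return sections

def check_jar(jar_bytes):
    """Return a list of problems; an empty list means the digest layer is consistent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        if not any(is_sig_file(n) and n.upper().endswith(".SF") for n in names):
            return ["unsigned: no signature file (.SF) in META-INF"]
        sections = parse_sections(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        problems = []
        for name in names:
            if name.endswith("/") or is_sig_file(name):
                continue
            digests = {k[:-7]: v for k, v in sections.get(name, {}).items() if k.endswith("-Digest")}
            if not digests:
                problems.append(name + ": not covered by the signature")
            elif any(b64digest(alg, jar.read(name)) != v for alg, v in digests.items()):
                problems.append(name + ": content changed after signing")
        return problems

def build_sample_jar(entries, extra=None):
    """Constructed sample: real digests, placeholder signature files (no real signature)."""
    manifest = "Manifest-Version: 1.0\r\n\r\n" + "".join(
        "Name: %s\r\nSHA-256-Digest: %s\r\n\r\n" % (n, b64digest("SHA-256", d)) for n, d in entries.items())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        # jarsigner's default base name: first 8 characters of the alias, upper-cased
        jar.writestr("META-INF/COMODOKE.SF", "Signature-Version: 1.0\r\n\r\n")
        jar.writestr("META-INF/COMODOKE.RSA", b"placeholder, not a PKCS#7 block")
        for n, d in {**entries, **(extra or {})}.items():
            jar.writestr(n, d)
    return buf.getvalue()
```

To run it on a real file, pass the bytes of MyApp.jar to check_jar(); a non-empty result means an entry was added or altered after the signing step.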