Obtaining and installing a Java code signing certificate
Brief steps and notes

  1. First, visit your chosen CA's website.  In my case, I obtained a Comodo code signing certificate from one of their partners, K Software, for about $75 per year.  The first step was to generate a key-pair using keytool (comes with the JDK), then generate the certificate signing request document (also with keytool).  The next step was to upload the CSR, pay, and validate myself to them.  (That step took weeks.)
  2. Next, I needed to download the certificate.  Comodo's site for this (in my case) is https://www.instantssl.com/login.html.

    Log in, then click the appropriate link to download the certificate.  This was one bundle which includes my public certificate and the CA's public certificate(s) needed to validate my certificate.  (They also sent an email with a link to https://secure.comodo.com/products/CollectCodeSigningCert, and visiting that link auto-installed the cert into my browser.)

    The certificates and key are installed in the web browser you are using, and must be exported to a file.  For Firefox (Pale Moon actually), use Tools→Options→Advanced→Certificates.  Click on "View Certificates", then select "Your Certificates".  Select your certificate, then click "Backup...".  Choose a name (I chose "comodokey") and enter a password (not "secret" or "123"!  It is important to keep this signing key secure.)  The resulting file is in PKCS12 format, and will have an extension of either ".p12" or ".pfx".  Back up this file to a safe place.  Make sure you won't lose the password either.

    (If you don't use the browser to bundle your certificates for you, you will need to import them manually into your keystore.)

  3. Next you need to import the certs from your CA into a Java keystore, so that the Java code-signing tool jarsigner can use it.  The tool for working with keys and Java keystores is keytool; like jarsigner, this tool comes with the JDK.

    I had no luck with that for some reason; I may have needed different command line arguments (I'm thinking I should have added -srcstoretype pkcs12).  I Googled and tried several variations, until I found you can create a new keystore much more easily.

    I decided to create one named "comodo.jks" (jks is for Java Key Store; the actual name/extension doesn't matter):

    keytool -importkeystore -destkeystore comodo.jks -srcstoretype pkcs12 -srckeystore comodokey.p12

    Enter a new password to protect the whole keystore.  If that is the same as the password on the key, you won't need to enter it twice to use the key; otherwise, you also need to enter the password for the key.  As usual, make sure you pick a strong password, and keep it safe.  If you lose either password, your key is unusable.  (You would probably have to delete that keystore and re-create it.)

    This procedure might work too.  First, check to see if keytool can read the .PFX (or ".p12") file:

    keytool -list -v -storetype pkcs12 -keystore file.p12

    If that works, you should be able to use that file as-is with jarsigner:

    jarsigner -storetype pkcs12 -keystore file.p12 myjar.jar "myalias"

    (This procedure was not tested, as I already had my keystore setup.)

  4. After successfully creating a Java key store file containing my key and certificate, I wanted to change the alias (key ID) that Comodo picked to something shorter (one long line, wrapped here for readability):
    keytool -changealias -keystore comodo.jks
       -alias "wayne pollock's comodo ca limited id" -destalias comodoKey

It can be useful to have the key's password match the keystore's password when there is only one key in the keystore.  If they are the same, you only need to enter it once to use the key.  To change the key's password, use the following:

keytool -keypasswd -keystore comodo.jks -alias comodoKey

It is also possible to remove the password from a key, using the openssl command line tool.  For Windows, you can either install Cygwin (recommended) which includes OpenSSL, or install a Windows binary of this tool from (among other sources) https://indy.fulgan.com/SSL/.  See: serverfault.com/questions/515833/how-to-remove-private-key-password-from-pkcs12-container for details.

Finally, the key can be used to sign Java Jar files!  From now on (until the certificate expires and I need to replace it), there is only one command needed to sign Jars with this code-signing certificate/key (one long line, wrapped here for readability).  Here's the command to sign MyApp-unsigned.jar and save the result as MyApp.jar:

jarsigner -keystore comodo.jks -signedjar MyApp.jar
   -tsa http://card.aloaha.com:8081/tsa.aspx  MyApp-unsigned.jar comodoKey
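The whole procedure above as one script, added here as an example; it is not from the original page and involves no real CA.  A throwaway self-signed key generated by keytool stands in for the CA-issued certificate, and writing it straight to a PKCS12 file stands in for the browser export of step 2, so the script runs offline.  It also adds two checks the page does not show: verifying the signed jar with jarsigner -verify, and confirming that a jar modified after signing is rejected.  The alias, passwords, file names and the optional TSA_URL variable are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original page: the keytool/jarsigner workflow
# above, run offline with a throwaway self-signed key standing in for the
# CA-issued certificate.  All names and passwords below are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
ALIAS_LONG="wayne pollock's comodo ca limited id"   # the long CA-style alias from the page
ALIAS_SHORT=comodoKey
STOREPASS='Demo-Keystore-Pass-2024'                  # constructed; use a real, unique one
KEYPASS='Demo-Key-Pass-2024'                         # separate key password, see keypasswd below
export STOREPASS KEYPASS                             # read by jarsigner via -storepass:env/-keypass:env

have_jdk_tools() {
    for tool in keytool jarsigner jar; do
        command -v "$tool" >/dev/null 2>&1 || return 1
    done
}

# Step 1: key pair plus CSR.  Only request.csr is uploaded to the CA; the
# private key never leaves the PKCS12 file.  Here that PKCS12 file also stands
# in for the browser-exported bundle of step 2.
make_keypair_and_csr() {
    keytool -genkeypair -storetype pkcs12 -keystore "$WORK/comodokey.p12" \
        -storepass "$STOREPASS" -alias "$ALIAS_LONG" \
        -keyalg RSA -keysize 3072 -sigalg SHA256withRSA -validity 365 \
        -ext eku=codeSigning -dname "CN=Example Developer, O=Example Org, C=US"
    keytool -certreq -storetype pkcs12 -keystore "$WORK/comodokey.p12" \
        -storepass "$STOREPASS" -alias "$ALIAS_LONG" -file "$WORK/request.csr"
}

# Step 3: copy the PKCS12 entry into a Java keystore.  Since JDK 9 keytool's
# default store type is PKCS12, so JKS is requested explicitly; a PKCS12 store
# cannot hold a key password that differs from the store password.
import_into_jks() {
    keytool -importkeystore -noprompt \
        -srckeystore "$WORK/comodokey.p12" -srcstoretype pkcs12 -srcstorepass "$STOREPASS" \
        -srcalias "$ALIAS_LONG" \
        -destkeystore "$WORK/comodo.jks" -deststoretype JKS -deststorepass "$STOREPASS" \
        -destkeypass "$STOREPASS"
}

# Step 4: shorten the alias, then give the key its own password.
rename_and_repassword() {
    keytool -changealias -storetype JKS -keystore "$WORK/comodo.jks" -storepass "$STOREPASS" \
        -keypass "$STOREPASS" -alias "$ALIAS_LONG" -destalias "$ALIAS_SHORT"
    keytool -keypasswd -storetype JKS -keystore "$WORK/comodo.jks" -storepass "$STOREPASS" \
        -alias "$ALIAS_SHORT" -keypass "$STOREPASS" -new "$KEYPASS"
}

build_unsigned_jar() {
    mkdir -p "$WORK/content"
    echo "hello" > "$WORK/content/hello.txt"
    jar cf "$WORK/MyApp-unsigned.jar" -C "$WORK/content" .
}

# Signing.  Passwords come from the environment (-storepass:env / -keypass:env)
# rather than the command line, so they stay out of shell history and ps output.
# Set TSA_URL to add a timestamp (needs network); without it jarsigner only warns.
sign_jar() {
    set -- -storetype JKS -keystore "$WORK/comodo.jks" -storepass:env STOREPASS -keypass:env KEYPASS
    if [ -n "${TSA_URL:-}" ]; then set -- "$@" -tsa "$TSA_URL"; fi
    jarsigner "$@" -signedjar "$WORK/MyApp.jar" "$WORK/MyApp-unsigned.jar" "$ALIAS_SHORT"
}

# Returns 0 only when jarsigner prints "jar verified."; an unsigned jar reports
# "jar is unsigned." and a modified entry fails with a digest error.
verify_jar() {
    jarsigner -verify -verbose -certs "$1" 2>&1 | grep -q 'jar verified\.'
}

# Tamper check: replace an entry after signing.  The digest recorded in the
# manifest no longer matches the content, so verification must fail.
tamper_is_detected() {
    cp "$WORK/MyApp.jar" "$WORK/MyApp-tampered.jar"
    echo "changed" > "$WORK/content/hello.txt"
    jar uf "$WORK/MyApp-tampered.jar" -C "$WORK/content" hello.txt
    if verify_jar "$WORK/MyApp-tampered.jar"; then return 1; fi
}

run_demo() {
    make_keypair_and_csr
    import_into_jks
    rename_and_repassword
    build_unsigned_jar
    sign_jar
    keytool -list -v -storetype JKS -keystore "$WORK/comodo.jks" -storepass "$STOREPASS" -alias "$ALIAS_SHORT"
}

if have_jdk_tools; then
    run_demo
    verify_jar "$WORK/MyApp.jar"
    echo "signed jar verifies"
    tamper_is_detected
    echo "tampered copy rejected"
else
    echo "keytool/jarsigner/jar not on PATH; skipping demo" >&2
fi
```

Run it with a JDK on PATH; set TSA_URL to a timestamping service to reproduce the -tsa option from the command above.  jarsigner gets its passwords through -storepass:env and -keypass:env, which keeps them out of shell history and process listings; the keytool calls still pass them as plain arguments for brevity, which is acceptable for a throwaway demo key but not for a production signing key.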