česky | english

Code Signing Certificates

What do I need to get a code signing certificate from CAcert?

Individual CAcert users

For the code signing ability, you need to be an Assurer CPS 4.2.6. This means at least 100 assurance points and having passed the AssurerChallenge. Once that is done, you can send an email to support #at# cacert.org to request Code-Signing ability to be activated for your account.

Organisations and Codesigning

As of March 2008, Organisations registered with CAcert can create codesigning certificates with the name of the Organisation included in the certificate.

Once the Organisation is registered, you get the ability to do codesigning. Please see Organization Assurance Manual. For additional questions mail to : support#at#cacert.org

Obtaining a Code Signing Certificate

Prerequisites: Code-Signing ability must be activated for your account.

  1. Log into your CACert cccount
  2. Go to Client Certificate and click on [New]
  3. Check [Code Signing] and click on [Next]
  4. Request your certificate
  5. Right click on the install certificate link, choose [save as] and store your client certificate into a file

Basic Purposes of Code Signing

Code signing allows end users to authenticate You, the certificate holder who has written some code, for example, java code in a pasta.jar file.

Beware : Code Signing ≠ Security

When done properly, code signing proves the authenticity and integrity of code. However, code signing provides no guarantee of the code’s safety or reliability. So, the joke is that, at least, the end-user will know your name just before he/she let you erase all their hard disk content. ;-) See Schneier on Security for a discussion.

Java (Example)

In the Java World, the Java Virtual Machine can control all the user's machine. Yes, it can be a security issue. So, any code you can download on the internet has a limited set of abilities on your computer. Then, if you intend to use more powerful functions on the user's computer, you will have to sign the code you provide. And hope the user to trust you as a last resort !

Please see JavaCodeSigningTest

Starting with Java 5, jarsigner tool supports TimeStamping (on linux ubuntu try man jarsigner for help). So, you don't need to redeploy the application when the codesigning certificate expires. But on the other side, you need to include the certificate of the timestamp certification authority if not included in the jvm.

please see http://mindprod.com/jgloss/signedapplets.html

Examples of signed application

Simple examples :

any comment to guillaume (at) cacert.org please !

Platforms that Accept CAcert Code Signing Certificates

A code signing certificate has special attributes 1 to allow it to be accepted by applications from Microsoft, Sun, Mozilla, etc. as a code signing certificate.

However, these certificates will only work if the CAcert root cert is installed and trusted by the end-user and if the end-user agrees to execute the code.

How can I use my code signing certificate? (java example)

The code signing privilege can be added to the new email certificates you will obtain from the CAcert website.

Once you are approved, the next time you'll request an email certificate, you will find an option to include the code signing privilege.

see Richard Dallaway web start & cacert, freemail thawte code signing or better here http://www.crionics.com/products/opensource/faq/signFree.htm ( /!\ note : as of November 2009, thawte freemail program including free java codesigning has been discontinued.)

keytool -list -storetype pkcs12 -keystore keystore.p12

jarsigner -storetype pkcs12 -keystore keystore.p12 pasta.jar "guillaume frederic romagny's root ca id #2"

jarsigner -storetype pkcs12 -keystore keystore.p12 -tsa "http://time.certum.pl/" pasta.jar "guillaume romagny's root ca id"

jarsigner -verbose -verify -certs pasta.jar

How do I use my code signing certificate with Microsoft Authenticode?

In order to sign code using Microsoft Authenticode, you must break down the PKCS#12 file into the intermediate private key and PKCS#7 files that it contains in order to use it with applications supporting Authenticode. Since I have yet to see one that supports the PKCS#12 format yet I have contributed instructions in doing so. see the Authenticode wiki page for instructions.

Authenticode prefers timestamping to avoid redeployment of applications when certificate expires. https://digitalid.verisign.com/developer/help/mscs_faq.htm

Verisign timestamping service URL


More info on TimeStamping

Converting keystores

Java 1.4 can read pkcs12 format but cannot write this format. The jks Java key Store is pretty unconvenient (pkcs12 too btw). You may want to convert your keystore from jks to pkcs12. Especially when generating a Thawte Freemail code signing certificate.

see Keytool IUI based on Bouncy Castle Crypto API

Steps needed for Java developers to test a signed applet in a browser

You need to add the CAcert root certificate (and maybe the Class 3 sub-root cert) in the JVM CA certificate store. Under Linux, you'll find the command "ControlPanel" in the JRE "bin" folder (javacpl.exe under MS Windows).


Signing Mozilla XPI Packages (Firefox, Thunderbird)

You can use CAcert code signing certificates to sign Mozilla XPI packages for Mozilla applications like Firefox and Thunderbird.

Mozilla applications require a value in the Organisation field for the UI to report that the item is signed. Only Organisations registered with CAcert can do codesigning with Mozilla plug-ins. Please see OrganisationAssurance.

Individual CAcert users with codesigning ability can use the instructions below but Mozilla applications will still report the item as Unsigned. See bug 372980. Fixed in Firefox 3.5.6 & Thunderbird 3.0.1pre.

To use the CAcert certificate to sign the XPI package, you should perform the following steps:

  1. Install the code signing certificate in your browser.
  2. Extract the NSS utility binaries as outlined in Pete's instructions above.

  3. Identify your certificate database, which is usually in your profile directory. One way to identify your profile directory is to find all of the "key3.db" files in your home directory:

    • find ~ -name key3.db
  4. If you find multiple directories, then for each directory that contains a key3.db file, you should list out the certs contained there to find your new code signing certificate (it may be marked with an "*" in the first column), using the command:
    • signtool -L -d <certificate database directory>
  5. Having found the correct directory, the entry may appear as:
    • * Joe Normal's Root CA ID
  6. Following the XPI signing instructions above, extract the unsigned XPI package into a directory.
  7. Run this signtool command (this command works as of NSS 3.11.4):

    • signtool -d <the key3.db dir> -k "Joe Normal's Root CA ID"-p <password>
      -X -Z <XPI package file name> <directory-tree>
  8. Your signed XPI package <XPI package file name> will be ready.

  9. If you want to verify the signature on your package, use the following two commands:
    • signtool -v <XPI package file name>
      signtool -w <XPI package file name>

Inputs & Thoughts

Category or Categories


  1. or no special attributes at all (1)

CodesigningCert (last edited 2015-03-25 21:43:40 by EtienneRuedin)