Creating a keystore for plugin signing the easy way

How to create a Java keystore for plugin signing the easy way Mikkel Flindt Heisterberg OnTime by IntraVision

Post on 10-May-2015

DESCRIPTION

How to create a keystore for jar-file signing and how to export the certificate for use with Lotus Domino policies to broadcast the trust to Notes clients.

TRANSCRIPT

Page 1: Creating a keystore for plugin signing the easy way

How to create a Java keystore for plugin signing the easy way

Mikkel Flindt Heisterberg
OnTime by IntraVision

Page 2: Creating a keystore for plugin signing the easy way

Create the keystore

• Use iKeyMan to create the keystore
– <Notes>\jvm\bin\ikeyman.exe, e.g. C:\Notes8\jvm\bin\ikeyman.exe
• Create a keystore of type JCEKS and specify a password for the keystore
• Note the directory where you create the keystore

Page 3: Creating a keystore for plugin signing the easy way

Create self-signed certificate

• In "Personal Certificates" click "New Self-Signed..." and fill in the fields.
• Make sure to adjust the validity period of the certificate
• Note the "Key Label" you specify (here it's "signerkey")
• Exit iKeyMan

Page 4: Creating a keystore for plugin signing the easy way

Verify keystore

• In a DOS prompt use the KeyTool from the JDK to verify the keystore
– If you haven't got a JDK installed use the one installed with Notes (<Notes>\jvm\bin\keytool.exe)
• C:\Notes8\jvm\bin\keytool.exe -keystore keystore.jck -storetype jceks -list -v

Page 5: Creating a keystore for plugin signing the easy way

Verify keystore

Page 6: Creating a keystore for plugin signing the easy way

Export certificate

• Now export the certificate used to verify jar-file signatures
– Again using the keytool as before
– This creates mycert.der which is the file you import into Domino Directory
• C:\Notes8\jvm\bin\keytool.exe -keystore keystore.jck -storetype jceks -export -file mycert.der -alias signerkey

Page 7: Creating a keystore for plugin signing the easy way

Export certificate

Page 8: Creating a keystore for plugin signing the easy way

Import the certificate in Domino

Page 9: Creating a keystore for plugin signing the easy way

Import the certificate in Domino

Page 10: Creating a keystore for plugin signing the easy way

Import the certificate in Domino

Page 11: Creating a keystore for plugin signing the easy way

Import the certificate in Domino

Page 12: Creating a keystore for plugin signing the easy way

Trust

• Next steps are to
– Cross certify the imported internet certificate with your Notes certifier
– Use policies (Security settings) to broadcast the internet certificate and cross certification of the internet certificate to Notes clients
– The option is on the "Keys and Certificates" tab under "Administrative Trust Defaults"

Page 13: Creating a keystore for plugin signing the easy way

Sign jar-file using keystore

• You sign jar-files using the jarsigner.exe tool from the JDK
– Again you can use the one installed with the Notes JVM if need be
• C:\Notes8\jvm\bin\jarsigner.exe -keystore keystore.jck -storetype jceks -signedjar signed.jar myfile.jar signerkey

Page 14: Creating a keystore for plugin signing the easy way

Sign jar-file using keystore
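
The verify, export and sign steps from the slides, run end to end in PowerShell with a fingerprint check and a signature check added. This is an added example, not part of the original slides. It assumes the script runs in the directory holding keystore.jck and myfile.jar, uses the file names and alias from the slides, and that jarsigner reports success with its English-locale "jar verified" message.

```powershell
# Added example, not from the slides. File names and the alias are the ones
# used on the slides; adjust $jvmBin to your Notes or JDK install.
$jvmBin    = 'C:\Notes8\jvm\bin'
$keytool   = Join-Path $jvmBin 'keytool.exe'
$jarsigner = Join-Path $jvmBin 'jarsigner.exe'
$alias     = 'signerkey'
$ks        = @('-keystore', 'keystore.jck', '-storetype', 'jceks')

function Assert-ExitCode([string]$Step) {
    # Native tools do not throw in PowerShell, so check the exit code ourselves.
    if ($LASTEXITCODE -ne 0) { throw "$Step failed with exit code $LASTEXITCODE" }
}

# 1. Verify the keystore: fails if the alias created in iKeyMan is missing.
#    The tools prompt for the keystore password, so it is never written on
#    the command line or stored in this script.
& $keytool @ks -list -v -alias $alias
Assert-ExitCode 'keytool -list'

# 2. Export the certificate (public part only) for import into Domino.
& $keytool @ks -export -file mycert.der -alias $alias
Assert-ExitCode 'keytool -export'

# 3. Fingerprint of the exported file. mycert.der is binary DER, so its file
#    hash is the certificate fingerprint. Compare it with the fingerprints
#    printed in step 1 before trusting the imported certificate.
foreach ($algo in 'SHA1', 'SHA256') {
    $hex = (Get-FileHash -Path mycert.der -Algorithm $algo).Hash
    '{0,-7} {1}' -f $algo, ($hex -replace '(..)(?!$)', '$1:')
}

# 4. Sign the jar, writing the result to a new file.
& $jarsigner @ks -signedjar signed.jar myfile.jar $alias
Assert-ExitCode 'jarsigner (sign)'

# 5. Verify the signed jar. Check the report text as well as the exit code,
#    so an unsigned or unverifiable jar is not mistaken for success.
$report = & $jarsigner -verify -verbose -certs signed.jar
Assert-ExitCode 'jarsigner -verify'
if (-not ($report -match 'jar verified')) { throw 'signed.jar did not verify' }
'signed.jar verified'
```

The exported mycert.der contains no private key. The keystore file and its password are what must stay restricted to whoever is allowed to sign plugins.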