Important Update!
Starting from June 1st, 2023, a new security measure is in place for code signing certificates. All code signing certificates must now be stored on hardware meeting specific security standards such as FIPS 140 Level 2, Common Criteria EAL 4+, or their equivalents.
As a result, the process of obtaining and installing certificates has changed. Certificate Authorities no longer support browser-based key generation, CSR creation, or certificate installation on laptops or servers. Instead, if you opt for token + shipment as your code signing delivery method, the CA will handle CSR generation. Alternatively, if you prefer to use your Hardware Security Module (HSM), check the guides below or follow your HSM provider’s instructions for CSR generation.
- YubiKey 5 FIPS CSR Generation and Attestation
- Luna Network Attached HSM v7.x: CSR & Attestation Guide
The following text contains outdated information, no longer applicable to CSR generation for code signing certificates.
When you request a code signing certificate, you must provide information about yourself and your company in an encoded text file called a CSR (Certificate Signing Request). This file contains details such as your name, organization (if applicable), and email address. During CSR creation, you’ll get two files: the CSR itself, which you’ll need to provide when you enroll for the certificate, and a private key that you should keep secret and use during installation.
To generate a CSR using Keytool, ensure you have the Java Development Kit (JDK) installed on your server or computer.
How to Use Keytool to Generate a CSR
Follow the steps below to generate a CSR for a code signing certificate in Linux or Windows with the help of the Java Development Kit.
1. Create the Keystore and Key File
First, at the command prompt, run the following command to create a keystore and key file:
keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore keystore.jks
2. Submit Your Contact Data
Next, enter the following required CSR details:
- Enter a keystore password. Choose a secure password. Re-enter the password for confirmation.
- Submit your first and last name.
- Enter the official name of your organization. Double-check it.
- Next, enter the name of your City or Locality and the State or Province where your organization is registered.
- Enter the two-letter country code for your location.
- Once you have provided all the necessary information, you must confirm that the CN and the other details are correct. The full name should be in the format of “CN=CompanyName or Firstname Lastname, OU=DepartmentName, O=CompanyName, L=City, ST=State, C=CountryCode.”
- Lastly, enter a password for the key.
This command will generate a Java keystore file named keystore.jks.
3. Generate the CSR Using the Keytool
To generate a CSR from your keystore, follow these simple steps:
- Open up your command prompt.
- Type in the following command:
keytool -certreq -alias server -file csr.csr -keystore keystore.jks
- Hit Enter and enter your keystore password (created in step 2) when prompted.
That’s it! You now have the CSR in the .csr file, and the private key remains in the .jks keystore.
Final Steps – Complete Your Order
After you generate a CSR using keytool, copy its contents, including the header -----BEGIN NEW CERTIFICATE REQUEST----- and footer -----END NEW CERTIFICATE REQUEST----- tags, and paste them into the relevant box on your code signing vendor account. Select “Java” as your code signing certificate type and complete the enrollment process. The Certificate Authority should sign your code signing cert in one or several business days, depending on the validation type.
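Before pasting, it helps to confirm that the file is the request rather than a key and that its header and footer survived copying. The script below is an added example, not part of the original guide; the function name check_csr, the sample file names and the stand-in body MIIBAAAA are constructed for illustration, and it assumes a base64 command that accepts -d.

```shell
#!/bin/sh
# Added example: sanity-check a CSR file before pasting it into an order form.
# check_csr FILE returns 0 only if the PEM envelope is intact and no key is present.
check_csr() {
  # Drop carriage returns and blank lines so files saved on Windows compare cleanly.
  csr_text=$(tr -d '\r' < "$1" | sed '/^[[:space:]]*$/d')
  case $csr_text in
    *"PRIVATE KEY"*) echo "REJECT: private key material in file"; return 1 ;;
  esac
  # keytool writes "NEW CERTIFICATE REQUEST"; other tools omit "NEW".
  case $(printf '%s\n' "$csr_text" | head -n 1) in
    "-----BEGIN NEW CERTIFICATE REQUEST-----" | "-----BEGIN CERTIFICATE REQUEST-----") ;;
    *) echo "REJECT: header line missing or altered"; return 1 ;;
  esac
  case $(printf '%s\n' "$csr_text" | tail -n 1) in
    "-----END NEW CERTIFICATE REQUEST-----" | "-----END CERTIFICATE REQUEST-----") ;;
    *) echo "REJECT: footer line missing or altered"; return 1 ;;
  esac
  csr_body=$(printf '%s\n' "$csr_text" | sed '1d;$d' | tr -d '\n')
  # The body must be clean base64 whose first decoded byte is 0x30 (DER SEQUENCE).
  printf '%s' "$csr_body" | base64 -d >/dev/null 2>&1 ||
    { echo "REJECT: body is not valid base64"; return 1; }
  csr_tag=$(printf '%s' "$csr_body" | base64 -d | od -An -tx1 -N1 | tr -d ' \n')
  [ "$csr_tag" = 30 ] || { echo "REJECT: body does not decode to DER"; return 1; }
  echo "OK: envelope intact"
}

# Constructed samples. MIIBAAAA is a stand-in DER prefix, not a real request.
demo=$(mktemp -d)
dash=$(printf '\342\200\224')   # U+2014, what "smart" typography makes of hyphens
printf '%s\n' '-----BEGIN NEW CERTIFICATE REQUEST-----' 'MIIBAAAA' \
  '-----END NEW CERTIFICATE REQUEST-----' > "$demo/good.csr"
printf '%s\n' "${dash}BEGIN NEW CERTIFICATE REQUEST${dash}" 'MIIBAAAA' \
  "${dash}END NEW CERTIFICATE REQUEST${dash}" > "$demo/mangled.csr"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIBAAAA' \
  '-----END PRIVATE KEY-----' > "$demo/key.pem"
for f in good.csr mangled.csr key.pem; do
  printf '%s: ' "$f"; check_csr "$demo/$f" || true
done
```

With a JDK installed, keytool -printcertreq -file csr.csr then decodes the request so the subject and key size can be reviewed before submission.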