Code signing
Java Jarsigner

Assign the key pair to a certificate and apply an issuance policy

You must complete the tasks in this section in the CryptoHub UI to enable the PKCS #11 library to find the key pair generated by using Java keytool in the previous section. This process involves creating a certificate object from the key pair and assigning it an issuance policy.

Create a new certificate object from the key pair

1. Log in to the under dual control with your administrator identities.

2. Go to PKI and CA > PKI Signing Approvals.

3. Select [ Add Approval Group ] at the bottom of the page or right-click the window background and select Add Approval Group.

4. Enter a name for the approval group and select [ OK ].

5. Right-click the new approval group and select Permission.

6. Select the Java Jarsigner role in the drop-down menu and select [ Add ]. Then, grant the role the Use permission and select [ Save ].

7. Go to PKI and CA > Certificate Management.

8. Select [ Add CA ] at the bottom of the page or right-click the window background and select Add CA.

9. Enter a name for the X.509 certificate container and change the Owner group to the Java Jarsigner service role. Then, select [ OK ].

10. Right-click the new X.509 certificate container and select Add Certificate > From Private Key.

11. Select the private key you created by using Java keytool in the previous section and select [ OK ].

12. In the Subject DN tab, make the following changes:

  • Preset: Select Classic.
  • Common Name: Enter any name.

13. In the Basic Info tab:

  • Leave all values set to their defaults.

14. In the V3 Extensions tab:

  • Select the Code Signing Certificate Profile.

15. Select [ OK ].

Apply an issuance policy to the Java Jarsigner code signing certificate

1. Right-click the Java Jarsigner code signing certificate and select Issuance Policy > Add.

2. In the Basic Info tab, make the following changes:

  • Approvals: Select 0.
  • Allowed hashes: Select SHA-384.

3. In the X.509 tab, make the following change:

  • Default approval group: Select the approval group you created.

4. In the Object Signing tab, make the following change:

  • Allow object signing: Select the checkbox to enable.

5. Select [ OK ].