Signing your J2ME application using Verisign and NetBeans

This was posted to the Netbeans forum a Feb, 2010 and I also sent it to Verisign. Who didn't help much in my struggles to get my application signed.

------------------------- Start

The idea here is to target your cell phones with
the correct certificate. Some phones have VeriSign Class 3,
some have just VeriSign....,

The point is just because it says VeriSign, doesn't mean your
VeriSign Class 3 certificate that accompanies your J2ME application
will work.




A .csr file is an ASCII file
csr = Certificate Signing Request

A .ks file is a binary file
ks = keystore

You can use the JAVA JDK keytool or the JAVA ME 3.0 tool mekeytool



1. Create a keystore

To generate a public/private key pair, enter the following command,
specifying a name for your keystore and an alias as well

keytool -genkey -keyalg rsa -keystore XXXX.ks -alias <alias_name>

Answer all of the questions, write them down or take a snapshot.

You will use the XXXX.ks file later when VeriSign sends back your
Class 3 CSR



2. Generate a Certificate Signing Request

keytool –certreq –file certreq.csr –keystore XXXX.ks -alias <alias_name>

File certreq.csr looks something like this:
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBtzCCASACAQAwdzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFzAVBgNVBAcT
............
............
............
-----END NEW CERTIFICATE REQUEST-----

3. Fill out the enrollment form with VeriSign

Paste the contents of the CSR file certreq.csr when asked.

4. Create a folder named master

Copy all of the files into master
Leave them alone and use only in case of emergency

5. A few days later you receive an EMAIL from VeriSign that you have been approved.

Your certificate OR INTERMEDIATE CA looks something like this:

-----BEGIN NEW CERTIFICATE REQUEST-----
MIAGCSqGSIb3DQEHAqCAMIACAQExADALBgkqhkiG9w0BBwGggDCCBOswggPToAMC
............
............
............
-----END NEW CERTIFICATE REQUEST-----

It's a Class 3 certificate.

Save the EMAIL to a file named verisign_class3.csr in the same
folder as your other 2 files.

Edit the file. I used PSPAD.

Delete all of the material up to the line that says
-----BEGIN NEW CERTIFICATE REQUEST-----

Make sure each line does not have any spaces at end.
Go to bottom of file.
Make sure it ends in
-----END NEW CERTIFICATE REQUEST-----

Make sure NO NEW LINE is after the END NEW CERTIFICATE line

6. Now you will IMPORT your verisign_class3.csr file into your binary
XXXX.ks file.


Use this command

keytool -import -alias <alias_name> -trustcacerts -file verisign_class3.csr -keystore XXXX.ks

The tool will prompt you for the password you created back in step 1.

If you edited and saved the verisign_class3.csr correctly, your KS file
will have grown 2-3 times its size. And the message will be:

"Certificate reply was installed in keystore"


If you did not edit the file correctly, you may get an
error like this:

"keytool error: java.security.cert.CertificateParsingException:
invalid DER-encoded certificate data"


You can always view the internals of your KS file by issuing this command:
keytool -list -v -keystore XXXX.ks


If you make a mistake check your .KS files timestamp/size and make sure you did not corrupt anything. if the timestamp/size was altered and
you got an error; then it's more than likely corrupted.

If so, simply copy your backup from the master folder and start again.


One comment about the command keytool -import.

I have seen some documents
show the -alias come before the -trustcerts. I have seen
some examples with -trustcerts before the -alias. I do know that the
one above works.

Another comment about the contents of the EMAIL. Copy/paste to
another file didn't work. Drove me crazy. Saving the contents directly
to disk and removing all lines around the BEGIN/END worked.

================

Congratulations, you're done with the certificate.

Now what?


Get the certificate into your JAD file.

1. Open up your NetBeans project
2. Highlight your project and look for properties
3. Select the Signing node
4. Check the box "Sign Distribution"
5. Click button "Open Keystore Manager"
6. Press button "Add Keystore..."
7. Select radio button "Add existing keystore"
8. Locate your XXXX.ks file with the browse button
9. Click Unlock to show the alias you entered in step 1.
10. Close the dialog window
11. Use the dropdown to select your XXXX.ks file
12. And select your alias.
13. Rebuild
14. Deploy

Note that you will be asked your password that you set up in the previous
steps above.

15. Check your JAD file, looks something like this:

MIDlet-Certificate-1-1: MIIE6z...
MIDlet-Certificate-1-2: MIIE/D...
MIDlet-Certificate-1-3: MIICPD...
MIDlet-Jar-RSA-SHA1: NPr....

Note the line
MIDlet-Permissions:

You did select the correct permissions before building?

16. Download to the phone.

17. Test it out.

------------------- End