Application Packaging Developer's Guide

How to Import the Certificates Into the Package Keystore

The signing certificate and its private key must be available as PEM- or DER-encoded X.509 data. In addition, any intermediate or “chain” certificates linking your signing certificate to the Certificate Authority's root certificate must be imported into the package keystore before a package can be signed; a chain with a missing link cannot be validated, so signing fails.


Note –

Each Certificate Authority issues certificates and keys in its own format, commonly as a single PKCS#12 (.p12 or .pfx) bundle containing the signing certificate, its private key and the CA chain. To extract the certificates and private key from a PKCS#12 file into PEM-encoded X.509 files (the form suitable for importing into the package keystore), use a conversion utility such as the open-source OpenSSL toolkit.


If your private key is encrypted (as it normally should be), pkgadm prompts you for its passphrase. You are also prompted for a password to protect the resulting package keystore. You can press ENTER to supply no password, but the package keystore is then stored unencrypted, and anyone who can read the keystore file can recover the signing key.
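The conversion step the note above leaves to OpenSSL, as an added example that is not part of the original guide: it splits a PKCS#12 bundle into the two files the pkgadm commands below consume (ca.pem for the chain, sign.pem for the signing certificate plus its passphrase-protected key) and checks, before anything touches the keystore, that the certificate chains to ca.pem and that the key actually belongs to the certificate. The file names, the alias mycert, the passphrases and the make_demo_p12 helper (which builds a throwaway root, intermediate and signing certificate so the script runs offline) are assumptions; with a real CA-issued bundle you only need pkcs12_to_pem and pem_chain_ok.

```shell
#!/bin/sh
# Added example, not from the Solaris packaging guide: turn a CA-issued
# PKCS#12 bundle into the PEM files pkgadm addcert expects.
#   ca.pem   -> every CA/chain certificate in the bundle
#               (imported with: pkgadm addcert -k ~/mykeystore -ty ca.pem)
#   sign.pem -> the signing certificate plus its passphrase-protected key
#               (imported with: pkgadm addcert -k ~/mykeystore -n mycert sign.pem)
# File names, alias and passphrases are assumptions; make_demo_p12 builds
# constructed test data only.
set -eu

# Split a PKCS#12 file into ca.pem (chain) and sign.pem (cert + encrypted key).
# $1 = bundle.p12   $2 = bundle import password
# $3 = output dir   $4 = passphrase for the private key written to sign.pem
pkcs12_to_pem() {
    p12=$1 inpass=$2 out=$3 keypass=$4
    # -cacerts -nokeys: only the certificates that do not match the key,
    # i.e. the intermediate(s) and root. No key material ends up in ca.pem.
    openssl pkcs12 -in "$p12" -passin "pass:$inpass" -cacerts -nokeys \
        -out "$out/ca.pem"
    # -clcerts: only the end-entity certificate. The key is re-encrypted under
    # $keypass instead of written in the clear (no -nodes), which is why pkgadm
    # later prompts "Enter PEM passphrase:" for sign.pem.
    openssl pkcs12 -in "$p12" -passin "pass:$inpass" -clcerts \
        -passout "pass:$keypass" -out "$out/sign.pem"
}

# Checks to run before touching the keystore: the signing certificate must
# chain to ca.pem, and the key in sign.pem must belong to that certificate.
# $1 = output dir   $2 = passphrase of the key in sign.pem
pem_chain_ok() {
    out=$1 keypass=$2
    openssl x509 -in "$out/sign.pem" -out "$out/signcert.tmp"
    openssl verify -CAfile "$out/ca.pem" "$out/signcert.tmp" >/dev/null
    certpub=$(openssl x509 -in "$out/sign.pem" -noout -pubkey)
    keypub=$(openssl pkey -in "$out/sign.pem" -passin "pass:$keypass" -pubout)
    [ "$certpub" = "$keypub" ]
}

# Build a throwaway root -> intermediate -> signing-cert hierarchy and pack it
# into $1/bundle.p12 with export password $2. Constructed demo data only.
make_demo_p12() {
    d=$1 exportpass=$2
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -days 30 -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -days 30 -out "$d/inter.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Package Signer" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 30 -out "$d/leaf.pem" 2>/dev/null
    # A CA normally ships the chain in the bundle; -certfile puts it there.
    cat "$d/inter.pem" "$d/root.pem" > "$d/chain.pem"
    openssl pkcs12 -export -in "$d/leaf.pem" -inkey "$d/leaf.key" \
        -certfile "$d/chain.pem" -name mycert \
        -passout "pass:$exportpass" -out "$d/bundle.p12"
}

# Round trip on the demo bundle: build, split, check, report.
demo() {
    work=$(mktemp -d)
    make_demo_p12 "$work" 'export-secret'
    pkcs12_to_pem "$work/bundle.p12" 'export-secret' "$work" 'key-secret'
    pem_chain_ok "$work" 'key-secret'
    printf 'chain certificates in ca.pem: %s\n' \
        "$(grep -c 'BEGIN CERTIFICATE' "$work/ca.pem")"
    printf 'ready for pkgadm: %s/ca.pem %s/sign.pem\n' "$work" "$work"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh pkcs12-to-pem.sh demo` to see the round trip; with real material, call pkcs12_to_pem on the bundle the CA sent you, then feed the resulting ca.pem and sign.pem to the pkgadm commands in the procedure below. Two caveats: keep the -cacerts/-clcerts split, because a single combined dump would put the private key into the file imported with -t (trusted CA), and on OpenSSL 3 an older bundle encrypted with RC2 needs `openssl pkcs12 -legacy` to be read at all.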

The following procedure describes how to import the certificates using the pkgadm command once the certificate is in the proper format.

  1. Import all the Certificate Authority certificates found in your PEM- or DER-encoded X.509 certificate file.

    For example, to import all the Certificate Authority certificates found in the file ca.pem, you would type the following:

    $ pkgadm addcert -k ~/mykeystore -ty ca.pem


    The output would appear similar to the following:


    Trusting certificate <VeriSign Class 1 CA Individual \
    Subscriber-Persona Not Validated>
    Trusting certificate </C=US/O=VeriSign, Inc./OU=Class 1 Public \
    Primary Certification Authority>
    Type a Keystore protection Password.
    Press ENTER for no protection password (not recommended): 
    For Verification: Type a Keystore protection Password.
    Press ENTER for no protection password (not recommended): 
    Certificate(s) from <ca.pem> are now trusted

    To import your signing certificate and private key into the package keystore, you must supply an alias with -n. The same alias identifies the key later when you sign the package, and when you delete the key from the package keystore.

    For example, to import your signing key from the file sign.pem, you would type the following:

    $ pkgadm addcert -k ~/mykeystore -n mycert sign.pem


    The output would appear similar to the following:


    Enter PEM passphrase:
    Enter Keystore Password: 
    Successfully added Certificate <sign.pem> with alias <mycert>
  2. Verify that the certificates are in the package keystore.

    For example, to list the certificates in the keystore created in the previous step, you would type the following. Confirm that every Certificate Authority certificate imported from ca.pem is listed, together with the signing certificate under the alias mycert; if any certificate in the chain is missing, the package cannot be signed.

    $ pkgadm listcert -k ~/mykeystore