How to Sign a MIDlet
In summary, these are the steps required to sign a MIDlet with a certificate:
- Generate public/private key pairs.
- Generate a Certificate Signing Request (CSR) and submit it to a CA.
- Sign the MIDlet with the certificate.
Here is the list of software required to accomplish these steps:
- Sun Java 2 SDK or JRE
- Sun Wireless Tool Kit (WTK)
Generate public/private key pairs
Create a Keystore
From the command line, navigate to the Java 2 SDK bin directory (if it is not already in the PATH) and type the following command:
keytool -genkey -keyalg rsa -keystore <keystore_filename> -alias <alias_name>
It prompts you to enter a password for your keystore, your name, organization, and address. For example:
C:\tmp>keytool -genkey -keyalg rsa -keystore vitraining.keystore -alias vitraining
Enter keystore password: 1234567890
What is your first and last name?
[Unknown]: akhmad daniel
What is the name of your organizational unit?
[Unknown]: vitraining
What is the name of your organization?
[Unknown]: vitraining
What is the name of your City or Locality?
[Unknown]: bandung
What is the name of your State or Province?
[Unknown]: jawa barat
What is the two-letter country code for this unit?
[Unknown]: ID
Is CN=akhmad daniel, OU=vitraining, O=vitraining, L=bandung, ST=jawa barat, C=ID
correct?
[no]: yes
Enter key password for <vitraining>
(RETURN if same as keystore password):
You will find the keystore file, called vitraining.keystore, in the current directory.
List the generated keypairs
To see the entry for your generated key pair, type the following command:
keytool -keystore <keystore_filename> -list
For example:
C:\tmp>keytool -keystore vitraining.keystore -list
Enter keystore password: 1234567890
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
vitraining, Dec 14, 2009, keyEntry,
Certificate fingerprint (MD5): CA:EE:0C:D6:64:4D:C3:A3:B9:92:9B:14:58:E0:A1:76
Generate Certificate Signing Request (CSR) and submit it to CA
Next, you need to generate a Certificate Signing Request (CSR) for the enrollment process.
Generate CSR
Type the following command to create a CSR for the key pair in the keystore:
keytool -certreq -file <certreq_filename.csr> -keystore <keystore_filename> -alias <alias_name>
For example:
C:\tmp>keytool -certreq -file vitraining.csr -keystore vitraining.keystore -alias vitraining
Enter keystore password: 1234567890
You will find a new CSR file, called vitraining.csr, in the current directory. Submit the generated CSR to the CA.
Sign the MIDlet with the certificate
Once the CA has approved your request, you will receive the certificate, usually by email. Copy and paste the certificate, or save the attachment, to a file. The next steps are:
Import the certificate to your keystore
Use the following command:
keytool -import -trustcacerts -keystore <keystore_filename> -alias <alias_name> -file <cert_filename>
For example:
C:\tmp>keytool -import -trustcacerts -keystore vitraining.keystore -alias vitraining -file vitraining.cert
Enter keystore password: 1234567890
Certificate reply was installed in keystore
The keystore now contains the valid certificate.
Sign the JAD file
Use the JadTool utility to sign a JAR file by adding both the certificate and the JAR file's digital signature to the Java Application Descriptor (JAD) file. The process is:
a. Adding the certificate to JAD
To add the certificate as the value of an attribute named MIDlet-Certificate-m-n, we will use JadTool.jar. Here m is the number of the certificate chain, and n is an integer that, for new certificates, begins at one and increments by one each time you add a new certificate to the JAD file.
java -jar %WTK_HOME%\bin\JadTool.jar -addcert -keystore <keystorename> -alias <aliasname> -storepass <password> -inputjad <input_jadfile> -outputjad <output_jadfile>
For example:
java -jar %WTK_HOME%\bin\JadTool.jar -addcert -keystore vitraining.keystore -alias vitraining -storepass 1234567890 -inputjad test.jad -outputjad test_t.jad
On success, you should see attributes like the following added to your output JAD file (test_t.jad in the example):
MIDlet-Certificate-1-1
MIDlet-Certificate-1-2
MIDlet-Certificate-1-3
b. Adding JAR’s digital signature to the JAD
This last step computes the JAR's digital signature and stores it as the value of the MIDlet-Jar-RSA-SHA1 attribute of the output JAD file.
java -jar %WTK_HOME%\bin\jadtool.jar -addjarsig -jarfile <jar_file> -keystore <keystorename> -alias <aliasname> -storepass <password> -keypass <password> -inputjad <input_jadfile> -outputjad <output_jadfile>
The default value for -jarfile is the MIDlet-Jar-URL property in the JAD file. Use the JAD produced by the -addcert step as the input, so that the certificate attributes are carried into the final file. For example:
java -jar %WTK_HOME%\bin\jadtool.jar -addjarsig -jarfile test.jar -keystore vitraining.keystore -alias vitraining -storepass 1234567890 -keypass 1234567890 -inputjad test_t.jad -outputjad test_t.jad
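A structural check for the output JAD after both JadTool steps, added here as an example (it is not part of the original article or of the WTK): it confirms that the MIDlet-Certificate-m-n chain is numbered without gaps and that MIDlet-Jar-RSA-SHA1 is present. The function names and sample values are constructed for illustration, and the check does not verify the RSA signature itself.

```python
import base64
import re

CERT_RE = re.compile(r"^MIDlet-Certificate-(\d+)-(\d+)$")
SIG_ATTR = "MIDlet-Jar-RSA-SHA1"

def parse_jad(text):
    """Return the JAD's 'Name: value' attributes as a dict."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            attrs[name.strip()] = value.strip()
    return attrs

def b64_or_none(value):
    """Strict base64 decode; None when the value is not valid base64."""
    try:
        return base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def check_signed_jad(text):
    """Return a list of problems; an empty list means both signing steps left their mark."""
    attrs, problems, chains = parse_jad(text), [], {}
    for name, value in attrs.items():
        m = CERT_RE.match(name)
        if m:
            chains.setdefault(int(m.group(1)), []).append(int(m.group(2)))
            # An X.509 certificate in DER form starts with a SEQUENCE tag (0x30).
            if (b64_or_none(value) or b"")[:1] != b"\x30":
                problems.append(f"{name}: not a base64 DER certificate")
    if not chains:
        problems.append("no MIDlet-Certificate-m-n attribute (was -addcert run on this JAD?)")
    for chain, ns in sorted(chains.items()):
        if sorted(ns) != list(range(1, len(ns) + 1)):
            problems.append(f"chain {chain}: n must run from 1 without gaps, got {sorted(ns)}")
    if SIG_ATTR not in attrs:
        problems.append(f"no {SIG_ATTR} attribute (was -addjarsig run on this JAD?)")
    elif not b64_or_none(attrs[SIG_ATTR]):
        problems.append(f"{SIG_ATTR}: empty or not valid base64")
    return problems

# Constructed sample values: placeholder bytes, not a real certificate or signature.
SAMPLE_CERT = base64.b64encode(b"\x30\x82\x01\x00" + bytes(16)).decode()
SAMPLE_SIG = base64.b64encode(bytes(range(128))).decode()
JAD_SIGNED = (f"MIDlet-Jar-URL: test.jar\nMIDlet-Certificate-1-1: {SAMPLE_CERT}\n"
              f"MIDlet-Certificate-1-2: {SAMPLE_CERT}\n{SIG_ATTR}: {SAMPLE_SIG}\n")
JAD_SIG_ONLY = f"MIDlet-Jar-URL: test.jar\n{SIG_ATTR}: {SAMPLE_SIG}\n"
```

JAD_SIG_ONLY models a descriptor that went through -addjarsig without the certificates from -addcert; check_signed_jad reports the missing chain for it.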
Conclusion
To conclude:
- keystore file is the file you created for storing public and private key pairs
- csr file is the file you created for submission to get a valid certificate from CA
- after getting the certificate, save it to a file, and then import it back into your keystore file
- the keystore file is ready for use for signing JAR and JAD files



Hello:
I have a Thawte certificate (299$) and I want to sign my MIDlet. My app has one permission: javax.wireless.messaging.sms.send.
First scenario:
I use Netbeans. If I try to sign my MIDlet, only the .jad file changes. Netbeans adds the following lines:
MIDlet-Certificate-1-1: MIIEJjCCAw6gAwIBAgIQHJqq1asymZ……..
MIDlet-Certificate-1-2: MIIEnDCCA4SgAwIBAgIQR5dNeHOlv……
MIDlet-Certificate-1-3: MIIERTCCA66gAwIBAgIQM2VQCH….
If I try to install this MIDlet sending the jad and the jar files through Bluetooth, the installation goes ok. The app is secure. But if I try to send an SMS, (I push a “Send” command in a Form) the SMS is not sent. Nothing happens!!! No errors or exceptions, nothing, but if the MIDlet is not signed, the app can send the SMS well.
The second scenario:
I try to install the application using only the .jar file.
I sign my application with jarsigner:
jarsigner -tsa https://timestamp.geotrust.com/tsa -keystore Keystore.p12 -storetype pkcs12 MyMIDlet.jar myalias
Doing this, the jar file increases its size. I can see inside the META-INF folder, inside the jar file, that:
1. The Manifest file has several digests. One for each file inside the jar:
Manifest-Version: 1.0
bla bla bla…
Name: res/icon.png
SHA1-Digest: NFzSgJ9d8aHy/v4thNG+sMAhNiQ=
Name: etc…
2. I have two new files: myalias.SF and myalias.RSA
But if I try to install this jar I obtain an error message: The application is not trusted!
Help!!