How exactly do I create a signed JAR for use in Netscape browsers?

John Zukowski



To use a trusted applet within Netscape Navigator/Communicator requires a signing certificate. You contact an independent Certification Authority (CA) like Verisign. Or, if you wish to setup your own in-house CA, for intranet/extranet applications, you can purchase Netscape's Certificate Server.

Netscape's tool for object signing is called the Netscape Signing Tool. There are different versions available for the major platforms that Netscape supports. Previous versions of the tool were called zigbert and Page Signer. Those tools are no longer supported.

The Signing Tool program named is called signtool and is used to sign jar files for Netscape Communicator 4.x. Even though you use signtool to sign jar files, Communicator still prompts the user for permissions. So source code still has to be modified using the Capabilities API mechanism.

While you can get free (Class 1) certificates for email use, in order to sign an object with Netscape's signtool (other than a test certificate), you must get a Class 2 or Class 3 certificate from one of these CAs supported. These run from $20 to $400, depending on the vendor and the class. And, the certificates acquired are specifically for use with the Netscape Signing Tool, not Internet Explorer.

Before you can install new keys and certificates, you must set the database password within Communicator. First select the Security icon in the toolbar for Communicator:

This brings up the Security Info window. From here, select the Passwords option:

This brings up the Passwords window. From here, select the Set Password button and enter in a password. Don't forget it. Exit out of Communicator completely after updating the certificate database.

For testing purposes, you can generate a test certificate with signtool. With the NT version of the Netscape Signing Tool, you must specify the appropriate Communicator User directory, where the password you just set would be saved. By default, this would be C:Program FilesNetscapeUsersdefault. However, default should probably be replaced by the username you have established within the browser.

Warning: Be sure to exit Communicator before running signtool to generate a test certificate. Otherwise, you risk corrupting your certificate and key databases.

signtool -G"mytestcert"
    -d "C:Program FilesNetscapeUsersdefault"

The signtool program then goes through a series of prompts asking you similar information to what was stored in the .prof file with javakey. Responses are in bold:

using certificate directory:
  C:Program FilesNetscapeUsersdefault

Enter certificate information.  All fields are optional.
Acceptable characters are numbers, letters, spaces, and
certificate common name: Test Certificate
organization: Some Company X
organization unit: Mars
state or province: MA
country (must be exactly 2 characters): US
username: jane
email address: jane.doe@foo.foo
Enter Password or Pin for "Communicator Certificate DB":
generated public/private key pair
certificate request generated
certificate has been signed
certificate "mytestcert" added to database
Exported certificate to x509.raw and x509.cacert.

Once everything has run, signtool will modify the cert7.db and key3.db files in the directory specified by -d. Also, as the last line specifies, the files x509.raw and x509.cacert (cacert = CA Certificate) contain the certificate. This can be imported into other Communicator copies or saved onto disk. If you were to purchase a real certificate, the certificate would be stored in MyKey.p12 (private key), as well as the two previously mentioned files.

Once you have a signing certificate, you can sign a program. The following demonstrates reading a file using Netscape's Capabilities API:

import java.applet.*;
import java.io.*;
import java.awt.*;
import netscape.security.*;

public class ReadFileNS extends Applet {
  public void init() {
    try {
      // cryptographic principals at [0]
      // codebase principals at [1]
      Principal prin = PrivilegeManager.getMyPrincipals()[0];
      PrivilegeManager pm = PrivilegeManager.getPrivilegeManager();
      String filename = getParameter ("filename");
      Target readTarget = Target.findTarget ("FileRead");
      readTarget.enablePrivilege (prin, filename);
      // read file
      // Don't use FileReader - it fails, wrong call stack
      FileInputStream fis = new FileInputStream (filename);
      InputStreamReader isr = new InputStreamReader (fis);
      BufferedReader br = new BufferedReader (isr);
      StringWriter sw = new StringWriter();
      String line;
      while ((line = br.readLine()) != null) {
        sw.write (line);
        sw.write ('
      setLayout (new BorderLayout());
      add (new TextArea (sw.toString()), BorderLayout.CENTER);
    } catch (ForbiddenTargetException e) {
      System.err.println ("User denied access to read file");
    } catch (IOException e) {
      System.err.println ("Error reading file");

You can list the available signing certificates with the -l option or the -L option for all certificates, including the CAs.

To sign the ReadFileNS class file, perform the following steps:

  1. Compile the source file. (Make sure Netscape's Capabilities classes are in your CLASSPATH.)
  2. Make a signing directory. (The example below assumes that the signing directory has the name "signing".) The signtool places everything in a particular directory tree into the jar file.
  3. Copy class files for applet (and any support files if necessary, although not in this case) into directory.
  4. Sign it: (Include a -d dirname if necessary)
    signtool -k mytestcert
             -Z readNS.jar

    This results in the following series, with you entering the Netscape certificate database password when prompted:

    using certificate directory:
    Generating signing/META-INF/manifest.mf file..
    --> ReadFileNS.class
    adding signing/ReadFileNS.class to readNS.jar...
        (deflated 44%)
    Generating zigbert.sf file..
    Enter Password or Pin for
        "Communicator Certificate DB":
    adding signing/META-INF/manifest.mf to readNS.jar...
        (deflated 14%)
    adding signing/META-INF/zigbert.sf to readNS.jar...
        (deflated 26%)
    adding signing/META-INF/zigbert.rsa to readNS.jar...
        (deflated 43%)
    tree "signing" signed successfully
  5. Verify the signature: (Include a -d dirname if necessary)
    signtool -v readNS.jar

    If everything went okay, this results in the following:

    using certificate directory:
    archive "readNS.jar" has passed crypto verification.
              status   path
        ------------   -------------------
            verified   ReadFileNS.class
  6. Once you have a signed jar file, create an HTML file that references it:
    <param name="filename" value="C:	empfile.txt">

    Now, when you run the program from a foreign web server, you will get the Java Security check window, as before and if you click the Certificate button, you will see the test certificate:

  7. Close the certificate window and Grant the access. Then, the applet displays the file in a TextArea, assuming the file exists. If you Deny the permission, a security exception will be thrown. This causes the User denied access to read file message to be displayed in the Java console.

During the development cycle, you can test Netscape's Capabilities-based architecture without signing anything. Once this is enabled, if you run across an applet from somewhere (including the open Internet) that requests additional privileges, you will be asked if you trust the applet. Be very careful and only trust what you are testing. To enable, place the following line in the prefs.js file in your subdirectory under the Users directory of your Communicator installation.

user_pref("signed.applets.codebase_principal_support", true);

Then Netscape will recognize all code as signed. Be careful using this! Don't forget to remove it when finished testing!