How to create a Java keystore
for plugin signing the easy way
Mikkel Flindt Heisterberg
OnTime by IntraVision

Create the keystore
• Use iKeyMan to create the keysore
– <Notes>jvmbinikeyman.exe i.e. C:Notes8jvm
binikeyman.exe
• Create keystore of
type JCEKS and
specify a password
for the keystore
• Note the directory
where you create the
keystore

Create self-signed certificate
• In ”Personal Certificates” click ”New Self-
Signed...” and fill in the fields.
• Make sure to adjust the
validity perido of the
certificate
• Note the ”Key Label”
you specify (here it’s
”signerkey”)
• Exit iKeyman

Verify keystore
• In a DOS prompt use the KeyTool from the JDK
to verify the keystore
– If you haven’t got a JDK installed use the one
installed with Notes
(<Notes>jvmbinkeytool.exe)
• C:Notes8jvmbinkeytool.exe -keystore
keystore.jck -storetype jceks -list -v

Verify keystore

Export certificate
• Now export the certificate that is the
certificate to verify jar-file signatures
– Again using the keytool as before
– This creates mycert.der which is the file you
import into Domino Directory
• C:Notes8jvmbinkeytool.exe -keystore
keystore.jck -storetype jceks –export
–file mycert.der –alias signerkey

Export certificate

Import the certificate in Domino

Import the certificate in Domino

Import the certificate in Domino

Import the certificate in Domino

Trust
• Next steps are to
– Cross certify the imported internet certificate with
your a Notes certifier
– Use policies (Security settings) to broadcast the
internet certificate and cross certification of the
internet certificate to Notes clients
– The option is on the ”Keys and Certificates” tab
under ”Administrative Trust Defaults”

Sign jar-file using keystore
• You sign jar-files using the jarsigner.exe tool
from the JDK
– Again you can use the one installed with the Notes
JVM if need be
• C:Notes8jvmbinjarsigner.exe -keystore
keystore.jck -storetype jceks –signedjar
signed.jar myfile.jar signerkey

Sign jar-file using keystore