Obtain a JCE Code Signing Certificate

JCE Code Signing Certification Authority

IMPORTANT NOTE: Oracle does not issue general code-signing certificates for applet or Web Start deployment. The process described here is only for obtaining certificates for use with the Java Cryptography Extensions (JCE) framework that require certificates issued by the JCE Certificate Authority (CA). Note that some OpenJDK implementations do not require a certificate.

A certificate received from this process will not work for anything other than authenticating JCE providers to the JCE framework (that is, the certificate will not work for deployment purposes.)

There are many third-party Java code-signing certificate providers available. To obtain a general code-signing certificate, please consult the major search engines using the terms:

Java Code Signing Certificate

To request a JCE code signing certificate, follow these steps:

1. Create an email message addressed to the JCE Code Signing Certification Authority

Create an email message addressed to jce-cert-request_ww_grp@oracle.com. In the Subject line, enter the following:

Request a Certificate for Signing a JCE Provider

This exact subject line must be used or else the spam filters will not let the message through.

Ensure that the email message format is plain text and its character encoding is ASCII.

2. Add your contact information

Include the following contact information in the body of your email message:

  • Company Name
  • Company Website URL
  • Company Street Address (Not a post office box)
  • City
  • State/Province
  • ZIP/Postal Code
  • Country
  • Company Telephone Number
  • Requester Name
  • Requester Telephone Number
  • Requester Email Address
  • Brief description of your company, for example:
    • Company size
    • Line of business
  • Rationale for JCE Code Signing Certificate, for example:
    • List algorithms supported, or if you are building/enhancing specific third-party cryptographic libraries

All of the above information is required.

3. Generate a Certificate Signing Request (CSR) for your Java Cryptography Extension provider

It's recommended that the key pair used to generate this CSR uses RSA or DSA with 2048 or more bits.

For information about generating CSRs, see the following in the Java SE documentation of the release you're using:

  • The section "How to Implement a Provider in the Java Cryptography Architecture" in Security Developer's Guide
  • The keytool command in JDK Tool Specifications or the keytool man page

Attach the CSR to the email message or include it in the body of your email message. If your email application has an option for specifying the encoding format for attachments, select the MIME option.

Note: The CSR file is just a plain text file in Base64 encoding. Only the first and last lines are human-readable. For example:



-----BEGIN NEW CERTIFICATE REQUEST-----
MIIC3jCCAcYCAQAwaTEdMBsGA1UEChM...
...deleted...
-----END NEW CERTIFICATE REQUEST-----

4. Complete the Certification Form for CSPs

Download and complete the Certification Form for CSPs, then scan it as a PDF or JPG file.

Attach the scan of the completed form to your email message.

5. Verify then send your JCE code signing certificate request

Verify that your email message contains your contact information, CSR, and completed Certification Form for CSPs, then email it to jce-cert-request_ww_grp@oracle.com.

Once the JCE Code Signing Certification Authority receives your request, they will validate it and perform a background check. If this check passes, then they will create and sign a JCE code-signing certificate valid for 5 years. You will receive an email message containing two text certificates: the code-signing certificate and the JCE CA certificate, which authenticates the code-signing certificate's public key.

Allow ten business days from receipt of your request for processing.