Hi,
I'll do my best, though I must admit that a lot of this was set up before I worked on this project, so a lot was in place already.
I use an ant target in order to get my jar file signed. Below is the ant target that is in our build.xml file (relevant parts obscured):
This ant target uses the JDK jarsigner tool to get the jar signed. You can use this tool straight up too (no need to ride on ant).
The other important bits are the keystore, keypass and storepass. Again, I don't know too much about these because they were set up before I arrived, but I am pretty sure that there is nothing official (involving CAs) about them.
Actually, this doc http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/jarsigner.html seems pretty good at describing everything. So I'll leave this with you to digest.
So after all this, when I make my jars available with webstart, the user is able to download them but they are prompted to 'accept the risk and trust the source of the signing' in order to actually start the app. In our business environment it's not an issue, cause everyone knows that we maintain the app. Everyone just accepts.
Hope this has helped.
Cheers, Jared.
[ May 11, 2005: Message edited by: Jared Cope ]
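Added example, not part of Jared's post and not his project's build.xml: a sketch of a signing target of the kind described above, using Ant's `signjar` task (which drives jarsigner) followed by `verifyjar` so the build fails if the signature does not check out. The project name, file paths, alias and property names are all assumptions; the passwords are read from a properties file kept outside version control instead of being written into build.xml.

```xml
<project name="signing-example" default="sign" basedir=".">

  <!-- Assumed: this file defines sign.storepass and sign.keypass and is
       readable only by the build user; it is never committed. -->
  <property file="${user.home}/.myapp-signing.properties"/>

  <!-- Assumed locations and alias; adjust to the real keystore. -->
  <property name="sign.keystore" location="keys/myapp.jks"/>
  <property name="sign.alias"    value="myapp"/>
  <property name="app.jar"       location="dist/myapp.jar"/>

  <!-- Stop early with a clear message if the secrets were not loaded,
       so jarsigner is never run with empty passwords. -->
  <target name="check-signing-props">
    <fail unless="sign.storepass"
          message="sign.storepass not set (expected in ~/.myapp-signing.properties)"/>
    <fail unless="sign.keypass"
          message="sign.keypass not set (expected in ~/.myapp-signing.properties)"/>
  </target>

  <target name="sign" depends="check-signing-props">
    <!-- keystore/storepass open the keystore; alias/keypass select and
         unlock the private key that signs the jar. -->
    <signjar jar="${app.jar}"
             alias="${sign.alias}"
             keystore="${sign.keystore}"
             storepass="${sign.storepass}"
             keypass="${sign.keypass}"/>

    <!-- Re-check the signed jar; the build fails if verification fails. -->
    <verifyjar jar="${app.jar}"
               alias="${sign.alias}"
               keystore="${sign.keystore}"
               storepass="${sign.storepass}"
               certificates="true"/>
  </target>

</project>
```

With a self-signed key in the keystore, the jar verifies locally but Web Start still shows the trust prompt mentioned in the post, because no CA vouches for the signer.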