Creating a self-signed certificate with ADT

Self-signed certificates allow you to produce a valid AIR installation file, but only provide limited security assurances to your users since the authenticity of self-signed certificates cannot be verified. When a self-signed AIR file is installed, the publisher information is displayed to the user as Unknown. A certificate generated by ADT is valid for five years.

If you create an update for an AIR application that was signed with a self-generated certificate, you must use the same certificate to sign both the original and update AIR files. The certificates that ADT produces are always unique, even if the same parameters are used. Thus, if you want to self-sign updates with an ADT-generated certificate, preserve the original certificate in a safe location. In addition, you will be unable to produce an updated AIR file after the original ADT-generated certificate expires. (You can publish new applications with a different certificate, but not new versions of the same application.)

Important: Because of the limitations of self-signed certificates, Adobe strongly recommends using a commercial certificate issued by a reputable certification authority for signing publicly released AIR applications.

The certificate and associated private key generated by ADT are stored in a PKCS12-type keystore file. The password specified is set on the key itself, not the keystore.

Generating a digital ID certificate for self-signing AIR files

 Use the ADT -certificate command (on a single command line):
adt -certificate -cn name [-ou org_unit][-o org_name][-c country] key_type pfx_file password

-cn name The string assigned as the common name of the new certificate.

-ou org_unit A string assigned as the organizational unit issuing the certificate. (Optional.)

-o org_nameA string assigned as the organization issuing the certificate. (Optional.)

-c countryA two-letter ISO-3166 country code. A certificate is not generated if an invalid code is supplied. (Optional.)

key_typeThe type of key to use for the certificate, either “1024-RSA” or “2048-RSA”.

pfx_file The path for the certificate file to be generated.

password The password for the new certificate. The password is required when signing AIR files with this certificate.

Certificate generation examples

adt -certificate -cn SelfSign -ou QE -o "Example, Co" -c US 2048-RSA newcert.p12 39#wnetx3tl 
adt -certificate -cn ADigitalID 1024-RSA SigningCert.p12 39#wnetx3tl

To use these certificates to sign AIR files, you use the following signing options with the ADT -package or -prepare commands:

-storetype pkcs12 -keystore newcert.p12 -keypass 39#wnetx3tl 
-storetype pkcs12 -keystore SigningCert.p12 -keypass 39#wnetx3tl