Tips for Signing OCAP Applications using OCAP SFG

  1. Request the necessary test certificates from CableLabs. It is likely that you will need to execute the OCAP Implementers Agreement with CableLabs before they provide the certificate files. As a minimum, you will be requested to execute Annex B of this agreement, for the "OCAP Materials". CableLabs should then supply the test root certificate, a certificate authority (CA) certificate, your leaf certificate and the private key for the leaf certificate. You will also need the pass phrase allocated by CableLabs for accessing your private key.
  2. Install the root certificate into your OCAP SFG certificate database by using the command:
    ocapsfg install -in {filename.cer} -selfsigned -base {directory}
    Where {directory} is the location of your default OCAP SFG file structure, containing the OCAP.index file and related directories, and {filename.cer} is the location of the certificate file which you are installing into the database. Note that the filename must end with .cer, so if the certificates are named with a .pem postfix, you will need to rename them as filename.pem.cer.
  3. Repeat this process for the CA certificate using:
    ocapsfg install -in {filename.cer} -base {directory} -purpose mhp_ca
  4. Finally, install your leaf certificate using:
    ocapsfg install -in {filename.cer} -base {directory} -purpose mhp_sign
    Note that you need to add the certificates nearest to the root certificate first, and work down to the leaf certificate last. The default "purpose" is mhp_sign.
  5. You can view the content of a certificate by using the following command:
    ocapsfg x509 -text -in {filename.cer}
  6. Generate a Permission Request File and place it in the same directory as the application initial class, naming the file ocap.{name}.perm, where {name} is the name of the initial class without the .class extension.
  7. Sign the application:
    ocapsfg sign -certfile {filename.cer} -keyfile {your.key} -sigdir {root} -xmlcred {sigfile.xml} -base {dir}
    Where {filename.cer} is the path name of your leaf certificate, {your.key} is your private key, {root} is the root of the OCAP application directory structure, {sigfile.xml} is the signature control file and {dir} is the directory containing the OCAP SFG default file structure. Note that if CableLabs has assigned you a private key with a pass phrase (which is most likely), you will be prompted to enter it after executing the above command.
    Or, if you are using a config file:
    ocapsfg sign -config {config.xml} -sigdir {dir} -xmlcred {sigfile.xml}
  8. Check a signature:
    ocapsfg sign -check -sigdir root -suffix 1
    Where -suffix denotes the suffix number of the ocap.certificates and ocap.signaturefile files.
  9. To view the files generated after signing an application:
    ocapsfg sign -text -in {root}/ocap.certificates.1
    ocapsfg sign -text -in {root}/ocap.signature.1
    ocapsfg sign -text -in {root}/ocap.hashfile
    Where {root} is the root of the signed OCAP application directory structure.
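
The certificate installation steps above, collected into one shell helper as an added example (not part of the original page or of OCAP SFG itself). It applies the .cer naming rule, installs the chain root first and leaf last, and derives where the permission request file must sit. The function names and the DRY_RUN switch are assumptions of this example; only the ocapsfg options shown on this page are used.

```shell
#!/bin/sh
# Added example. Prints the commands by default; set DRY_RUN=0 to execute
# them with a real ocapsfg on PATH.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# ocapsfg only accepts names ending in .cer: root.pem -> root.pem.cer
cer_name() {
    case "$1" in
        *.cer) printf '%s\n' "$1" ;;
        *)     printf '%s.cer\n' "$1" ;;
    esac
}

# install_chain BASE ROOT CA LEAF: rename where needed, then install the
# chain root first and leaf last, with the purpose flags from the steps above.
install_chain() {
    base=$1; shift
    [ "$#" -eq 3 ] || { echo "usage: install_chain BASE ROOT CA LEAF" >&2; return 2; }
    [ -f "$base/OCAP.index" ] || { echo "no OCAP.index in $base" >&2; return 1; }
    for f in "$@"; do
        [ -f "$f" ] || { echo "missing certificate: $f" >&2; return 1; }
    done
    root=$(cer_name "$1"); ca=$(cer_name "$2"); leaf=$(cer_name "$3")
    for f in "$@"; do
        n=$(cer_name "$f")
        [ "$n" = "$f" ] || run mv "$f" "$n" || return 1
    done
    run ocapsfg install -in "$root" -selfsigned -base "$base" &&
    run ocapsfg install -in "$ca" -base "$base" -purpose mhp_ca &&
    run ocapsfg install -in "$leaf" -base "$base" -purpose mhp_sign
}

# perm_file_for CLASSFILE: path of the permission request file, which sits
# beside the initial class and is named after it without the .class extension.
perm_file_for() {
    dir=$(dirname "$1"); name=$(basename "$1" .class)
    printf '%s/ocap.%s.perm\n' "$dir" "$name"
}

# Stand-alone use: script.sh BASE ROOT CA LEAF
if [ "$#" -eq 4 ]; then install_chain "$@"; fi
```

Review the printed plan before running with DRY_RUN=0, since the rename step moves the certificate files in place.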