Hi, I'm trying to configure Tomcat 7 (7.0.50) on Windows 7 using a cert from a CA (Entrust, if it matters). I downloaded the CA root, chain root and chain cert files, and my new certificate. Per the Tomcat guide, I used the keystore I generated the CSR from and followed these steps:
keytool -import -alias entrust -trustcacerts -keystore crush.jks -file entrust.crt.txt
[prompts me that the cert already exists in the system-wide CA keystore; I still add it]
keytool -import -alias chain-root -trustcacerts -keystore crush.jks -file L1Kchainroot.txt
keytool -import -alias chain -trustcacerts -keystore crush.jks -file L1Kchain.txt
keytool -import -alias tomcat -trustcacerts -keystore crush.jks -file entrustcert.crt.txt
Now when I list the contents of my keystore I see
C:\Users\crush\My Documents\cert>keytool -list -keystore crush.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 5 entries
entrust, Mar 30, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): B3:1E:B1:B7:40:E3:6C:84:02:DA:DC:3
chain, Mar 30, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): CC:A2:7D:33:C7:35:A7:D0:6D:1F:EC:A
chain-root, Mar 30, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): 9E:1A:0C:35:E7:14:B6:97:92:D0:90:B
tomcat, Mar 30, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): 6A:77:EC:32:1E:F9:AC:4F:BE:C7:CB:5
crush-windows7, Mar 26, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): 04:72:8A:36:56:7E:D5:0F:7E:E9:E0:1
Now I edited my server.xml file to be like so
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1"
keystoreFile="C:\Users\crush\apache-tomcat-7.0.50\conf\crush.jks"
keystorePass="storepassword"
keyPass="keypassword"
/>
When this boots up and I navigate to the page I'll see an untrusted connection warning
crush-windows7.crush.com:8443 uses an invalid security certificate. The certificate is not trusted because it is self-signed. (Error code: sec_error_ca_cert_invalid)
If I use -v with keytool and inspect the returned certificate I'll see the Issuer as Entrust
Owner: CN=crush-windows7.crush.com, ....
Issuer: CN=Entrust Certification Authority - L1K, OU="(c) 2012 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
But my private key entry has the issuer as myself
Owner: CN=crush-windows7.crush.com, ....
Issuer: CN=crush-windows7.crush.com, ....
I've been messing with this for a couple of hours and bashing my head against the wall; I've done this on Linux before using openssl instead of keytool without issues. Could this be my issue? No matter what connector config I try, it will not boot without the private key entry as the alias and the keyPass option set. If I remove the private key entry it will boot but never complete the SSL handshake. If I use the 'tomcat' alias for the keyAlias it will say
java.io.IOException: Alias name tomcat does not identify a key entry
Can I salvage my current certificate or do I need to generate a new private key and csr and submit a new request then move them to my windows machine? I really feel this is my issue, am I even close to being on point? Using windows for this has been less than comfortable, thanks for helping.
You have made a small mistake in step 4: Instead of updating your PrivateKeyEntry with the certificate issued by Entrust, you have imported it as a trusted certificate.
The right command would have been:
keytool -import -alias crush-windows7 -trustcacerts -keystore crush.jks -file entrustcert.crt.txt
I had a CA certificate which is expiring this year. My key.jks file lists as below.
inter, Dec 17, 2019, trustedCertEntry,
....
root, Dec 17, 2019, trustedCertEntry,
....
app.domain.com, Dec 29, 2019, PrivateKeyEntry,
To extend validity I gave the same CSR file as last year. Now I have 3 new crt files for inter, root and domain-name.
Now I tried to remove old entries by
keytool -delete -alias inter -keystore key.jks -storepass pword
keytool -delete -alias root -keystore key.jks -storepass pword
keytool -delete -alias app.domain.com -keystore key.jks -storepass pword
and imported the new cert files like
keytool -import -alias inter -file intermediate.crt -keystore key.jks -storepass pword
keytool -import -alias root -file TrustedRoot.crt -keystore key.jks -storepass pword
keytool -import -alias app.domain.com -file app_domain_com.crt -keystore key.jks -storepass pword
Now keytool -list does not show a PrivateKeyEntry for app_domain_com.crt and the application is not coming up.
inter, Dec 15, 2020, trustedCertEntry,
....
root, Dec 15, 2020, trustedCertEntry,
....
app.domain.com, Dec 15, 2020, trustedCertEntry,
I have ADFS SSO integration and wanted to avoid changes with it because of this certificate change.
Your third delete command deleted your private key as well. That's why your application is broken; you need your private key for SSL to work.
When you said you wanted to reuse the same CSR that was used last time, it means you were planning on using the same private key, but you deleted it. That's why you see them as different types after you deleted and imported. In your first keytool list you have app.domain.com as a PrivateKeyEntry (contains private key and certificate), but after you deleted and imported the cert, you have app.domain.com as a TrustedCertEntry (only certificate). If you had not deleted the private key, the import command would have associated the new certificate with it; since the private key is not found, it just adds the certificate.
In your case you should have done these steps:
Not run the third delete command
Imported the new certificate and associated with the existing private key using keytool's -importcert command.
Something to consider when trying to reuse the same CSR as last time can be found here, here and here.
P.S: I hope you have backed up your original keystore.
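Both the Tomcat answer further up (import the reply under the key alias, not a new one) and this renewal answer (never delete the PrivateKeyEntry; import onto it) come down to a single keystore operation: replacing the certificate chain attached to the existing private key, after checking that the new certificate really certifies that key. The following Java program is an added example, not part of either answer; it performs that operation with the java.security.KeyStore API (the same implementation keytool uses) so the check keytool performs silently becomes visible. The file names, aliases and passwords are the questions' placeholders or assumptions.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/**
 * Installs a CA reply (first issue or renewal) onto the EXISTING PrivateKeyEntry of a JKS or
 * PKCS12 keystore: what "keytool -importcert -alias <keyAlias>" does, and what importing under
 * a fresh alias (or after deleting the key) does not. Added example, not from the page.
 * Usage (file names, aliases and passwords are the questions' placeholders or assumptions):
 *   java InstallCertReply crush.jks storepassword crush-windows7 keypassword entrustcert.crt.txt
 */
public class InstallCertReply {

    public static void main(String[] args) throws Exception {
        Path ksPath = Paths.get(args[0]);
        char[] storePass = args[1].toCharArray();
        // A deleted PrivateKeyEntry cannot be recovered: copy the keystore before touching it.
        Files.copy(ksPath, Paths.get(args[0] + ".bak"), StandardCopyOption.REPLACE_EXISTING);

        KeyStore ks = load(ksPath, storePass);
        list("before", ks);
        install(ks, args[2], args[3].toCharArray(), Paths.get(args[4]));
        try (OutputStream out = Files.newOutputStream(ksPath)) {
            ks.store(out, storePass);
        }
        list("after", ks);
    }

    /** Opens the file as JKS first, then as PKCS12 (Tomcat and JBoss accept both). */
    static KeyStore load(Path path, char[] pass) throws Exception {
        for (String type : new String[] {"JKS", "PKCS12"}) {
            try (InputStream in = Files.newInputStream(path)) {
                KeyStore ks = KeyStore.getInstance(type);
                ks.load(in, pass);
                return ks;
            } catch (java.io.IOException wrongTypeOrPassword) { /* try the other type */ }
        }
        throw new IllegalArgumentException("cannot open " + path + " as JKS or PKCS12 (format or password?)");
    }

    /** The facts "keytool -list" shows: entry type and, for key entries, the chain that will be served. */
    static void list(String label, KeyStore ks) throws Exception {
        System.out.println("== " + label);
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String a = e.nextElement();
            if (ks.isKeyEntry(a)) {
                Certificate[] chain = ks.getCertificateChain(a);
                System.out.printf("%s: PrivateKeyEntry, chain length %d, leaf issued by %s%n", a,
                        chain.length, ((X509Certificate) chain[0]).getIssuerX500Principal());
            } else {
                System.out.printf("%s: trustedCertEntry%n", a);
            }
        }
    }

    static void install(KeyStore ks, String alias, char[] keyPass, Path replyFile) throws Exception {
        if (!ks.isKeyEntry(alias)) {
            // keytool's wording for the same situation: "Alias name <alias> does not identify a key entry".
            throw new IllegalStateException(alias + " is not a PrivateKeyEntry; use the alias the CSR was made from");
        }
        PrivateKey key = (PrivateKey) ks.getKey(alias, keyPass);
        X509Certificate current = (X509Certificate) ks.getCertificate(alias);

        // The reply may be one certificate or a PEM/PKCS#7 bundle; the end-entity cert must come first.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = Files.newInputStream(replyFile)) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        if (chain.isEmpty()) throw new IllegalArgumentException("no certificate in " + replyFile);

        // The check behind "Certificate reply was installed in keystore": the reply must certify the
        // public key of THIS private key, which a renewal made from the same CSR does.
        if (!chain.get(0).getPublicKey().equals(current.getPublicKey())) {
            throw new IllegalStateException("reply does not match the key under " + alias
                    + "; it was issued for a different CSR/key");
        }
        // Each link must verify against the next before anything is written back.
        for (int i = 0; i + 1 < chain.size(); i++) {
            chain.get(i).verify(chain.get(i + 1).getPublicKey());
        }
        X509Certificate top = chain.get(chain.size() - 1);
        if (!top.getSubjectX500Principal().equals(top.getIssuerX500Principal())) {
            System.err.println("note: chain ends at " + top.getSubjectX500Principal()
                    + "; add the missing intermediate(s) to the reply file or clients see an incomplete chain");
        }
        ks.setKeyEntry(alias, key, keyPass, chain.toArray(new Certificate[0]));
    }
}
```

Compare the "before" and "after" listings: in the Tomcat case the key alias goes from a self-signed chain of length 1 to a chain issued by the CA, while a wrong alias fails on the first check instead of silently producing a trustedCertEntry. A leftover trustedCertEntry such as tomcat can then be removed with keytool -delete; the copy written to <keystore>.bak is the safety net the renewal answer's P.S. asks for.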
The keytool command is supposed to generate public-private key pairs. I use the following command to generate the public-private key pair:
keytool -genkey -alias test -keystore testkeystore -validity 1000
If I open and look at the keystore, I see the following:
C:\Program Files\Java\jdk1.7.0_25\bin>keytool -list -keystore testkeystore
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
test, May 1, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): 0C:FB:51:84:1C:3F:74:C7:1C:F9:F1:DE:E6:89:90:E6:39:78:F3:FD
I am confused as to what is the public key here and what is the private key. Can anyone help?
The entry contains both the private key and a self-signed certificate containing the public key.
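To make the two halves concrete, here is an added example (not part of the question or the answer) that opens the entry and demonstrates that the private key and the public key inside the certificate are a matched pair, and that the certificate is, right after -genkey, self-signed. Keystore name and alias are the question's; the password is an assumption.

```java
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Base64;

/**
 * Shows what a keytool -genkey PrivateKeyEntry holds: the private key itself and a
 * (self-signed) certificate carrying the matching public key.
 * Added example, not from the page. Usage (the password is an assumption):
 *   java ShowKeyPair testkeystore changeit test
 */
public class ShowKeyPair {
    public static void main(String[] args) throws Exception {
        char[] pass = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            ks.load(in, pass);
        }
        // keytool -genkey uses the store password for the key too unless -keypass was given.
        KeyStore.Entry entry = ks.getEntry(args[2], new KeyStore.PasswordProtection(pass));
        if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
            throw new IllegalArgumentException(args[2] + " is not a PrivateKeyEntry");
        }
        KeyStore.PrivateKeyEntry pke = (KeyStore.PrivateKeyEntry) entry;
        PrivateKey priv = pke.getPrivateKey();
        X509Certificate cert = (X509Certificate) pke.getCertificate();
        PublicKey pub = cert.getPublicKey(); // the public key lives inside the certificate

        System.out.println("private key : " + priv.getAlgorithm() + ", format " + priv.getFormat());
        System.out.println("public key  : " + pub.getAlgorithm() + ", format " + pub.getFormat() + ", "
                + Base64.getEncoder().encodeToString(pub.getEncoded()).substring(0, 32) + "...");
        System.out.println("subject     : " + cert.getSubjectX500Principal());
        System.out.println("issuer      : " + cert.getIssuerX500Principal());
        System.out.println("self-signed : " + isSelfSigned(cert));
        System.out.println("key pair    : " + (isKeyPair(priv, pub) ? "match" : "MISMATCH"));
    }

    /** Self-signed: issuer equals subject and the signature verifies under its own public key. */
    static boolean isSelfSigned(X509Certificate cert) {
        try {
            cert.verify(cert.getPublicKey());
            return cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
        } catch (Exception e) {
            return false;
        }
    }

    /** Proves the two halves belong together: sign with the private key, verify with the public one. */
    static boolean isKeyPair(PrivateKey priv, PublicKey pub) throws Exception {
        String algo = "EC".equals(priv.getAlgorithm()) ? "SHA256withECDSA" : "SHA256with" + priv.getAlgorithm();
        byte[] msg = "constructed test message".getBytes(StandardCharsets.UTF_8);
        Signature sig = Signature.getInstance(algo);
        sig.initSign(priv);
        sig.update(msg);
        byte[] signature = sig.sign();
        sig.initVerify(pub);
        sig.update(msg);
        return sig.verify(signature);
    }
}
```

Only the certificate (and with it the public key) is ever handed to clients; the private key is what keytool -export never writes out and what the "Include Private Key" option in the Windows export wizard is about.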
I registered a domain and would like to set up SSL encryption for it. My domain provider offered to get me an SSL certificate from COMODO. I generated a key and a CSR file using OpenSSL:
openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr
The command produced a private key, myserver.key, and the CSR file. I uploaded the content of the CSR to Comodo, and after verification, they sent me the following files:
Root CA Certificate - AddTrustExternalCARoot.crt
Intermediate CA Certificate - COMODORSAAddTrustCA.crt
Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
Your PositiveSSL Certificate - mydomain.crt
I'm lost on where to go from here. I followed these instructions:
https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/638/0/certificate-installation-java-based-web-servers-tomcat-using-keytool
and created a domain.keystore file, but I'm not sure if that's the right thing to do or not. My configuration in Jboss now looks like this:
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
<ssl name="mydomain" password="*****" protocol="TLSv1" certificate-key-file="../standalone/configuration/domain.keystore"/>
</connector>
But that doesn't seem to work. I get no error in the server log, the page simply times out. If i use http it works normally. Any advice?
EDIT:
I took a different approach, I generated my keystore in this way:
keytool -genkey -alias domain -keyalg RSA -keysize 2048 -keystore domain.keystore
then I uploaded the new csr info to comodo and got the three .crt certificates back. I imported them into the keystore with this command:
keytool -import -trustcacerts -alias domain -file domain.crt -keystore domain.keystore
and then I used the keystore in the standalone.xml in this way:
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
<ssl name="domain-ssl" key-alias="domain" password="******" certificate-key-file="../standalone/configuration/domain.keystore" protocol="TLSv1"/>
</connector>
The server starts, but when I try to connect to it, my browser says that the connection is untrusted:
domain uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
(Error code: sec_error_ca_cert_invalid)
I finally managed to get the installation right! Here's how you do it:
Install the COMODO certificates into your keystore with this command:
keytool -import -trustcacerts -alias <filename> -file <filename>.crt -keystore domain.keystore
in the following order:
» Root: AddTrustExternalCARoot.crt
» Intermediate 1: COMODOAddTrustServerCA.crt
» Intermediate 2: COMODOExtendedValidationSecureServerCA.crt
Then install your domain certificate:
keytool -import -trustcacerts -alias mykey -file yourDomainName.crt -keystore domain.keystore
You should use the same alias, instead of mykey, that you used to generate your keystore. If you do everything correctly, you should get this output:
Certificate reply was installed in keystore
Anything else means you probably didn't use the correct alias. The final thing you need to do is to modify your standalone.xml like this:
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
<ssl name="<domain>-ssl" key-alias="<domain>" password="******" certificate-key-file="../standalone/configuration/<domain>.keystore"/>
</connector>
And you should be good to go!
My domain provider offered me to get a SSL certificate from COMODO...
...
Any advice?
Don't pay for the certificate. You can get a free Class 1 certificate from StartCom. The Class 1 is good for server authentication without a wildcard domain. If you want an extended validation certificate or a wildcard certificate, then you will have to buy a Class 2 or higher.
Also, while Startcom issues the certificate for free, they charge for revocation because that's where the cost lies.
I'm lost on where to go from here...
Convert Intermediate CA Certificate - COMODORSAAddTrustCA.crt, Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt and Your PositiveSSL Certificate - mydomain.crt to PEM files. PEM files are the ones that start with -----BEGIN CERTIFICATE----- and finish with -----END CERTIFICATE-----.
Then, concatenate your three PEM files into a single file. The file will have three certificates in it. Call it mydomain-chain.pem, and load that into your server. Also load myserver.key into your server.
Don't do anything with Root CA Certificate - AddTrustExternalCARoot.crt. Clients have to use it as a root. There's no need to send it to the client in the ServerHello.
You can test your setup with the following. Notice how the client uses the root:
openssl s_client -connect myserver:443 -CAfile AddTrustExternalCARoot.crt
The command should end with Verify (0) OK or similar.
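The s_client check above needs the server to be up. The following Java program, an added example that is not part of the answer, does the same verification offline against the keystore: it takes the chain the key entry would send and runs the JDK's PKIX validator with the CA root as the only trust anchor, which is what a browser effectively does. The keystore name, alias and root file are taken from the question; the password is an assumption.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Offline counterpart of "openssl s_client -CAfile root.crt": takes the chain the server
 * would send (the key entry's certificate chain) and validates it with the JDK's PKIX
 * validator, using the CA root as the only trust anchor, as a browser effectively does.
 * Added example, not from the page. Usage (the password is an assumption):
 *   java CheckServerChain domain.keystore changeit domain AddTrustExternalCARoot.crt
 */
public class CheckServerChain {
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            ks.load(in, args[1].toCharArray());
        }
        Certificate[] stored = ks.getCertificateChain(args[2]);
        if (stored == null) throw new IllegalArgumentException(args[2] + " is not a key entry");
        List<X509Certificate> sent = new ArrayList<>();
        for (Certificate c : stored) sent.add((X509Certificate) c);

        X509Certificate root;
        try (InputStream in = Files.newInputStream(Paths.get(args[3]))) {
            root = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println(validate(sent, root));
    }

    /** Validates leaf -> intermediates against the root and returns a one-line verdict. */
    static String validate(List<X509Certificate> sent, X509Certificate root) throws Exception {
        List<X509Certificate> path = new ArrayList<>(sent);
        // The root is the client's trust anchor, so drop it if the server included it in the chain.
        if (!path.isEmpty() && path.get(path.size() - 1).equals(root)) {
            path.remove(path.size() - 1);
        }
        if (path.isEmpty()) return "Nothing to validate: the key entry holds only the root";

        CertPath cp = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(root, null)));
        params.setRevocationEnabled(false); // offline check: no CRL or OCSP fetching
        try {
            PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult)
                    CertPathValidator.getInstance("PKIX").validate(cp, params);
            return "Verify OK: " + path.size() + " certificate(s) served, anchored at "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal();
        } catch (CertPathValidatorException e) {
            // A self-signed leaf, or a missing intermediate, ends up here ("does not chain ...").
            String where = e.getIndex() >= 0
                    ? path.get(e.getIndex()).getSubjectX500Principal().toString() : "chain";
            return "Verify FAILED at " + where + ": " + e.getMessage();
        }
    }
}
```

Run against the keystore from the question's first attempt (self-signed certificate still on the key entry) it fails with the validator's "does not chain" message, which is the same condition the browser reports as sec_error_ca_cert_invalid; after the reply has been installed on the key alias it reports Verify OK with the intermediates counted and the root left out, matching the advice above not to send the root.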
"Failed to load keystore type JKS with path ../standalone/configuration/mydomain-chain.pem due to Invalid keystore format" means your keystore is not valid. Don't create a new one; use the keystore file you created when submitting the CSR file to them. Use the same keystore: if you change the keystore, it is not accepted.
I have an application in Java and CXF which connects to web services with a client certificate.
I got the certificates from the web service owner:
certificate.p12
certificate.pem
certificate.crt
trusted_ca.cer
root_ca.cer
I have a problem with straightforwardly converting this p12 certificate to the working JKS keystore required by Java.
I did this:
keytool -importkeystore -srckeystore certificate.p12 -srcstoretype PKCS12 -destkeystore certificate1.jks -deststoretype JKS -storepass secret
keytool -import -alias root -file root_ca.cer -trustcacerts -keystore certificate1.jks -storepass secret
keytool -import -alias trusted -file trusted_ca.cer -trustcacerts -keystore certificate1.jks -storepass secret
but this jks doesn't work and I get HTTP response '403: Forbidden' when using this certificate1.jks.
However, if I import this p12 (pfx) certificate into Internet Explorer and then export the certificate from IE in pfx format selecting the "Include all certificates in the certification path" checkbox and use:
keytool -importkeystore -srckeystore certificate.pfx -srcstoretype PKCS12 -destkeystore certificate2.jks -deststoretype JKS -storepass secret
keytool -import -alias root -file root_ca_kir.cer -trustcacerts -keystore certificate2.jks -storepass secret
keytool -import -alias trusted -file trusted_ca_kir.cer -trustcacerts -keystore certificate2.jks -storepass secret
Then everything works fine and I can connect to WebService using certificate2.jks.
I found that the original certificate.p12 (pfx) contains only one entry (Certificate chain length: 1):
keytool -list -keystore certificate.p12 -storepass secret -storetype PKCS12 -v
*******************************************
*******************************************
Alias name: alias
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=MyCompany, EMAILADDRESS=my.email#domain.com, O=bla, C=PL
Issuer: CN=Trusted CA, O=ble, C=PL
Serial number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Valid from: ... until: ...
Certificate fingerprints:
MD5: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
SHA1: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: X.X.XX.XX Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]
...
*******************************************
*******************************************
while the certificate.pfx exported from IE with "Include all certificates in the certification path" contains a certificate chain with the second Trusted CA certificate (Certificate chain length: 2):
keytool -list -keystore certificate.pfx -storepass secret -storetype PKCS12 -v
*******************************************
*******************************************
Alias name: alias
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=MyCompany, EMAILADDRESS=my.email#domain.com, O=bla, C=PL
Issuer: CN=Trusted CA, O=ble, C=PL
Serial number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Valid from: ... until: ...
Certificate fingerprints:
MD5: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
SHA1: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: X.X.XX.XX Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]
...
Certificate[2]:
Owner: CN=Trusted CA, O=ble ble ble, C=PL
Issuer: CN=ROOT CA, O=ble ble ble, C=PL
Serial number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Valid from: ... until: ...
Certificate fingerprints:
MD5: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
SHA1: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
*******************************************
*******************************************
So to solve my problem I need to have a p12 certificate with the chain up to the trusted CA certificate.
I can do this by importing p12 to IE and then exporting back with "Include all certificates in the certification path".
How can I do this without IE using keytool or other tool?
Bary
Own answer.
I figured out how to do this with OpenSSL:
openssl pkcs12 -in certificate.p12 -out clientcert.pem -nodes -clcerts
openssl x509 -in trusted_ca.cer -inform DER -out trusted_ca.pem
openssl x509 -in root_ca.cer -inform DER -out root_ca.pem
cat clientcert.pem trusted_ca.pem root_ca.pem >> clientcertchain.pem
openssl pkcs12 -export -in clientcertchain.pem -out clientcertchain.pfx
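The same chain assembly can be done without openssl or IE by rewriting the PKCS#12 through the Java KeyStore API. The following program is an added example, not part of the answer above: it reads the single-entry certificate.p12, orders trusted_ca.cer and root_ca.cer behind the client certificate by following issuer names (verifying each signature on the way), and writes a new PKCS#12 whose entry reports a chain length of 3. The password `secret` is the question's; the output file name is an assumption.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/**
 * Rewrites a PKCS#12 whose PrivateKeyEntry has "Certificate chain length: 1" into one
 * carrying the full chain (client cert -> Trusted CA -> ROOT CA), with no IE round trip.
 * Added example, not from the page. Usage (the output name is an assumption; any number
 * of CA certificate files may follow it):
 *   java AddChainToP12 certificate.p12 secret clientcertchain.p12 trusted_ca.cer root_ca.cer
 */
public class AddChainToP12 {
    public static void main(String[] args) throws Exception {
        char[] pass = args[1].toCharArray();
        KeyStore src = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            src.load(in, pass);
        }
        // CA certificates; CertificateFactory reads DER (.cer) and PEM alike.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> pool = new ArrayList<>();
        for (int i = 3; i < args.length; i++) {
            try (InputStream in = Files.newInputStream(Paths.get(args[i]))) {
                for (Certificate c : cf.generateCertificates(in)) pool.add((X509Certificate) c);
            }
        }

        KeyStore dst = KeyStore.getInstance("PKCS12");
        dst.load(null, null); // start from an empty store
        for (Enumeration<String> e = src.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!src.isKeyEntry(alias)) continue;
            PrivateKey key = (PrivateKey) src.getKey(alias, pass); // PKCS12: key password == store password
            X509Certificate leaf = (X509Certificate) src.getCertificate(alias);
            List<X509Certificate> chain = buildChain(leaf, pool);
            System.out.println(alias + ": certificate chain length " + chain.size());
            dst.setKeyEntry(alias, key, pass, chain.toArray(new Certificate[0]));
        }
        try (OutputStream out = Files.newOutputStream(Paths.get(args[2]))) {
            dst.store(out, pass);
        }
    }

    /**
     * Orders the chain by following issuer names upward, verifying each signature,
     * and stops at a self-signed root or when no issuer is available.
     */
    static List<X509Certificate> buildChain(X509Certificate leaf, List<X509Certificate> pool) throws Exception {
        List<X509Certificate> chain = new ArrayList<>();
        chain.add(leaf);
        X509Certificate cur = leaf;
        while (!cur.getIssuerX500Principal().equals(cur.getSubjectX500Principal())) {
            X509Certificate issuer = null;
            for (X509Certificate cand : pool) {
                if (cand.getSubjectX500Principal().equals(cur.getIssuerX500Principal())) {
                    cur.verify(cand.getPublicKey()); // same name but wrong key would throw here
                    issuer = cand;
                    break;
                }
            }
            if (issuer == null) {
                System.err.println("warning: no issuer found for " + cur.getSubjectX500Principal());
                break;
            }
            chain.add(issuer);
            cur = issuer;
        }
        return chain;
    }
}
```

The resulting file can be converted with the same keytool -importkeystore command as in the question; the JKS entry then carries the intermediate alongside the client certificate, which is the difference the IE export made.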
If you are working on Windows, you can install the certificate as usual through IIS, then open mmc.exe -> File -> Add / Remove Snap-in -> double click on "Certificates", select "Computer Account", Next, Finish, OK.
Expand Certificates; if needed, add the certificates from the CA into "Intermediate Certification Authorities" or "Trusted Root Certification Authorities".
Then go to "Web Hosting"; here must be your website certificates. Select the certificate, left click on it, select Export and follow the wizard. The important things to check are "Include Private Key", include all certificates in the chain, and export all extended properties; you must set a password, select the output file name and that is it. Now you have a certificate with the complete chain in it. No more problems with Facebook or similar.
I'm trying to sign an applet so that the publisher does not appear as "UNKNOWN" :
I work for an organisation and we have our own certification authority; the certificate chain is the following: ORG Root CA > ORG Trusted Certification Authority > Yann39 (me :D)
I requested a certificate and they provided me a link to get it into the browser.
Then I exported it (from Firefox) to get the PKCS#12 file that I named mystore.p12.
Then I did the following to sign my applet :
/* TO KNOW THE ALIAS */
c:\testrep>keytool -list -storetype pkcs12 -keystore mystore.p12
Enter keystore password: ********
Keystore type: pkcs12
Keystore provider: SunJSSE
Your keystore contains 1 entry
id de yann39, Oct 24, 2012, keyEntry,
Certificate fingerprint (MD5): D7:E3:83:1D:C1:40:68:72:5F:A8:6F:AC:3A:EA:DD:47
/* CREATE FAKE CLASS FILE AND BUILD A JAR */
c:\testrep>echo test > test.class
c:\testrep>C:\oracle\dev10gr2\jdk\bin\jar cf0 test_applet.jar test.class
/* SIGN THE JAR */
c:\testrep>C:\oracle\dev10gr2\jdk\bin\jarsigner -verbose -storetype pkcs12 -keystore mystore.p12 test_applet.jar "id de yann39"
Enter Passphrase for keystore: ********
updating: META-INF/MANIFEST.MF
adding: META-INF/ID_DE_YA.SF
adding: META-INF/ID_DE_YA.RSA
signing: test.class
/* VERIFY THE SIGNATURE */
c:\testrep>C:\oracle\dev10gr2\jdk\bin\jarsigner -verify -verbose -certs test_applet.jar
132 Wed Oct 24 17:49:52 CEST 2012 META-INF/MANIFEST.MF
185 Wed Oct 24 17:49:52 CEST 2012 META-INF/ID_DE_YA.SF
4801 Wed Oct 24 17:49:52 CEST 2012 META-INF/ID_DE_YA.RSA
0 Wed Oct 24 17:48:36 CEST 2012 META-INF/
sm 0 Wed Oct 24 17:47:46 CEST 2012 test.class
X.509, CN=Yann39, CN=794324, CN=myname, OU=Users, OU=Organic Units,
DC=myorg, DC=ch
X.509, CN=ORG Trusted Certification Authority, DC=myorg, DC=ch
X.509, CN=ORG Root CA, DC=myorg, DC=ch
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope
jar verified.
c:\testrep>
Then I load the applet in my application using the following:
<object id="mytestapplet" width="0" height="0" style="position:absolute" type="application/x-java-applet">
<param name="archive" value="https://myhost.ch/rep/test_applet.jar">
<param name="code" value="test">
<param name="scriptable" value="true">
<param name="mayscript" value="no">
</object>
I read some posts like this one: How to sign java applet with .pfx file? and it seems I should get smi when verifying the signed file from the jar, not only sm, which means the certificate was not found in the keystore.
So I thought the certificate chain was not complete, but when running the following command, I saw that it was not the case :
c:\testrep>keytool -list -v -storetype pkcs12 -keystore mystore.p12
Enter keystore password: ********
Keystore type: pkcs12
Keystore provider: SunJSSE
Your keystore contains 1 entry
Alias name: id de yann39
Creation date: Oct 24, 2012
Entry type: keyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=Yann39, CN=794324, CN=myname, OU=Users, OU=Organic Units,
DC=myorg, DC=ch
Issuer: CN=ORG Trusted Certification Authority, DC=myorg, DC=ch
Serial number: 12d21eb200200000a02b
Valid from: Mon Jun 25 14:16:00 CEST 2011 until: Wed Jun 24 14:16:00 CEST 2013
Certificate fingerprints:
MD5: D7:E3:83:1D:C1:41:78:72:5F:A8:6D:BD:3A:ED:DD:48
SHA1: 24:31:1D:25:02:98:0D:F8:28:6A:F1:0E:E8:BB:04:7E:51:E2:E9:66
Certificate[2]:
Owner: CN=ORG Trusted Certification Authority, DC=myorg, DC=ch
Issuer: CN=ORG Root CA, DC=myorg, DC=ch
Serial number: 601fab4c000000000003
Valid from: Tue Oct 02 11:36:53 CEST 2006 until: Mon Oct 02 11:47:53 CEST 2016
Certificate fingerprints:
MD5: 51:A1:EA:33:21:2C:71:60:A1:6F:F1:22:92:A8:51:8D
SHA1: 66:CD:70:13:27:68:F3:C2:08:F3:BE:5F:BF:D4:17:BD:85:9D:10:65
Certificate[3]:
Owner: CN=ORG Root CA, DC=myorg, DC=ch
Issuer: CN=ORG Root CA, DC=myorg, DC=ch
Serial number: 7dc0d089138d1d804b2e68e21b947412
Valid from: Tue Oct 02 10:55:19 CEST 2006 until: Sat Oct 02 11:01:47 CEST 2026
Certificate fingerprints:
MD5: A2:CE:DC:7D:F5:60:D7:2C:5E:B5:29:74:9D:51:F9:49
SHA1: DA:D8:7F:63:95:90:A2:E4:D4:1D:B9:48:FD:F4:C3:5C:FC:2B:B6:A3
*******************************************
*******************************************
c:\testrep>
The chain seems good.
But I still get the security warning with an "UNKNOWN" Publisher. Why ?
EDIT 25-OCT-2012
I forgot to say that it works using Internet Explorer ("Signature has been verified" and Publisher is "Yann39"), not using Chrome or Firefox.
I tried using a self-signed certificate :
keytool -genkey -alias myalias -storetype PKCS12 -keystore mykeystore.p12 -dname "cn=Yann39, ou=UN, o=ORG, st=Geneva, c=CH"
keytool -list -v -storetype pkcs12 -keystore mykeystore.p12
echo test > test.class
C:\oracle\dev10gr2\jdk\bin\jar cf0 myapplet.jar test.class
C:\oracle\dev10gr2\jdk\bin\jarsigner -verbose -storetype pkcs12 -keystore mykeystore.p12 myapplet.jar "myalias"
C:\oracle\dev10gr2\jdk\bin\jarsigner -verify -verbose -certs myapplet.jar
It does not work in IE, Firefox or Chrome, which is normal.
I tried to add the 2 trusted certificates from my organisation but it failed :
keytool -import -alias "myalias_root" -file ORGRooTCA.crt -storetype pkcs12 -keystore mykeystore.p12
keytool -import -alias "myalias_auth" -file ORGTrustedCertificationAuthority.crt -storetype pkcs12 -keystore mykeystore.p12
with the error :
keytool error: java.security.KeyStoreException: TrustedCertEntry not supported
I still don't understand why it says that the certificate was not found in the keystore (sm) when verifying the signature.
EDIT 02-NOV-2012
I finally got a reply from my Certification Authority. As code signing certificates are provided for test only (not officially supported in our organisation), they don't provide any help and they closed my ticket...
The 2 certificates ORG Root CA and ORG Trusted Certification Authority are trusted in the 3 browsers (IE, Firefox, Chrome). When running my applet I still get the expected result in IE :
Name: applettest
Publisher: Yann39
From: https://myhost.ch
But not in Firefox and Chrome :
Name: test
Publisher: UNKNOWN
From: https://myhost.ch
Another strange thing is that as you see IE is referencing as “Name” the id of the <object> tag used in the HTML (applettest), while Firefox and Chrome are referencing the name of the main class (test).
What I think is that it is the same thing for the Publisher: IE is looking at the CN RDN (Yann39) while Firefox and Chrome are looking at the O RDN and cannot find one, as it is not defined in my certificate.
If anyone has more information about how browsers check the certificates please share.
Thanks.
If you have your own CA and sign applets with certificates issued by that CA, then you obviously need to add that CA's certificate to the list of trusted certificate authorities.
When running inside IE, the Java plugin seems to be able to use the system list of CAs, so you just need to add your CA certificate to the system certificate storage (be sure to manually choose the certificate destination as a trusted CA during the import).
When running inside Chrome or Firefox, the Java plugin for some reason does not use system certificate storage, but only its own separate certificate storage. You will get the "insecure" security warning with "UNKNOWN" publisher when running applet in these browsers if the CA's certificate is not present in the Java plugin certificate storage, regardless of whether it is in the "trusted CA" system certificate storage.
To add a certificate to Java plugin storage:
open Java control panel
select "Security" tab
click "manage Certificates..." button
select "Signer CA" option in the "Certificate type" combo-box.
import your CA's certificate
The next time you use Chrome or Firefox to run your applet, you will have a normal "secure" security warning with the option to trust that applet forever.
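What the k and i flags of jarsigner -verify -certs report, and what the plugin decides before it shows a publisher, is whether the signer chain reaches a certificate in one particular trust store. The following Java program is an added example, not part of the answer: it opens the signed JAR with verification enabled and reports, for every signed entry, whether its signer chain ends at (or is issued by) a certificate in the trust store given on the command line. Run it once against the JRE's lib/security/cacerts and once against the store the Java plugin uses for Signer CAs (its location is not given on this page; find it through the Java Control Panel) to see the two verdicts the browsers produce. Paths and the store password are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Answers the question behind jarsigner's k/i flags and the plugin's "UNKNOWN" publisher:
 * does the JAR's signer chain reach a certificate in a GIVEN trust store? Run it against
 * the JRE's lib/security/cacerts and against the Java plugin's own store to see the two
 * verdicts side by side. Added example, not from the page; paths and password are
 * assumptions (omit the password to load a store without the integrity check).
 *   java CheckJarSigner test_applet.jar /path/to/jre/lib/security/cacerts changeit
 */
public class CheckJarSigner {
    public static void main(String[] args) throws Exception {
        char[] pass = args.length > 2 ? args[2].toCharArray() : null;
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(args[1]))) {
            trust.load(in, pass);
        }
        try (JarFile jar = new JarFile(args[0], true)) { // true: verify signatures while reading
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                // CodeSigners are only available after the entry has been read to the end.
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    System.out.println(entry.getName() + ": UNSIGNED");
                    continue;
                }
                for (CodeSigner s : signers) {
                    X509Certificate leaf = (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
                    String anchor = anchorAlias(s, trust);
                    System.out.println(entry.getName() + ": signed by " + leaf.getSubjectX500Principal()
                            + (anchor != null ? " -> trusted via store alias '" + anchor + "'"
                                              : " -> no trusted CA in this store (publisher shows as UNKNOWN)"));
                }
            }
        }
    }

    /**
     * Alias of the store certificate that is part of the signer's chain or that issued its
     * top certificate; null when the chain never reaches the store.
     */
    static String anchorAlias(CodeSigner signer, KeyStore trust) throws Exception {
        List<? extends Certificate> chain = signer.getSignerCertPath().getCertificates();
        X509Certificate top = (X509Certificate) chain.get(chain.size() - 1);
        for (Enumeration<String> e = trust.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = trust.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate ca = (X509Certificate) c;
            if (chain.contains(ca)) return alias; // the CA itself travels in the JAR's chain
            if (ca.getSubjectX500Principal().equals(top.getIssuerX500Principal())) {
                try {
                    top.verify(ca.getPublicKey());
                    return alias;
                } catch (Exception wrongKey) { /* same name, different CA: keep looking */ }
            }
        }
        return null;
    }
}
```

For the JAR in the question the chain itself is complete (three certificates, up to ORG Root CA), so the program prints "signed by CN=Yann39, ..." for test.class either way; the verdict flips from "no trusted CA in this store" to "trusted via store alias" only for the store that actually contains the organisation's root, which is the difference between the IE and the Firefox/Chrome behaviour described above.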
You need to add CA certificates (up to the root CA) to your p12 file before signing.
The same strange "UNKNOWN" message appeared when I changed my signing certificate. I imported the certificate of my signing keystore into cacerts (so that my self-signed jar would be accepted), but the Java cache held the old jar file. Then when starting the "old" applet with the "new" certificate, a message similar to the one above appeared.
Solution: clear the Java cache (via the Java control panel or javaws -uninstall).
This is just in case someone (like myself) stumbles upon this thread while searching for this error message.
I tried to add the 2 trusted certificates from my organisation but it failed :
Emm... all seems quite unclear, because you demo the signing process from the certs import only...
I tried using a self-signed certificate. It does not work in IE, Firefox or Chrome, normal. I tried to add the 2 trusted certificates from my organisation but it failed :
Of course it failed, because you cannot import certs to get a chain for non-original keys. And coming back to your test case...
All I can see in your test case are things like:
A) You generate maybe myalias, or maybe myalias_root and myalias_auth key(s) - give more details here
B) You try to import ORGRooTCA and ORGTrustedCertificationAuthority
C) You try to sign a test jar
In step B you try to import 2 certs. So I must ask:
Were the two certs generated by using the myalias_root and myalias_auth CSR(s)?
If they weren't, I suppose you just skipped some steps, as follows:
A) Generate myalias_root and myalias_auth key(s)
B) Generate CSRs for myalias_root and myalias_auth
C) Generate certs ORGRooTCA and ORGTrustedCertificationAuthority by using the myalias_root and myalias_auth CSR(s)
D) Import the certs as ORGRooTCA and ORGTrustedCertificationAuthority to get the chain
E) Try to sign a test jar
And once again...
I tried to add the 2 trusted certificates from my organisation but it failed :
As a result, I can advise you to:
A) Get not only the certs from your organization but also the keystore keys the certs were generated from
B) Or generate your own keys and your own certs by following the previously mentioned ABCDE steps :)
I requested a certificate and they provided me a link to get it into the browser. Then I exported it (from Firefox) to get the PKCS#12 file that I named mystore.p12.
You manually imported it and then you exported it as described here?
OK... it is quite interesting. If you are still sure all things in your pfx are right :S I'll still replay your jarsigner demo. So you sign the test_applet.jar as
/* SIGN THE JAR */
c:\testrep>C:\oracle\dev10gr2\jdk\bin\jarsigner -verbose -storetype pkcs12 -keystore mystore.p12 test_applet.jar "id de yann39"
Enter Passphrase for keystore: ********
updating: META-INF/MANIFEST.MF
adding: META-INF/ID_DE_YA.SF
adding: META-INF/ID_DE_YA.RSA
signing: test.class
... it's a pretty standard signing way, but I want to point out a little detail... I cannot see where jarsigner demands you enter the "id de yann39" private key password :S ? All I can see is you entering the keystore password only... Is the step skipped in your copy-paste version, or does jarsigner really not demand you enter the key password?
As a trial, I recommend you try signing your jar using the -keypass arg, as in this example:
jarsigner -keystore C:\working\mystore -storepass myspass -keypass dukekeypasswd MyJarFile.jar duke
For more details see the jarsigner docs...
I didn't make any changes to the certificate, so yes, I guess it is the original private key? About your edit: yes, I exported it as described in your link, but I used "backup all", not "backup" only, else I don't get the whole certificate chain in my .p12 file. About signing the .jar file, I didn't skip anything; jarsigner only asks me for the keystore password. I think keystore password and private key password are the same,
If you generated keys in your keystore with keytool you must know that the keystore has its password and newly generated private key(s) should have their own password; so I suppose maybe something is missing here :S It would be interesting if you A) import your pfx into IE and export it with IE as described here, following the "Yes, export the private key" instructions + "Include all certificates in the certification path if possible".
P.S.
Please comment if that was helpful