I was trying to sign a jar applet archive with our company .pfx certificate using this guide
(and a few others from the internet):
http://www.globalsign.com/support/or
According to your post, it seems that there is only one certificate in the signature certificate chain. I verified an applet I signed (this applet works correctly in a browser):
(...)
sm 2419 Thu Mar 31 15:49:14 CEST 2011 org/xml/sax/helpers/XMLReaderFactory.class
X.509, CN=Company Name, O=Company Name, L=Paris, ST=Ile de France, C=FR
[certificate is valid from 8/4/10 2:00 AM to 8/4/12 1:59 AM]
X.509, CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US
[certificate is valid from 2/8/10 1:00 AM to 2/8/20 12:59 AM]
[KeyUsage extension does not support code signing]
(...)
We can see that there are 2 certificates in the chain since my signing certificate has been issued by the Thawte Code Signing CA.
In your case, if there is only one certificate in the jarsigner output, it may indicate that the intermediate CA is missing, and I hardly doubt that GlobalSign is directly issuing certificates from the root CA (which is in the Java trust store). Therefore, when the applet is loaded and the signatures are verified, the JVM is not able to rebuild a certificate chain between the signing certificate and the GlobalSign root CA, explaining the current behaviour.
Maybe the PFX file does not contain that intermediate CA. With OpenSSL you can check how many certificates are present:
[jcs@home:~/]$ openssl pkcs12 -in myfile.pfx
or with keytool:
[jcs@home:~/]$ keytool -list -v -storetype pkcs12 -keystore myfile.pfx
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 1 entry
Alias name: 2
Creation date: Aug 4, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 2 <-- the chain length is here.
Certificate[1]:
(...)
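
The chain-length check described in the answer above can be scripted. This is an added example, not part of the original thread: the function name check_chain, the sample aliases and all certificate names in the sample are made up, and the parser assumes the English `keytool -list -v` field labels (Alias name, Entry type, Certificate chain length, Owner, Issuer).

```bash
#!/usr/bin/env bash
# Added example (not from the original thread). Reads `keytool -list -v` output on
# stdin and reports, per PrivateKeyEntry, the chain length and the issuer of the
# last certificate in the chain, i.e. the name the JVM still has to find in its
# trust store. Real use:
#   keytool -list -v -storetype pkcs12 -keystore myfile.pfx | check_chain
check_chain() {
  awk '
    function report() {
      if (type != "PrivateKeyEntry") return
      # One non-self-signed certificate: the issuing CA was not bundled.
      tag = (len == 1 && owner != issuer) ? "WARN" : "OK"
      printf "%s %s chain=%d issuer=%s\n", tag, alias, len, issuer
    }
    /^Alias name: /               { report(); alias = substr($0, 13); type = ""; len = 0; owner = ""; issuer = "" }
    /^Entry type: /               { type = $3 }
    /^Certificate chain length: / { len = $4 + 0 }
    /^Owner: /                    { owner = substr($0, 8) }
    /^Issuer: /                   { issuer = substr($0, 9) }
    END                           { report() }
  '
}

# Constructed sample, trimmed to the fields the parser reads (all names are made up).
sample_keytool_output() {
  cat <<'EOF'
Keystore type: PKCS12
Your keystore contains 2 entries

Alias name: signer-only
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Example Corp, O=Example Corp, C=FR
Issuer: CN=Example Code Signing CA, O=Example CA, C=US

Alias name: with-intermediate
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=Example Corp, O=Example Corp, C=FR
Issuer: CN=Example Code Signing CA, O=Example CA, C=US
Certificate[2]:
Owner: CN=Example Code Signing CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
EOF
}

sample_keytool_output | check_chain
```

A WARN line means the keystore holds only the signing certificate, so the issuer printed on that line must itself be in the Java trust store for the chain to build.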