Get rid of the “UNKNOWN” publisher from applet security warning

Front-end · unresolved · 4 · 1948
名媛妹妹 2020-12-11 01:42

I'm trying to sign an applet so that the publisher does not appear as "UNKNOWN":

4 answers
  • 2020-12-11 02:08

    I tried to add the 2 trusted certificates from my organisation but it failed :

    Emm... it all seems quite unclear, because you demo the signing process only from the certs import onward...

    I tried using a self-signed certificate. It works neither in IE nor in Firefox or Chrome, normal. I tried to add the 2 trusted certificates from my organisation but it failed :

    Of course it failed, because you cannot import certs to get a chain for non-original keys. And coming back to your test case...

    All I can see in your test case are things like:

    • A) You gen maybe myalias or maybe myalias_root and myalias_auth key(s) - give more details here
    • B) You try to import ORGRooTCA and ORGTrustedCertificationAuthority
    • C) You try to sign a test jar

    In step B you try to import 2 certs. So I must ask:

    • Were the two certs generated by using myalias_root and
      myalias_auth CSR(s)?

    If they weren't, I suppose you just skipped some steps, as follows:

    • A) Gen myalias_root and myalias_auth key(s)
    • B) Gen CSR of myalias_root and myalias_auth
    • C) Gen certs ORGRooTCA and ORGTrustedCertificationAuthority by using myalias_root and
      myalias_auth CSR(s)
    • D) import the certs as ORGRooTCA and ORGTrustedCertificationAuthority to get chain
    • E) Try to sign a test jar

    And once again...

    I tried to add the 2 trusted certificates from my organisation but it failed :

    As a result, I can advise you:

    • A) Get not only the certs from your organization but also the keystore keys the certs were generated from
    • B) Or gen your own keys and your own certs by following the previously mentioned ABCDE steps :)

    I requested a certificate and they provided me a link to get it into the browser. Then I exported it (from Firefox) to get the PKCS#12 file that I named mystore.p12.

    You manually imported it and then exported it as described here?

    OK... it is quite interesting. If you are still sure everything in your pfx is right :S I'll still replay your jarsigner demo. So you sign test_applet.jar as

    /* SIGN THE JAR */
    c:\testrep>C:\oracle\dev10gr2\jdk\bin\jarsigner -verbose -storetype pkcs12 -keystore mystore.p12 test_applet.jar "id de yann39"
    Enter Passphrase for keystore: ********
     updating: META-INF/MANIFEST.MF
       adding: META-INF/ID_DE_YA.SF
       adding: META-INF/ID_DE_YA.RSA
      signing: test.class 
    

    ... it's a pretty standard way of signing, but I want to point out a little detail... I cannot see where jarsigner demands that you enter the "id de yann39" private key password :S ? All I can see is you entering the keystore password only... Is the step skipped in your copy-paste version, or does jarsigner really not demand the key password?

    As a trial, I do recommend you try signing your jar using the -keypass arg, as in this example:

    jarsigner -keystore C:\working\mystore -storepass myspass
          -keypass dukekeypasswd MyJarFile.jar duke
    

    For more details see the jarsigner docs on how to use it...


    I didn't make any changes to the certificate, so yes, I guess it is the original private key? About your edit: yes, I exported it as described in your link, but I used "backup all", not "backup" only, else I don't get the whole certificate chain in my .p12 file. About signing the .jar file, I didn't skip anything, jarsigner only asks me for the keystore password. I think the keystore password and private key password are the same,

    If you generated keys in your keystore with keytool, you must know that the keystore has its password and newly generated private key(s) should have their own password; so I suppose maybe something is missing here :S It would be interesting if you A) import your pfx into IE and export it with IE as described here: following the "Yes, export the private key" instructions + "Include all certificates in the certification path if possible"

    P.S. Please comment if that was helpful

  • 2020-12-11 02:09

    If you have your own CA and sign applets with certificates issued by that CA, then you obviously need to add that CA's certificate to the list of trusted certificate authorities.

    When running inside IE, the Java plugin seems to be able to use the system list of CAs, so you just need to add your CA certificate to the system certificate store (be sure to manually choose the certificate destination as a trusted CA during the import).

    When running inside Chrome or Firefox, the Java plugin for some reason does not use the system certificate store, but only its own separate certificate store. You will get the "insecure" security warning with "UNKNOWN" publisher when running the applet in these browsers if the CA's certificate is not present in the Java plugin certificate store, regardless of whether it is in the "trusted CA" system certificate store.

    To add a certificate to Java plugin storage:

    • open Java control panel
    • select "Security" tab
    • click "manage Certificates..." button
    • select "Signer CA" option in the "Certificate type" combo-box.
    • import your CA's certificate

    The next time you use Chrome or Firefox to run your applet, you will have a normal "secure" security warning with the option to trust that applet forever.

  • 2020-12-11 02:32

    You need to add CA certificates (up to the root CA) to your p12 file before signing.

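As an added example that is not part of any answer above, here is a small Java check (the class name ChainCheck is hypothetical) for the condition the last answer states, and for step D of the ABCDE procedure in the first answer: it loads a PKCS#12 keystore such as mystore.p12, verifies that each private-key entry's certificate chain is internally consistent (each certificate signed by the next one up), and warns when the chain stops short of a self-signed root, which is the situation that leaves jarsigner with only the leaf certificate to embed.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/** Hypothetical helper: reports whether each key entry in a PKCS#12 file carries a full chain. */
public class ChainCheck {

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java ChainCheck <mystore.p12> <storepass>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        boolean ok = true;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) continue;  // only private-key entries can sign a jar
            ok &= checkChain(alias, ks.getCertificateChain(alias));
        }
        System.exit(ok ? 0 : 1);
    }

    /** Returns true when the chain ends in a self-signed root and every link verifies. */
    static boolean checkChain(String alias, Certificate[] chain) throws Exception {
        System.out.println("alias \"" + alias + "\": chain length " + chain.length);
        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = (X509Certificate) chain[i];
            System.out.println("  [" + i + "] subject=" + c.getSubjectX500Principal());
            System.out.println("       issuer=" + c.getIssuerX500Principal());
            c.checkValidity();  // throws if the certificate is expired or not yet valid
            if (i + 1 < chain.length) {
                // each certificate must be signed by the public key of the next one up
                c.verify(chain[i + 1].getPublicKey());
            }
        }
        X509Certificate top = (X509Certificate) chain[chain.length - 1];
        boolean selfSigned = top.getSubjectX500Principal().equals(top.getIssuerX500Principal());
        if (chain.length == 1 || !selfSigned) {
            System.out.println("  WARNING: chain is only the leaf or does not end in a self-signed "
                + "root; import the intermediate/root CA certificates before signing");
            return false;
        }
        return true;
    }
}
```

A non-zero exit status means the keystore needs the CA certificates imported before it is used with jarsigner.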
  • 2020-12-11 02:33

    The same strange "UNKNOWN" Message appeared when I changed my signing certificate. I imported the certificate of my signing keystore into cacerts (so that my self signed jar would be accepted), but the java cache held the old jarfile. Then when starting the "old" applet with the "new" certificate, a message similar to the one above appeared.

    Solution: clear the java cache (via java control panel or javaws -uninstall).

    This is just in case someone (like myself) stumbles upon this thread while searching for this error message.
