How to sign java applet with .pfx file?

予麋鹿 2021-01-13 18:39

I was trying to sign a jar applet archive with our company .pfx certificate using this guide
(and a few others from the internet):
http://www.globalsign.com/support/or

2 answers
  • 2021-01-13 19:06

    Thanks a lot to all, especially Jcs :)
    I finally discovered that the .pfx file was just imported improperly.
    I asked my boss to import it for me from scratch with all possible paths/chains/certificates included and now it works :)
    So if anyone has a similar problem, my advice is to try to get/import the certificate again
    - it's rather a problem with the certificate itself than with the signing method.

    0 Discussion (0)
  • 2021-01-13 19:16

    According to your post, it seems that there is only one certificate in the signature certificate chain. I verified an applet I signed (this applet works correctly in a browser):

    (...)
    sm      2419 Thu Mar 31 15:49:14 CEST 2011 org/xml/sax/helpers/XMLReaderFactory.class
    
          X.509, CN=Company Name, O=Company Name, L=Paris, ST=Ile de France, C=FR
          [certificate is valid from 8/4/10 2:00 AM to 8/4/12 1:59 AM]
          X.509, CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US
          [certificate is valid from 2/8/10 1:00 AM to 2/8/20 12:59 AM]
          [KeyUsage extension does not support code signing]
    
    (...)
    

    We can see that there are 2 certificates in the chain, since my signing certificate has been issued by the Thawte Code Signing CA.

    In your case, if there is only one certificate in the jarsigner output, it may indicate that the intermediate CA is missing, and I highly doubt that GlobalSign is directly issuing certificates from the root CA (which is in the Java trust store). Therefore, when the applet is loaded and the signatures are verified, the JVM is not able to rebuild a certificate chain between the signing certificate and the GlobalSign root CA, explaining the current behaviour.

    Maybe the PFX file does not contain that intermediate CA. With OpenSSL you can check how many certificates are present:

    [jcs@home:~/]$ openssl pkcs12 -in myfile.pfx
    

    or with keytool:

    [jcs@home:~/]$ keytool -list -v -storetype pkcs12 -keystore myfile.pfx
    Enter keystore password:  
    Keystore type: PKCS12
    Keystore provider: SunJSSE
    
    Your keystore contains 1 entry
    
    Alias name: 2
    Creation date: Aug 4, 2010
    Entry type: PrivateKeyEntry
    Certificate chain length: 2     <--  the chain length is here.
    Certificate[1]:
    (...)
    
    0 Discussion (0)
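
One way to turn the keytool check from the answer above into a pre-signing gate, as an added example that is not part of the original answers: `check_chain` (a hypothetical helper name) reads `keytool -list -v` output and fails when a private-key entry carries only the leaf certificate. It assumes a CA-issued code-signing certificate, so a chain shorter than 2 means the intermediate CA is missing; the sample text is constructed.

```bash
# Added example: fail a signing job early if the PKCS#12 keystore lacks the
# issuing chain. check_chain and both samples are hypothetical/constructed.

# Reads `keytool -list -v` output on stdin.
# Prints one line per PrivateKeyEntry: "<alias> <chain length> OK|INCOMPLETE".
# Returns 1 if any such entry has a chain shorter than 2 (assumption: the
# certificate was issued by a CA, not self-signed) or if no entry was found.
check_chain() {
  awk '
    /^Alias name: /  { alias = substr($0, 13); type = ""; next }
    /^Entry type: /  { type = $3; next }
    /^Certificate chain length: / && type == "PrivateKeyEntry" {
      n = $4 + 0; seen++
      status = (n >= 2) ? "OK" : "INCOMPLETE"
      if (n < 2) bad++
      printf "%s %d %s\n", alias, n, status
    }
    END { exit (seen == 0 || bad > 0) ? 1 : 0 }
  '
}

# Constructed sample: leaf plus intermediate, as in the answer above.
sample_full='Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

Alias name: 2
Creation date: Aug 4, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:'

# Constructed sample: only the signing certificate was exported.
sample_leaf_only='Alias name: codesign
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:'

# Typical use before calling jarsigner:
#   keytool -list -v -storetype pkcs12 -keystore myfile.pfx | check_chain || exit 1
```
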