I need to be able to sign jar files with a certificate from a CA.
I followed the instructions from GoDaddy's documentation on how to do this: http://support.godaddy.com/help/article/4780/signing-java-code
However, step 3 requires importing a cert file obtained from GoDaddy's web site. Per the documentation, the command is:
keytool -import -trustcacerts -keystore codesignstore -storepass <yourstorepwd> -alias codesigncert -file mycert.cer
Although I successfully submit the CSR (generated by keytool) and get a response, I can't for the life of me figure out how to get the mycert.cer file. There is an option to download a PEM file. But after running the above command, I get the error "keytool error: java.lang.Exception: Incomplete certificate chain in reply". I've tried this multiple times, and double-checked I'm using the proper keystore. I've even tried re-keying using both SHA-1 one time, and then SHA-2 the other time. According to this person (https://stackoverflow.com/questions/20793254/signing-a-jar-the-signers-certificate-chain-is-not-validated?rq=1), they were able to at least successfully import the PEM file. But I'm not sure if this is even the right approach.
GoDaddy's tech support has been absolutely dreadful. Most of the techs I've talked to aren't familiar with keytool at all, and it took me several tries calling them before they forwarded me to their SSL department (480-505-8852), which is at least marginally better than general support.
If I use Internet Explorer or Firefox, I believe I can automatically generate a CSR instead of creating one through keytool. Then I'd export the certificate through the web browser. From reading various other online documents, I believe I could then use openssl to convert to the proper format for keytool. I'm not sure on the details of how this will work yet, but I don't see any other options.
Has anyone been successful with this or have any pointers on how to proceed? I found a similar question here (Signing a java applet with an spc file from GoDaddy), but the answer simply points me to GoDaddy's poor documentation. I would use another CA if I could, but I've already paid the money and gone through the long, drawn-out verification process.
The workaround is to contact GoDaddy and have them reissue your organization's certificate. During the certificate setup process, you must select a SHA-1 codesign certificate instead of SHA-2. The option to select SHA-1 will only be available if your certificate validity does not extend to 2016 (see below), so make sure they understand your end goal is to recreate your SHA-2 certificate as SHA-1, so they know to sell you a cert with the correct validity period.
I traded my SHA-2 cert for a SHA-1 today, and GoDaddy's Java Code Signing instructions worked perfectly.
GoDaddy informed me Keytool may have trouble importing a certificate response chain generated from their SHA-2 (2048 length) codesign certificate. I withhold judgment of Keytool since it imports SHA-2 certs fine when GoDaddy's root SHA-1 cert is lopped from the PEM file per @mogsie's answer.
GoDaddy goes with SHA-2 automatically when it grants codesign certificates that will extend into 2017 because Microsoft will not accept less than SHA-2 beginning January 1, 2016, so if you're in the market for a SHA-1 certificate, it will have short-term validity.
The issue might go away with a Java Keytool update (I was working with 1.6), or if GoDaddy's Sha256withRSA self-signed certificate becomes widely trusted.
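To act on the remark above about lopping the root certificate from the PEM reply, here is an added shell example (not code from this thread, from GoDaddy, or from keytool's documentation) that counts the certificate blocks in a PEM bundle and writes a copy without the last block. It assumes the bundle is ordered leaf first and root last, and the bundle contents below are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example: drop the trailing (root) certificate from a PEM bundle so the
# CA reply imported with "keytool -import -trustcacerts" contains only the
# leaf and intermediate(s). Assumption: the bundle is ordered leaf first,
# root last, which is the usual order in a downloaded PEM chain.

# Constructed sample bundle: three PEM blocks standing in for leaf,
# intermediate and root. The bodies are placeholders, not real certificates.
SAMPLE_BUNDLE="$(mktemp)"
cat > "$SAMPLE_BUNDLE" <<'EOF'
-----BEGIN CERTIFICATE-----
LEAFPLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATEPLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ROOTPLACEHOLDER
-----END CERTIFICATE-----
EOF

# count_certs FILE: number of certificate blocks in a PEM file (0 if none)
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# drop_last_cert IN OUT: write IN to OUT without its final certificate block.
# Refuses to act on a bundle with fewer than two certificates, since there
# would be nothing left to import.
drop_last_cert() {
    total=$(count_certs "$1")
    if [ "$total" -lt 2 ]; then
        echo "drop_last_cert: $1 has $total certificate(s), nothing to trim" >&2
        return 1
    fi
    keep=$((total - 1))
    awk -v keep="$keep" '
        /^-----BEGIN CERTIFICATE-----/ { n++ }
        n <= keep { print }
    ' "$1" > "$2"
}

TRIMMED="$(mktemp)"
drop_last_cert "$SAMPLE_BUNDLE" "$TRIMMED"
echo "kept $(count_certs "$TRIMMED") of $(count_certs "$SAMPLE_BUNDLE") certificates in $TRIMMED"
# With a real reply, import the trimmed file as in the GoDaddy instructions:
# keytool -import -trustcacerts -keystore codesignstore -storepass <yourstorepwd> \
#         -alias codesigncert -file "$TRIMMED"
```

Check the trimmed file with a certificate viewer before importing it, so you are certain the block you removed really was the self-signed root and not an intermediate.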
The answer, as mentioned by Waterbear, is to have your GoDaddy cert reissued or rekeyed by GoDaddy using SHA-1. The reason is that GoDaddy has two CA servers: Class 2 CA, which is used for signing SHA-1 certificates, and G2 CA, which is used for signing SHA-2 certificates. While the older Class 2 CA is trusted by the Java Truststore (and thus SHA-1 certificates are trusted), the newer G2 CA is not, so its SHA-2 certificates are not trusted unless you manually install its root certificate (which defeats the purpose of buying a cert in the first place). Hopefully GoDaddy's G2 CA becomes trusted by the Java Truststore soon (before 2016!), but until that happens a GoDaddy SHA-2 cert is no better than a self-signed cert.
Since I enjoyed (not) the process of creating a codesigning certificate so much, I thought I would share the process I went through, and hopefully when you need to generate your own, this will save you some of the heartache and pain.
I used GoDaddy, but I have to believe whoever the CA is, the steps should be very similar.
These are the steps I went through:
(note that godaddy does not create a codesigning certificate in jks format and there is an extra step involved to convert the keystore to jks)
keytool -genkey -alias codesigncert -keypass yourpassword -keyalg RSA -keysize 2048 -dname "cn=server1.lccc.edu, OU=College Name, O=College Name, L=Schnecksville, ST=Pennsylvania, C=US" -keystore /home/oracle/codesignstore/codesignstore -storepass yourpassword -validity 720 (storepass and keypass can be the same)
keytool -certreq -v -alias codesigncert -file /home/oracle/codesignstore/codesignstore.pem -keystore /home/oracle/codesignstore/codesignstore
when GoDaddy verifies the account and you pay your money, the 'pending' status will go away
go to your GoDaddy account (https://mya.godaddy.com/)
click on myaccount at the top of the page (in the black header)
click on manage SSL Certificates
select the codesigning certificate listed
click on the Launch button
download the file as a PEM file
save it on your local pc
certificate should be listed on the managed views.
highlight the certificate and select backup (export) and save it as a pkcs12 file
click on view certificates at the top of the screen; next to certificate viewer is the alias in double quotes, write this down, it will be the alias to be used on the jarsigner command below
used: (e.g. server1 /home/oracle/code_sign_cert_from_godaddy/godaddy_pkcs12.p12) * this is the new keystore
since the keystore has to be of the type jks, and GoDaddy doesn't create a jks file, it has to be converted to jks format
keytool -importkeystore -srckeystore /home/oracle/code_sign_cert_from_godaddy/godaddy_pkcs12.p12 -srcstoretype pkcs12 -destkeystore /home/oracle/code_sign_cert_from_godaddy/godaddy_jks.jks -deststoretype jks
unsign jacob.jar... I copied the jacob.jar file to a test directory /test_jacob and renamed it jacob1.jar (note 760815.1)
jar xf jacob1.jar
extracts into "com" and "META-INF" folders, remove the "META-INF" folder
remove the old jacob1.jar
recreate the jacob1.jar from the /test_jacob directory
jar -cvf jacob1.jar *
run jarsigner -verify jacob1.jar, should show unsigned.
create a text file called mymanifest.txt
Permissions: all-permissions
Codebase: *
Application-Name: OracleForms
jar -ufm jacob1.jar mymanifest.txt (this puts the new manifest info into the jar file)
you can open jacob1.jar with unzip jacob1.jar -d <directory where unzip will extract to> to verify that the mymanifest.txt file is now part of the jar file.
jarsigner -keystore /home/oracle/code_sign_cert_from_godaddy/godaddy_jks.jks -storepass yourpassword -signedjar /home/oracle/Oracle/Middleware/Oracle_FRHome1/forms/java/test_jacob/Signedjacob1.jar jacob1.jar "lehigh carbon community college's godaddy.com, inc. id" (this alias came from the Firefox process above)
there is no -alias option as there was on the keytool command
jarsigner -verify Signedjacob1.jar will display:
jar verified.
jar -tvf Signedjacob1.jar
lists the signature files, which are also inside the .jar file:
2721 Mon May 05 15:57:08 EDT 2014 META-INF/LEHIGH_C.SF
4231 Mon May 05 15:57:08 EDT 2014 META-INF/LEHIGH_C.RSA
I copied the Signedjacob1.jar file to the $ORACLE_HOME/forms/java directory and then, after logging in to the WebLogic Enterprise Manager,
I changed the webutilarchive parameter from Jacob.jar to Signedjacob1.jar for each instance
(em >> forms >> web configuration >> instance name >> all; the first entry should be the archive parameter)
When changing the jacob.jar to the Signedjacob1.jar, I did it for each of my test instances before I did it for production, just in case.
Stop and start wls_forms and you should be good to go.