Java Security

jarsigner -certchain ?

shoening-OracleMay 13 2014 — edited May 19 2014

Hi,

I am trying to set up signed jar files for Java Webstart. (Using Java 1.8.0_05 on a Linux box)

In a first test - which works - I have created a 'CA Certificate' and a 'Signer Certificate'. The 'Signer Certificate' is signed using the private key of the CA Certificate.

The 'CA Certificate' is stored inside a keystore named 'ca_keystore.jks' using alias 'My Personal CA'.

The 'Signer Certificate' is stored inside a keystore named 'signer_keystore.jks' using alias 'Signer'.

I have added the 'CA Certificate' to the cacerts file (${JRE_HOME}/lib/security/cacerts).

This way I can sign any Jar file via:

jarsigner -tsa https://timestamp.geotrust.com/tsa -keystore signer_keystore.jks -storepass XXXXXXX my-app.jar signer

This did not produce any Warnings or Error messages.

But now to my problem:

I created another set of keypairs/certificates - this time with an intermediate CA. So I have now:

'Root CA' -------------> 'Intermediate CA' ---------------> 'Signer'

Again I have added the 'Root CA' to the cacerts file and I have a Keystore 'signer_keystore.jks' which contains the signer's keypair/certificate - but not the intermediate CA certificate and not the root CA certificate.

Additionally I have created a 'cert-chain.der' file containing the concatenated DER Encodings of the 'Signer Certificate', 'Intermediate Certificate', 'Root CA Certificate'

When I try to sign a jar using

jarsigner -tsa https://timestamp.geotrust.com/tsa -keystore signer_keystore.jks -storepass XXXXXXX -certchain cert-chain.der my-app.jar signer

I am getting a warning message 'The signer's certificate chain is not validated.'

Is there any documentation with more details on how to create the file provided as parameter for the "-certchain" option?

Does anyone have a working example on how to deal with a case like mine, where the trust chain from the leaf certificate to the root certificate contains intermediate certificates?

Thanks in advance

Stefan

This post has been answered by shoening-Oracle on May 19 2014
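
Added example (not part of the original post and not Oracle's code): a Python check that splits a file of concatenated DER certificates, laid out like the cert-chain.der described in the question, and reports every place where a certificate's issuer name does not match the subject name of the certificate that follows it. It compares names only and verifies no signatures; the sample bytes are constructed, unsigned skeletons, and all function names are illustrative.

```python
# Structural check only: follows issuer/subject names, verifies no signatures.
def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    if pos + 2 > len(buf) or buf[pos + 1] == 0x80:
        raise ValueError("truncated or non-DER element header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: n length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):               # yields (tag, raw element bytes)
    while start < end:
        tag, _, stop = read_tlv(buf, start)
        yield tag, buf[start:stop]
        start = stop

def names(cert):                             # raw DER (issuer, subject) Names
    _, s, _ = read_tlv(cert, 0)              # Certificate ::= SEQUENCE
    _, s, e = read_tlv(cert, s)              # TBSCertificate ::= SEQUENCE
    f = [raw for _, raw in children(cert, s, e)]
    f = f[1:] if cert[s] == 0xA0 else f      # skip optional [0] version
    return f[2], f[4]                        # after serial and signature alg

def chain_problems(blob):                    # links where i is not issued by i+1
    entries = list(children(blob, 0, len(blob)))
    if any(tag != 0x30 for tag, _ in entries):
        raise ValueError("entry is not a DER SEQUENCE (PEM text?)")
    certs = [names(raw) for _, raw in entries]
    return ["certificate %d is not issued by certificate %d" % (i, i + 1)
            for i in range(len(certs) - 1) if certs[i][0] != certs[i + 1][1]]

# Constructed sample data: unsigned certificate skeletons, not real certificates.
def _tlv(tag, v):
    size = bytes([len(v)]) if len(v) < 0x80 else bytes([0x81, len(v)])
    return bytes([tag]) + size + v
def _name(cn):
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))
def _skeleton(subject, issuer):
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"")
           + _name(issuer) + _tlv(0x30, b"") + _name(subject) + _tlv(0x30, b""))
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, bytes(130)))
INT_CN, ROOT_CN = "Intermediate CA", "Root CA"
SIGNER, INTER, ROOT = (_skeleton("Signer", INT_CN), _skeleton(INT_CN, ROOT_CN),
                       _skeleton(ROOT_CN, ROOT_CN))
GOOD = SIGNER + INTER + ROOT                 # order described in the post
SWAPPED = SIGNER + ROOT + INTER              # constructed mis-ordered file
```

An empty result means only that the names link up in file order; whether the chain is trusted is still decided by jarsigner against its own trust anchors.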

Comments

Hi @"NETCJ"

Your domain registrations have migrated to name.com. We're no longer offering domain registrations. Domains will show up as blocked, and this is normal. Rest assured your domains are still functioning. Please use the following link to claim your domain with name.com and manage your services: https://www.name.com/welcome-to-name?cb=dyn_domino

Please note, we are no longer able to access or maintain your domains.

Mike

Oracle + Dyn

NETCJ

I tried that link and I entered my domain the response was ...

Sorry, but we do not have any record of this domain. Make sure there are no typos or check your Whois record to see which registrar your domain is at.

NETCJ

I should also add that the domain is functioning fine.

You will need to reach out to name.com support then, as we are no longer able to access or maintain your domains. They can be reached via https://www.name.com/dyn-help

NETCJ

I never received an email on the 4th of December. In 2017 I paid for service until 2022. the whois still shows DYN as the registrar. I do not have a login for name.com?

As I have shared, you will need to follow the link shared above to claim domains. If you are still unable to claim them, you will need to contact name.com support, as we (Oracle + Dyn) are no longer able to access or maintain your domains.

If you have paid for your domain until 2022 then you will still have it until then.

Mike

Oracle + Dyn

NETCJ

I filled out a support request with name.com and the reply was to log into my name.com account. But I don't have a name.com account? this is kinda funny LOL

Michael.R.Taylor-Oracle

Using the link I provided above (https://www.name.com/dyn-help) I was able to submit a support request without logging into any accounts.

Please use this link as shared previously to contact name.com support.

Mike

Oracle + Dyn

NETCJ

I did that Mike thanks for your help.

I am waiting for the reply I guess I am just not patient enough.

NETCJ

Still waiting on this ticket 2 days later for a simple club website. Went with DYN because of their stellar reputation and they were local. I cannot believe how I have been treated by Oracle and Name.com, this is unbelievable. Thanks a lot, Mike.

aplss30

Oracle does not appear to be interested in helping. We have been trying to transfer our domain since approximately December 20 after removing the locks put in place by name.com, but there remains a "Registry" lock put in place by Oracle America, Inc. There is no excuse for this and it needs to be resolved immediately.

I would encourage you to file a complaint with ICANN (Internet Corporation for Assigned Names and Numbers): https://forms.icann.org/en/resources/compliance/complaints/transfer/form

Other complaint forms that may be relevant: https://www.icann.org/compliance/complaint

We have submitted a complaint and will continue exploring all avenues, including legal if needed, available to us until we get this issue resolved.


Post Details

Locked on Jun 16 2014
Added on May 13 2014