Hi,
I am trying to set up signed jar files for Java Webstart. (Using Java 1.8.0_05 on a Linux box)
In a first test - which works - I have created a 'CA Certificate' and a 'Signer Certificate'. The 'Signer Certificate' is signed using the private key of the CA Certificate.
The 'CA Certificate' is stored inside a keystore named 'ca_keystore.jks' using alias 'My Personal CA'.
The 'Signer Certificate' is stored inside a keystore named 'signer_keystore.jks' using alias 'Signer'.
I have added the 'CA Certificate' to the cacerts file (${JRE_HOME}/lib/security/cacerts).
This way I can sign any Jar file via:
jarsigner -tsa https://timestamp.geotrust.com/tsa -keystore signer_keystore.jks -storepass XXXXXXX my-app.jar signer
This did not produce any Warnings or Error messages.
But now to my problem:
I created another set of keypairs/certificates - this time with an intermediate CA. So I have now:
'Root CA' -------------> 'Intermediate CA' ---------------> 'Signer'
Again I have added the 'Root CA' to the cacerts file and I have a keystore 'signer_keystore.jks' which contains the signer's keypair/certificate - but not the intermediate CA certificate and not the root CA certificate.
Additionally I have created a 'cert-chain.der' file containing the concatenated DER encodings of the 'Signer Certificate', 'Intermediate Certificate', 'Root CA Certificate'.
When I try to sign a jar using
jarsigner -tsa https://timestamp.geotrust.com/tsa -keystore signer_keystore.jks -storepass XXXXXXX -certchain cert-chain.der my-app.jar signer
I am getting a warning message 'The signer's certificate chain is not validated.'
Is there any documentation with more details on how to create the file provided as parameter for the "-certchain" option?
Does anyone have a working example of how to deal with a case like mine, where the trust chain from the leaf certificate to the root certificate contains intermediate certificates?
Thanks in advance
Stefan
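
An added example, not part of the original post: a structural check for a concatenated-DER file such as the 'cert-chain.der' described above. It splits the file into certificates and confirms that each certificate's issuer Name matches the subject Name of the one that follows it (signer first, as in the post). The function names are hypothetical, the sample certificates are constructed unsigned skeletons, and Names are compared byte for byte, which is a simplification.

```python
def read_tlv(buf, pos):                     # -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def split_chain(data):
    certs, pos = [], 0
    while pos < len(data):
        tag, _, end = read_tlv(data, pos)
        if tag != 0x30:                     # e.g. PEM text or trailing junk
            raise ValueError("no DER SEQUENCE at offset %d" % pos)
        certs.append(data[pos:end])
        pos = end
    return certs

def issuer_subject(cert):                   # raw DER issuer and subject Names
    _, pos, _ = read_tlv(cert, 0)           # Certificate
    _, pos, tbs_end = read_tlv(cert, pos)   # tbsCertificate
    fields = []
    while pos < tbs_end:
        tag, _, end = read_tlv(cert, pos)
        if tag != 0xA0:                     # skip the optional [0] version
            fields.append(cert[pos:end])
        pos = end
    return fields[2], fields[4]             # serial, sigAlg, issuer, validity, subject

def chain_problems(data):
    """List positions where cert i's issuer differs from cert i+1's subject."""
    names = [issuer_subject(c) for c in split_chain(data)]
    return ["cert %d is not issued by cert %d" % (i, i + 1)
            for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]

# Constructed sample data (not real certificates): unsigned skeletons, names from the post.
def tlv(tag, body):
    return bytes([tag, len(body)]) + body   # short-form lengths suffice here
def name(cn):
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
def fake_cert(subject, issuer):
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"") \
        + name(issuer) + tlv(0x30, b"") + name(subject) + tlv(0x30, b"")
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))

SIGNER = fake_cert("Signer", "Intermediate CA")
INTER = fake_cert("Intermediate CA", "Root CA")
ROOT = fake_cert("Root CA", "Root CA")
```

On a real file, pass its bytes to `chain_problems`; an empty list means only that the order is consistent, since signatures, validity dates and extensions are not checked.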