Get rid of the “UNKNOWN” publisher from applet security warning

Question

I\'m trying to sign an applet so that the publisher does not appear as \"UNKNOWN\" :

Answer 1

I tried to add the 2 trusted certificates from my organisation but it failed :

Emm... all seems quite unclear because you demo the signing process since certs import only...

I tried using a self-signed certificate It does not work neither in IE nor in Firefox or Chrome, normal. I tried to add the 2 trusted certificates from my organisation but it failed :

Of course, it failed. Because you cannot import certs to get chain for non-original keys. And coming back to your test case...

All I can see in your test case things like:

• A) You gen maybe myalias or maybe myalias_root and myalias_auth key(s) - give more details here
• B) You try to import ORGRooTCA and ORGTrustedCertificationAuthority
• C) You try to sign a test jar

In step B You try to import 2 certs. So I must ask

• Were the two certs generated by using myalias_root and
  myalias_auth CSR(s)?

If they weren't so I suppose you just skipped some steps as follows:

• A) Gen myalias_root and myalias_auth key(s)
• B) Gen CSR of myalias_root_root and myalias_auth
• C) Gen certs ORGRooTCA and ORGTrustedCertificationAuthority by using myalias_root and
  myalias_auth CSR(s)
• D) import the certs as ORGRooTCA and ORGTrustedCertificationAuthority to get chain
• E) Try to sign a test jar

And once again...

I tried to add the 2 trusted certificates from my organisation but it failed :

As a result, I can advice you

• A) Get not only certs from your organization but also its keystore keys the certs were generated of
• B) Or gen your own keys and your own certs by following the previously mentioned ABCDE steps :)

---

I requested a certificate and they provided me a link to get it into the browser. Then I exported it (from Firefox) to get the PKCS#12 file that I named mystore.p12.

You manually imported it and then you exported it as described here ?

OK... it is quite interesting. If you still sure all things in your pfx right :S still I re-play the your jarsigner using demo. So you sign the test_applet.jar as

/* SIGN THE JAR */
c:\testrep>C:\oracle\dev10gr2\jdk\bin\jarsigner -verbose -storetype pkcs12 -keystore mystore.p12 test_applet.jar "id de yann39"
Enter Passphrase for keystore: ********
 updating: META-INF/MANIFEST.MF
   adding: META-INF/ID_DE_YA.SF
   adding: META-INF/ID_DE_YA.RSA
  signing: test.class 

... it's pretty standard signing way but I want to point a little detail... I cannot see where jarsigner demands you to enter the "id de yann39" private key password :S ? All I can see you enter keystore password only ... Is the step skipped in your copy-paste version or jarsigner is really doesn't demand you to enter key password?

As a trial, I do recommend you to try sign your jar using -keypass arg as (see example)

jarsigner -keystore C:\working\mystore -storepass myspass
      -keypass dukekeypasswd MyJarFile.jar duke

For more details see how to use jarsigner docs...

---

I don't made any changes to the certificate, so yes I guess it is the original private key ? About your edit: yes I exported it as described in your link, but I used "backup all", not "backup" only, else I don't get the whole certificate chain in my .p12 file. About signing the .jar file, I don't skipped anything, jarsigner only ask me for the keystore password. I think keystore password and private key password are the same,

If you generated keys in your keystore with keytool you must know that keystore has its password and newly generated private key(s) should have its own password; So I suppose maybe something is missing here :S It would be interesting you A) import your pfx to IE and export it with IE as described here : since the "Yes export the private key" instructions + "Include all certificates in the certification path if possible"

P.S. Please comment if that was helpful