How do I Import a Certificate from GoDaddy for Java Code Signing? [closed]

问题

Closed. This question is off-topic. It is not currently accepting answers.

---

Want to improve this question? Update the question so it's on-topic for Stack Overflow.

Closed 3 years ago.

I need to be able to sign jar files with a certificate from a CA.

I following the instructions from GoDaddy's documentation on how to do this: http://support.godaddy.com/help/article/4780/signing-java-code

However, step 3 requires importing a cert file obtained from GoDaddy's web site. Per the documentation, the command is:

keytool -import -trustcacerts -keystore codesignstore -storepass <yourstorepwd> -alias codesigncert -file mycert.cer

Although I successfully submit the CSR (generated by keytool) and get a response, I can't for the life of me figure out how to get the mycert.cer file. There is an option to download a PEM file. But after running the above command, I get the error "keytool error: java.lang.Exception: Incomplete certificate chain in reply". I've tried this multiple times, and double-checked I'm using the proper keystore. I've even tried re-keying using both SSH-1 one time, and then SSH-2 the other time. According to this person (https://stackoverflow.com/questions/20793254/signing-a-jar-the-signers-certificate-chain-is-not-validated?rq=1), they were able to at least successfully import the PEM file. But I'm not sure if this is even the right approach.

GoDaddy's tech support has been absolutely dreadful. Most of the techs I've talked to aren't familiar with keytool at all, and it took me several tries calling them before they forwarded me to their SSL department (480-505-8852), which is at least marginally better than general support.

If I use Internet Explorer or Firefox, I believe I can automatically generate a CSR instead of creating one through key tool. Then I'd export the certificate through the web browser. From reading various other online documents, I believe I could then use openssl to convert to the proper format for keytool. I'm not sure on the details of how this will work yet, but I don't see any other options.

Has anyone been successful with this or have any pointers on how to proceed? I found a similar question here (Signing a java applet with an spc file from GoDaddy), but the answer simply points me to GoDaddy's poor documentation. I would use a another CA if I could, but I've already paid the money and gone through the long, drawn-out verification process.

回答1:

The workaround is to contact GoDaddy and have them reissue your organization's certificate. During the certificate setup process, you must select a SHA-1 codesign certificate instead of SHA-2. The option to select SHA-1 will only be available if you certificate validity does not extend to 2016 (see below), so make sure they understand your end goal is to recreate your SHA-2 certificate as SHA-1, so they know to sell you a cert with the correct validity period.

I traded my SHA-2 cert for a SHA-1 today, and GoDaddy's Java Code Signing instructions worked perfectly.

GoDaddy informed me Keytool may have trouble importing a certificate response chain generated from their SHA-2 (2048 length) codesign certificate. I withhold judgment of Keytool since it imports SHA-2 certs fine when the GoDaddy's root SHA1 cert is lopped from the pem file per @mogsie's answer.

GoDaddy goes with SHA-2 automatically when it grants codesign certificates that will extend into 2017 because Microsoft will not accept less than SHA-2 beginning January 1, 2016, so if you're in the market for a SHA-1 certificate, it will have short-term validity.

The issue might go away with a Java Keytool update (I was working with 1.6), or if GoDaddy's Sha256withRSA self-signed certificate becomes widely trusted.

回答2:

The answer, as mentioned by Waterbear, is to have your GoDaddy cert reissued or rekeyed by GoDaddy using SHA-1. The reason is that GoDaddy has two CA servers: Class 2 CA which is used for signing SHA-1 certificates, and G2 CA which is used for signing SHA-2 certificates. While the older Class 2 CA is trusted by the Java Truststore (and thus SHA-1 certificates are trusted), the newer G2 CA is not, so its SHA-2certificates are not trusted unless you manually install its root certificate (which defeats the purpose of buying a cert in the first place). Hopefully GoDaddy's G2 CA becomes trusted by the Java Truststore soon (Before 2016!), but until that happens a GoDaddy SHA-2 cert is no better than a self-signed cert.

回答3:

Since I enjoyed (not) the process of creating a codesinging certificate so much, I thought I would share the process I went thru, and hopefully when you need to generate your own, this will save you some of the heartache and pain .

I used godaddy , but I have to believe whoever the CA is the steps should be very similar.

These are the steps I went thru:

(note that godaddy does not create a codesigning certificate in jks format and there is an extra step involved to convert the keystore to jks)

Create keystore:

keytool -genkey -alias codesigncert -keypass yourpassword -keyalg RSA - keysize 2048 -dname "cn=server1.lccc.edu, OU=College Name , O=College Name , L=Schnecksville, ST=Pennsylvania,C=US" - keystore /home/oracle/codesignstore/codesignstore -storepass yourpassword -validity 720 (storepass and keypass can be the same)

Generater crt for godaddy

keytool -certreq -v -alias codesigncert - file /home/oracle/codesignstore/codesignstore.pem - keystore /home/oracle/codesignstore/codesignstore

using an editor open codesignstore.pem and paste it into the godaddy site

when godaddy verifies the account and you pay your money the 'pending' status will go away

go to your godaddy account (https://mya.godaddy.com/)

click on myaccount at the top of the page (in the black header)

click on manage SSL Certificates

select the codesigning certificate listed

click on the Launch button

download the file as a PEM file

save it on your local pc

open firefox, in the advanced section select view certificates, and the

certificate should be listed on the managed views.

highlight the certificate and select backup (export) and save it as a pkcs12 file

click on view certificates at the top of the screen next to certificate viewer is the alias in double quotes, right this down it will be the alias to be used on the jarsigner command below

copy the file to the server where the codesigning certificate is going to be

used: (e.g server1 /home/oracle/code_sign_cert_from_godaddy/ godaddy_pkcs12.p12) * this is the new keystore

since the keystore has to be of the type jks, and godaddy does't create a jks file it has to be converted to jks format

convert pcks12 to jks

keytool -importkeystore - srckeystore /home/oracle/code_sign_cert_from_godaddy/godaddy_pkcs12. p12 -srcstoretype pkcs12 - destkeystore /home/oracle/code_sign_cert_from_godaddy/godaddy_jks.jks -deststoretype jks

jar file processing:

unsign jacob.jar... i copied the jacob.jar file to a test directory /test_jacob and renamed it jacob1.jar (note 760815.1)

jar xf jacob1.jar

extracts into "com" and "META-INF" folders, remove the "META-INF" folder

remove the old jacob1.jar

recreate the jacob1.jar from the /test_jacob directory

jar -cvf jacob1.jar *

run jarsigner -verify jacob1.jar, should show unisigned.

create a text file call mymanifest.txt

  Permissions: all-permissions

  Codebase: *

  Application-Name: OracleForms

jar -ufm jacob1.jar mymanifest.txt (this puts the new manifest info into the jar file)..

you can open jacob1.jar with the unzip jacob1.jar -d directory where unzip will reside to verify that the mymanifest.txt file is now part of the jar file.

sign jar file

jarsigner - keystore /home/oracle/code_sign_cert_from_godaddy/godaddy_jks.jks - storepass yourpassword - signedjar /home/oracle/Oracle/Middleware/Oracle_FRHome1/forms/java/tes t_jacob/Signedjacob1.jar jacob1.jar "lehigh carbon community college's godaddy.com, inc. id" (this alias came from the firefox process above)

the -signedjar file option was required, without it I was getting errors

note the alias is always the last entry on the jarsigner command and

there is no –alias option as there was on the keytool command

verify jar file is signed

jarsigner -verify Signedjacob1.jar will display:

jar verified.

show whats in the jar file

jar -tvf Signedjacob1.jar

the .SF file is insided the .jar file, the .DSA file is replaced by the .RSA

file which is also inside the .jar file

from the output of the jar -tvf Signedjacob1.jar

2721 Mon May 05 15:57:08 EDT 2014 META-INF/LEHIGH_C.SF

4231 Mon May 05 15:57:08 EDT 2014 META-INF/LEHIGH_C.RSA

I copied the Signedjacob1.jar file to the $ORACLE_HOME/forms/java directory and then using the

login to the weblogic enterprise manager

I changed the webutilarchive parameter from Jacob.jar to Signedjacob1.jar for each instance

( em >>forms>>web configuration >> instance name >> all (the first entry should be the archive parameter)

When changing the jacob.jar to the Signedjacob1.jar , I did it for each of my test instances before I did it for production, just in case.

Stop and start wls_forms and you should be good to go..

回答4:

@Waterbear Thanks so much for your solution about getting an SHA-1 certificate instead of SHA-2. This was definitely the problem I was having. (I would have posted this underneath your comment, but StackOverflow said it was way too long.) I had gotten a 3-year certificate, and by default GoDaddy gives an SHA-2 for certificates expiring after a certain date. However, even when I re-keyed and asked for an SHA-1, I still ended up with an SHA-2. I had to revoke my certificate and then start the process from scratch to get an SHA-1 certificate. (By starting from scratch, I mean GoDaddy must again verify your company and phone number and all that.) By the way, if you do revoke your certificate, make sure you ask GoDaddy for permission first because technically they don't have to give you a refund. In addition, I wasn't able to get a 3-year certificate because anything that expires after a certain date (2016?) must be SHA-2 and not SHA-1. I basically had to get a refund for my 3-year certificate and instead get a 1-year certificate to even have the SHA-1 option. But after going with SHA-1, GoDaddy's instructions in approach#1 worked fine. I would recommend doing generating your CSR manually using the keytool command (instead of automatically through a web browser). Later, you just download the PEM file and import it into the keystore using the keytool command. (This is what GoDaddy's describes in "approach 1" in the link posted in the question.)

Lastly if you do have to have a certificate reissued, and go through this process again, I would highly recommend choosing another company besides GoDaddy for code-signing. Their tech support was absolutely horrendous. Their support techs even admitted to me they weren't trained in this. The hours spent on this issue greatly offset any money saved on the cert.

回答5:

keytool -import -trustcacerts -keystore codesignstore -storepass <yourstorepwd> -alias codesigncert -file mycert.cer

First thing, you ** MUST HAVE ** the mycert.cer file. Otherwise, you do not have the ability to import the cert.

Get a "lay of the land" - What is in the current keystore file? We want to list (or show) what is in the keystore..

keytool -list -v -keystore codesignstore

If it prompts you for the password, you can just press the ENTER key and it will bark about it not being trusted, but for expediency, it is fine.

If you want to "pump" the results into a text file..

echo.|keytool -list -v -keystore codesignstore > kstore_result.txt

Note: the echo. does like what I previously mentioned about "pressing ENTER" so don't become too attached to that. :)

keytool -genkey -alias codesigncert -keyalg RSA -validity 1825 -keysize 2048 -keypass <yourstorepwd> -keystore codesignstore -storepass <yourstorepwd>

Other options:

-genkey = generate a key
-keyalg RSA = use RSA's key alogorithm
-validity 1825 = how long is the key good for?  Primarily used with self-signed certs as the certs from verisign or Thawte have their own expiration
-keysize 2048 = Is this a 1024 or 2048-bit enryption?
-keypass <yourstorepwd>
-keystore codesignstore
-storepass <yourstorepwd>

Thing you have to be very careful of here and Support will not tell you about this.. If you try to import other certs alongside the existing ones, you need to be careful you don't botch the whole thing. :)

If you do have a problem of course, you can delete the alias and import again..

keytool -delete -alias codesigncert -storepass <yourstorepwd> -keystore codesignstore

One of the things that I like to do is to "stack" the command to be sure that I work down through the list.

For example, you have from Godaddy:

keytool -import -trustcacerts -keystore codesignstore -storepass <yourstorepwd> -alias codesigncert -file mycert.cer

Then, I take each command and set it up like the following to "walk" down the list:

keytool
-import
-trustcacerts
-keystore codesignstore
-storepass <yourstorepwd>
-alias codesigncert
-file mycert.cer

Then, looking at this list, does my version of keytool support each of these? You have -import as the first..

I just ran keytool -help and I don't see: -import, but do see -importcert

There maybe an issue there?

Oracle shows us.. http://docs.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html

So, you may have to make some adjustments..

Here is one that I setup on on of our local Apache Tomcat servers (Windows):

%JAVA_HOME%\bin\keytool -delete -alias tomcat -storepass somepass -keystore %JAVA_HOME%\bin\.keystore

And then..

%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA -validity 1825 -keysize 2048 -keypass somepass -keystore %JAVA_HOME%\bin\.keystore -storepass somepass
What is your first and last name?
  [Unknown]:  secure.someserver.com
What is the name of your organizational unit?
  [Unknown]:  COMPANY
What is the name of your organization?
  [Unknown]:  COMPANY
What is the name of your City or Locality?
  [Unknown]:  ANYTOWN
What is the name of your State or Province?
  [Unknown]:  MI
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=secure.someserver.com, OU=COMPANY, O=COMPANY, L=ANYTOWN, ST=MI, C=US correct?
  [no]:  yes

Note: When you run this, you will not see if it is successful or not.

Let's start here and see what the results are..

回答6:

I found that of the four certificates you get from the godaddy PEM download, the first one is the self-signed root certificate.

To see the chain (on unix):

keytool -printcert -file response-from-godaddy.pem | grep -C1 ^Owner

The response shows the four certificates that make up the chain, all the way to the root.

Certificate[1]:
Owner: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
--
Certificate[2]:
Owner: CN=Go Daddy Root Certificate Authority - G2, OU=https://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
--
Certificate[3]:
Owner: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
--
Certificate[4]:
Owner: CN=REDACTED
Issuer: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US

Apparently the first one is already in the Java standard cacerts as the trusted root certificate. The fact that it is in the .pem file trips keytool up.

I struggled with the same problem rekeying a few times, and I got lucky:

• Open up the PEM file.
• Delete the first block of ----BEGIN to ----END,
• Run your keytool -import on the file containing the remaining three certificates.

Presto!

keytool -importcert -v -trustcacerts -keystore XXX -alias codesigning -file 234.pem

Result:

Certificate reply was installed in keystore
[Storing XXX]

回答7:

Here's what I did..

keytool -v -genkey -dname "CN=XXX, OU=YYY, O=ZZZ, L=CCC, ST=SSS, C=US" -alias myKey -keypass abc123 -keystore myKeystore -storepass abc123 -validity 1096 -keyalg RSA -keysize 2048 -sigalg SHA1withRSA

keytool -certreq -keyalg RSA -keysize 2048 -sigalg SHA1withRSA -v -alias myKey -file mycsr.pem -keystore myKeystore -storepass abc123

Submit request (mycsr.pem) to GoDaddy, download PEM file (1b27b7d7a29a06.pem in this case).

The downloaded PEM file contains my signed certificate along with others in the certificate chain. I found keytool would not accept the PEM file as downloaded. I had to remove my certificate from downloaded certificate. I did this via Key Store Explorer (http://keystore-explorer.sourceforge.net/) Use the "Examine a Certificate" option, open the PEM file received from Godaddy (1b27b7d7a29a06.pem) click on the your certificate (not one of the others from GoDaddy), click on "PEM", click on "Export". I named this certificate 1b27b7d7a29a06-mycert.pem.

Download the root (gdroot-g2.crt) and intermediate (gdig2.crt) certificates from GoDaddy (https://certs.godaddy.com/anonymous/repository.pki)

Note that these are/one must use the GoDaddy G2 root and intermediate certificates.

Next install these certificates in this order:

keytool -v -importcert -trustcacerts -keystore myKeystore -storepass abc123 -file gdroot-g2.crt -alias gdroot-g2

keytool -v -importcert -trustcacerts -keystore myKeystore -storepass abc123 -file gdig2.crt -alias gdig2

keytool -v -importcert -keystore myKeystore -storepass abc123 -alias myKey -file 1b27b7d7a29a06-mycert.pem

now you can sign your app:

jarsigner -keystore myKeystore -storepass abc123 -sigalg SHA1withRSA -digestalg SHA-1 time.jar mykey

回答8:

I had the certificate error (CA not trusted) using the Chrome/FF java plugin to deploy an application from my webserver (so not a java applet). Problem was solved for me when adding other Godaddy (intermediate) CA certs to my web server. I created a ticket with godaddy and they responded (quite rapidly)

Dear Sir or Madam,

Thank you for contacting secure certificate support. You will need to use the intermediate certificate bundle with the cross certificate and the G1 root certificate. This will resolve this issue. You can obtain the certificates listed below at https://certs.godaddy.com/repository.

Intermediate certificate bundle - gdig2_bundle.crt Root certificate - gd-class2-root.crt

回答9:

importing the GoDaddy bundle solves the problem:

export JAVA_HOME=/usr/lib/jvm/java-8-oracle/
wget https://certs.godaddy.com/repository/gd_bundle-g2.crt
$JAVA_HOME/bin/keytool -import -alias root -file ./gd_bundle-g2.crt -storepass changeit -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts

回答10:

I have to say,

this whole Java signing bs seems to be a singular method for Java not to die off in favor of better code options.

In reality I think it is killing java. I would rather use any other method of coding (php/flash/etc) then ever use Java again. Way to go Oracle!

来源：https://stackoverflow.com/questions/20896880/how-do-i-import-a-certificate-from-godaddy-for-java-code-signing