Question
We have Microsoft Authenticode certificates purchased from Thawte (.cer, pvk and spc files) and want to reuse them to sign Java jar files. See http://www.thawte.com/code-signing/index.html. In other words, I do not want to make a second (and unnecessary) purchase - to buy the Java code signing certs also listed below on that page. Note: Thawte allows this but will not support it.
Thawte_Code_Signing_Intermediate_CA.cer, Thawte_Primary_Intermediate_Root_CA.cer, Thawte_Primary_Root_CA_Cross.cer
I have the pvk and spc files.
How do I import the private and public keys and certificates into the keystore?
Following the steps here http://docs.oracle.com/javase/tutorial/security/toolsign/signer.html
keytool -import -trustcacerts -keystore mykeystore -alias primary_root -file Thawte_Primary_Root_CA_Cross.cer
keytool -import -trustcacerts -keystore mykeystore -alias intermediate_root -file Thawte_Primary_Intermediate_Root_CA.cer
keytool -import -trustcacerts -keystore mykeystore -alias myalias -file Thawte_Primary_Intermediate_Root_CA.cer
Trying to use NetBeans 7.3 to sign the jar by pointing it to the keystore and doing a build produces:
jarsigner: Certificate chain not found for: primary_root. primary_root must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.
I realize I must import the private and public keys and certificates into the keystore, but it is not clear how. Posts like this talk of .crt files, so it does not seem the same thing. https://stackoverflow.com/a/8224863/398348 also https://stackoverflow.com/a/9131421/398348
unable to load PKCS7 object
Answer 1:
More details would help, however the files you list here seem to be CA certificate chain certificates e.g. none of the file names seem to indicate that it contains a code signing certificate. Guessing from your file names, you need to import the .spc and .pvk file to the keystore.
You have to have access to an OpenSSL command line tool to do that. Either use a Linux/Unix machine or install Cygwin to get access to it.
Convert spc file to a more sane format:
openssl pkcs7 -inform DER -in mycert.spc -print_certs -out mycert.crt
Use OpenSSL to convert keypair (correct .crt and corresponding .pvk file) to a PKCS#12 keystore
openssl pkcs12 -export -in mycert.crt -inkey mycert.pvk \
-out mycert.p12 -name some-alias
Convert PKCS#12 format file into Java keystore format
keytool -importkeystore \
-deststorepass changeit -destkeypass changeit -destkeystore mycert.keystore \
-srckeystore mycert.p12 -srcstoretype PKCS12 -srcstorepass some-password \
-alias some-alias
See also:
http://www.drh-consultancy.demon.co.uk/pkcs12faq.html
importing an existing x509 certificate and private key in Java keystore to use in ssl
Answer 2:
It is clear that you typed the wrong alias "primary_root" when trying to sign your jar.
Check your alias, using
keytool.exe -list -keystore YOUR_KEYSTORE -storetype YOUR_STORE_TYPE
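The alias check above, as an added example that is not part of either answer: it reads `keytool -list` output and reports whether an alias is a PrivateKeyEntry, the only entry type jarsigner can sign with. The listing is a constructed sample in keytool's English-locale format with placeholder fingerprints, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `keytool -list` output after the three imports from the
# question plus the PKCS#12 import from answer 1. Fingerprints are placeholders.
sample_listing() {
cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

intermediate_root, Jul 13, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): <placeholder>
primary_root, Jul 13, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): <placeholder>
some-alias, Jul 13, 2013, PrivateKeyEntry,
Certificate fingerprint (SHA1): <placeholder>
EOF
}

# entry_type ALIAS: read a listing on stdin, print the entry type of ALIAS.
# Exit status 1 if the alias is absent. The date itself contains ", ", so the
# alias is the first ", "-separated field and the type is the last one.
entry_type() {
  awk -v want="$1" '
    /(PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),[ \t]*$/ {
      line = $0; sub(/,[ \t]*$/, "", line)
      n = split(line, f, ", ")
      if (f[1] == want) { print f[n]; found = 1; exit }
    }
    END { exit !found }'
}

# signable_aliases: print every alias that holds a private key and chain.
signable_aliases() {
  awk '/PrivateKeyEntry,[ \t]*$/ { split($0, f, ", "); print f[1] }'
}

# can_sign ALIAS: 0 = usable by jarsigner, 1 = certificate only, 2 = missing.
can_sign() {
  t=$(entry_type "$1") || { echo "alias '$1' is not in the keystore" >&2; return 2; }
  [ "$t" = "PrivateKeyEntry" ] && return 0
  echo "alias '$1' is a $t: certificate only, no private key" >&2
  return 1
}

# Demo: the alias from the question's error message is rejected.
sample_listing | can_sign primary_root || true
```

Against a real keystore, pipe the output of `keytool -list -keystore YOUR_KEYSTORE` into `can_sign` with the alias you intend to pass to jarsigner.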
Source: https://stackoverflow.com/questions/17625174/how-do-i-import-the-private-and-public-keys-pvk-spc-and-certificates-cer-int