0
votes

We have purchased a code signing certificate, and I have signed an Applet jar with this certificate, using the jarsigner command and certificate in .pfx format. But when the applet is loaded in the browser, it shows the "Publisher Unknown" and "digital signature could not be verified" error. If I import the certificate from Java Control Panel -> Security -> Certificates -> Signer CA, the Publisher starts showing up correctly and "Digital signature is verified" message appears.

My question is that as we are signing the jar with a trusted certificate, then why do I have to still import the certificate to see correct results? Shouldn't it show the Publisher correctly/verify signature correctly, even without having to import it?

1
"My question is that as we are signing the jar with a trusted certificate, then why do I have to still import the certificate to see correct results?" You should not need to. "Shouldn't it show the Publisher correctly/verify signature correctly, even without having to import it?" Yes. -- Are you certain you have completely cleared the cached versions of the applet from the testing machine? (Or preferably) Can you try it on a machine that has never had the applet installed? -- What exact Java version is the problem machine running? – Andrew Thompson
I completely clear the cache from browser and from the Java console as well. (Java Console -> temporary internet file -> settings -> Delete files). I am using Java 6, update 20. – user3165932
"I am using Java 6, update 20." Why? It is best to keep Java up to date, and Java 6 is obsolete. The last publicly available version of Java 6 was 1.6.0_45, a long way beyond version 1.6.0_20. – Andrew Thompson
I sign the jar with Java 6, because that is being used for development in our project. But the client (browser from which I am accessing the web application) has Java 7. – user3165932

1 Answer

0
votes

My issue got resolved. There was a problem in the certificate (in .pfx format) that I was using to sign the jar. When this certificate was generated from the site of the CA, the checkbox of "Include All Certificates in the path" was not selected. As a result, the certificate did not have the complete chain required for signature verification in the applet jar.

The following command can be used to display the details of the certificates in a .pfx file:

    openssl pkcs12 -in <pfx_file_name>.pfx -nodes

The certificate that had an issue had only 1 certificate listed, while the one generated later had the complete chain of 3 certificates.
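
A pre-signing check for the situation described in the answer above, as an added example that is not part of the original post: it reads the text listing that openssl pkcs12 prints and reports how many certificates the .pfx carries and which issuers are absent from it. The function names and the sample listings are constructed for illustration, and -nokeys is used in place of -nodes so that only certificates are listed.

```shell
#!/bin/sh
# Added example (not from the original post). Feed it the output of:
#   openssl pkcs12 -in <pfx_file_name>.pfx -nokeys
# -nokeys lists certificates only, so the private key is never printed.

# count_certs: number of certificates in the listing read from stdin.
count_certs() {
    awk '/^-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }'
}

# missing_issuers: print every issuer DN that does not appear as a subject
# in the same listing. Empty output means each certificate's issuer is in
# the file (a self-signed root is its own issuer). This compares names only;
# it does not verify signatures.
missing_issuers() {
    awk '
        /^subject=/ { sub(/^subject=[ ]*/, ""); subj[$0] = 1; next }
        /^issuer=/  { sub(/^issuer=[ ]*/, "");  iss[$0] = 1; next }
        END { for (dn in iss) if (!(dn in subj)) print dn }
    '
}

# Constructed sample listings: names are made up, PEM bodies are elided.
ONE_CERT='subject=/CN=Example Publisher
issuer=/CN=Example Code Signing CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----'

FULL_CHAIN="$ONE_CERT
subject=/CN=Example Code Signing CA
issuer=/CN=Example Root CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/CN=Example Root CA
issuer=/CN=Example Root CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----"

report() {  # $1 = label, $2 = listing text
    n=$(printf '%s\n' "$2" | count_certs)
    missing=$(printf '%s\n' "$2" | missing_issuers)
    echo "$1: $n certificate(s); issuers not in file: ${missing:-none}"
}

report "pfx exported without the chain" "$ONE_CERT"
report "pfx exported with the chain" "$FULL_CHAIN"
```

A missing issuer that is a root CA already present in the client's Java trust store is not a problem; a missing intermediate CA is the case described in the answer.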