I hope you can help me. I'm about to sign jar files with a self-created certificate using OpenSSL. The jar file contains an old Java applet which Java is blocking (as long as it is not signed) in the browser since version 7.51. Once it is signed, I just have to install the certificate (in the system / browser / JRE).
Right now I have a problem signing the certification request (see below "Step 7"): "unable to load certificate". What do I have to change to pass this step? In addition, I am not sure about the further steps (which I also added below). Could you please also tell me if these are right? Thank you in advance for any help.

1.) Create folder structure

    cd test
    mkdir private certs newcerts conf export csr
    echo '01' > serial
    touch index.txt
    export OPENSSL_CONF=/home/joerg/cacerts/myca/openssl.cnf

2.) Create the Certificate Authority

    openssl req -new -x509 -days 3650 -keyform PEM -outform PEM -keyout test/private/cakey.pem -out test/cacert.pem

3.) Copy the CA into a format which can be managed by the Java keystore:

    openssl x509 -outform der -in test/cacert.pem -out test/cacert.crt

4.) Generate Keystore

    keytool -genkey -keystore javakeystore.jks -alias test

5.) Check Keystore

    keytool -list -keystore javakeystore.jks -storepass "whatever"
    Keystore-Typ: JKS
    Keystore-Provider: SUN
    Keystore enthält 1 Eintrag
    test, 13.11.2014, PrivateKeyEntry,
    Zertifikat-Fingerprint (SHA1): 38:D0:44:2A:35:C8:60:F1:CD:7F:0E:41:6D:E6:DC:23:7C:49:96:23

6.) Create certification request

    keytool -certreq -v -file test/certs/caRequest.csr -alias "test" -keystore javakeystore.jks -storepass "whatever"

7.) Sign the certificate with the CA

    openssl ca -days 365 -in test/certs/caRequest.csr -out test/newcerts/caRequest.pem -policy policy_anything
    Using configuration from /home/joerg/cacerts/myca/openssl.cnf
    Enter pass phrase for /home/joerg/cacerts/myca/test/private/cakey.pem:
    unable to load certificate
    140116933408416:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
    ~~/cacerts/myca$

My plan is to continue like this:

8.)

    openssl x509 -in test/newcerts/caRequest.pem -out test/newcerts/caRequest.pem -outform PEM

9.)

    openssl x509 -outform der -in test/newcerts/caRequest.pem -out test/newcerts/caRequest.crt

10.) Concatenate the certificate chain

    cat test/newcerts/caRequest.pem test/cacert.pem > test/newcerts/caRequest.chain

11.) Indicate that I trust this CA

    keytool -import -trustcacerts -file test/cacert.pem -alias test -keystore javakeystore.jks -storepass "whatever"

12.) Import it into your keystore

    keytool -import -file test\newcerts\caRequest.chain -alias test1 -keystore javakeystore.jks -storepass "whatever"

13.) Sign jar file

    jarsigner -keystore javakeystore.jks TestApplet.jar test
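The "PEM_read_bio:no start line ... Expecting: TRUSTED CERTIFICATE" message in Step 7 is what OpenSSL's PEM reader reports when the file it was told to load as a certificate has no `-----BEGIN ...-----` line. The script below is an added example, not part of the original post: it classifies a file as PEM, DER, empty or something else. The function names `cert_encoding` and `make_samples` are hypothetical, and the sample CA it generates is constructed to mirror Steps 2 and 3.

```shell
#!/bin/sh
# Added example, not from the original post. Classifies a certificate file as
# pem / der / empty / other, so the file a config or command points at can be
# checked before "openssl ca" tries to read it as PEM.

cert_encoding() {
    f=$1
    if [ ! -s "$f" ]; then
        echo empty            # missing or zero-length file
    elif grep -Eq '^-----BEGIN (TRUSTED |X509 )?CERTIFICATE-----' "$f"; then
        # Header present: let OpenSSL confirm the body really parses.
        if openssl x509 -in "$f" -noout 2>/dev/null; then echo pem; else echo other; fi
    elif openssl x509 -inform DER -in "$f" -noout 2>/dev/null; then
        echo der              # binary ASN.1, e.g. the output of Step 3
    else
        echo other            # CSR, private key, or unrelated content
    fi
}

# Build constructed sample files that mirror Steps 2 and 3 of the post
# (throwaway key without passphrase, 1-day validity).
make_samples() {
    d=$1
    openssl req -new -x509 -days 1 -newkey rsa:2048 -nodes \
        -subj '/CN=constructed-test-ca' \
        -keyout "$d/cakey.pem" -out "$d/cacert.pem" 2>/dev/null
    openssl x509 -outform der -in "$d/cacert.pem" -out "$d/cacert.crt"
    : > "$d/empty.pem"        # zero-length file, as left behind by a failed run
}

tmp=$(mktemp -d)
make_samples "$tmp"
for f in cacert.pem cacert.crt cakey.pem empty.pem; do
    printf '%-12s %s\n' "$f" "$(cert_encoding "$tmp/$f")"
done
rm -rf "$tmp"
```

Only a file reported as `pem` can be read by a command that expects a PEM certificate; `der`, `empty` and `other` inputs all end in the same "no start line" error.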