Alias cannot be found in certificate keystore - code-signing

I'm trying to sign a jar file using a code signing certificate. The alias name includes some special characters (Turkish characters). The alias name is similar to the following:
bi?li?şi?m teknoloji?leri? eği?ti?m's comodo ca limited id
When I try to sign a jar file, the following error occurs:
Certificate chain not found for: bi?li?şi?m teknoloji?leri? eği?ti?m's
comodo ca limited id. bi?li?şi?m teknoloji?leri? eği?ti?m's comodo ca
limited id must reference a valid KeyStore key entry containing a
private key and corresponding public key certificate chain.
I tried to change the alias name by using keytool (jdk) utility, but again, since the alias name was not found, I couldn't succeed.
When I looked at the details with keytool, I saw that the entry type is "PrivateKeyEntry", so I don't think this error is about a missing private key.
The problem seems related to an unrecognized character issue.
How can I solve this problem and proceed to signing my jar file?

The support team from the certificate company responded to my email. They wanted to renew the certificate without using Turkish characters in the company name. As I guessed, the problem was related to unrecognized characters.
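One plausible origin of the `?` after every `i` in that alias, as an added example that is not part of the original posts: lower-casing the Turkish capital İ (U+0130) without Turkish locale rules yields `i` plus U+0307 COMBINING DOT ABOVE, which a code-page console cannot print. The upper-case company name, the lower-casing step, and the cp1254 console are assumptions; the function names are hypothetical.

```python
import unicodedata

# Constructed input: an upper-case name of the kind that would produce the alias
# quoted in the question (assumed; the original name is not on the page).
ASSUMED_NAME = "BİLİŞİM TEKNOLOJİLERİ EĞİTİM"


def stored_alias(name: str) -> str:
    """Lower-case without Turkish locale rules (assumed keystore behaviour).

    U+0130 has no single-code-point lower-case form outside the Turkish
    locale, so each İ becomes 'i' followed by U+0307.
    """
    return name.lower()


def console_view(alias: str, codepage: str = "cp1254") -> str:
    """What a console limited to `codepage` shows: unmappable code points become '?'."""
    return alias.encode(codepage, errors="replace").decode(codepage)


def non_ascii_report(alias: str) -> list:
    """(index, U+XXXX, Unicode name) for every non-ASCII code point in the alias."""
    return [(i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(alias) if ord(ch) > 0x7F]


def same_alias(a: str, b: str) -> bool:
    """Compare two aliases after NFC normalisation and full case folding."""
    def norm(s: str) -> str:
        return unicodedata.normalize("NFC", s).casefold()
    return norm(a) == norm(b)


if __name__ == "__main__":
    alias = stored_alias(ASSUMED_NAME)
    print(console_view(alias))
    for row in non_ascii_report(alias):
        print(row)
```

An alias typed with a plain `i` does not compare equal to the stored string, which is why listing the exact code points is the first diagnostic step.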

Related

How to add certificate for remote repository in JFrog Artifactory

Could you please help me use the JFrog Artifactory certificates feature (Admin -> Certificates)?
I want to add certificate for a maven repository (https://plugins.jenkins.io/repository)
Below are the steps I followed –
Step1: Downloaded the certificate (DER encoded binary X.509) for this repository from chrome browser.
Step2: Converted certificate extension from .cer to .pem. Directly converted extension from .cer to .pem and also tried with openssl: openssl x509 -inform der -in certificate.cer -out certificate.pem
Step3: Add new certificate via (Admin -> Certificates -> New -> Drag and dropped .pem file), Entered Certificate Alias name.
After clicking on Save, I am getting below error –
Certificate could not be added. Unable to read the provided PEM file. Missing private key or certificate.
Other important information –
When I researched more on this error, I found JFrog is expecting both the certificate and the private key in the .pem file. When I download the certificate from Chrome, I get only the certificate but not the private key.
https://jfrog.com/knowledge-base/how-to-resolve-the-certificate-could-not-be-added-unable-to-read-the-provided-pem-file-missing-key-or-certificate/
I have tried the above steps with a Base-64 encoded X.509 certificate as well, but the results are the same.
What you are doing is adding a client certificate.
Meaning that when Artifactory accesses a remote repository, it will secure the connection using the client certificate.
If your problem is that Artifactory does not trust the certificate exposed by the remote repo (https://plugins.jenkins.io/repository) then you need to follow the directions here:
https://www.jfrog.com/confluence/display/RTF/Using+a+Self-Signed+Certificate
More explanations about the differences:
https://www.websecurity.symantec.com/security-topics/client-certificates-vs-server-certificates
Please elaborate a little bit more about the original problem you had, so we could understand if you are picking the right solution.
Good luck.
Your certificate probably came from a CSR (certificate request)?
You should have a private key within that CSR request file. Simply paste the output CER text (enclosed by ----- BEGIN CERTIFICATE ... -----END CERTIFICATE), i.e. your issued certificate, a blank line, then the similar ---- BEGIN PRIVATE KEY ... ---- END PRIVATE KEY section from the CSR into a simple file called < whatever >.PEM and put that into JFrog. I told JFrog just yesterday that this part is not clear, and could be expressed more simply in their wiki. What it's complaining about is the lack of a PRIVATE KEY entry in the PEM. It took me a while to realise this, and where to get it from.
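A pre-upload check for the two failure modes in this thread, a DER file whose extension was renamed to .pem and a PEM file with no private key block, as an added example that is not JFrog's code or part of the original posts. The function name `inspect_upload` and the result layout are hypothetical.

```python
import base64
import re

# One PEM block: matching BEGIN/END labels around a base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def inspect_upload(data: bytes) -> dict:
    """Report encoding, PEM block labels and problems for a candidate upload."""
    result = {"encoding": "unknown", "labels": [], "problems": []}
    # A DER certificate starts with an ASN.1 SEQUENCE tag (0x30) and a long-form
    # length. Renaming .cer to .pem leaves these bytes unchanged.
    if len(data) > 1 and data[0] == 0x30 and data[1] & 0x80:
        result["encoding"] = "DER"
        result["problems"].append(
            "binary DER; renaming the extension does not make it PEM")
        return result
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        result["problems"].append("not ASCII text, so not PEM")
        return result
    for label, body in PEM_BLOCK.findall(text):
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            result["problems"].append(f"{label}: body is not valid base64")
            continue
        result["labels"].append(label)
    if result["labels"]:
        result["encoding"] = "PEM"
    if "CERTIFICATE" not in result["labels"]:
        result["problems"].append("no CERTIFICATE block")
    # Covers PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY, ENCRYPTED PRIVATE KEY.
    if not any(lab.endswith("PRIVATE KEY") for lab in result["labels"]):
        result["problems"].append("no PRIVATE KEY block")
    return result
```

A certificate saved from a browser will always report "no PRIVATE KEY block", which matches the first answer's point that the Certificates screen is for client certificates rather than for trusting a remote server.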

CertUtil importpfx Keyset does not exist

I have a p12 file, 'test.p12,' that has a certificate, the CA cert (self-signed), and private key for the certificate. The p12 file is generated using the BouncyCastle's C# API.
When trying to import the certificate by using 'CertUtil', i.e., 'CertUtil -f -p password -importpfx test.p12,' CertUtil generates the following error:
CertUtil: -importPFX command FAILED: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
CertUtil: Keyset does not exist
Any clues as to what may be wrong? (I'm using Windows 10)
Using openssl, I can see that 'test.p12' does include the certificate, CA cert, and private key. The certificate is using an EC keypair, but I doubt that's a problem since I have a reference p12 file that uses the same algorithm and is imported by CertUtil without problem. Unfortunately, I have no detail on how the reference file is generated.
In my google searches, many seem to suggest that this may be a permission problem, but I doubt that's the case as I'm running the CertUtil as the Administrator.
When importing the same file using 'MMC' with the certificate snap-ins, the certificate is "successfully" imported if I force the MMC to store it in a specific store, e.g., Personal; otherwise, it prompts to select a Smart Card for the certificate. Could this be a related problem?
Thanks,
--Hyong

How to add certificates to SonarLint in Eclipse

A certificate is required to connect my SonarQube server. I have installed the SonarLint plugin, but it does not have any option to add certificates to connect my SonarQube server. It has only URL, username, password options. Is there any way to set certificates?
SonarLint does not permit the configuration of certificates, but you can add the certificate to the JRE or JDK.
https://docs.oracle.com/javase/tutorial/security/toolsign/rstep2.html
Copied text from the Oracle documentation:
Import the Certificate as a Trusted Certificate
Before you can grant the signed code permission to read a specified file, you need to import Susan's certificate as a trusted certificate in your keystore.
Suppose that you have received from Susan
the signed JAR file sCount.jar, which contains the Count.class file, and
the file Example.cer, which contains the public key certificate for the public key corresponding to the private key used to sign the JAR file.
Even though you created these files and they haven't actually been transported anywhere, you can simulate being someone other than the creator and sender, Susan. Pretend that you are now Ray. Acting as Ray, you will create a keystore named exampleraystore and will use it to import the certificate into an entry with an alias of susan.
A keystore is created whenever you use a keytool command specifying a keystore that doesn't yet exist. Thus we can create the exampleraystore and import the certificate via a single keytool command. Do the following in your command window.
Go to the directory containing the public key certificate file Example.cer. (You should actually already be there, since this lesson assumes that you stay in a single directory throughout.)
Type the following command on one line: keytool -import -alias susan -file Example.cer -keystore exampleraystore
Since the keystore doesn't yet exist, it will be created, and you will be prompted for a keystore password; type whatever password you want.
The keytool command will print out the certificate information and ask you to verify it, for example, by comparing the displayed certificate fingerprints with those obtained from another (trusted) source of information. (Each fingerprint is a relatively short number that uniquely and reliably identifies the certificate.) For example, in the real world you might call up Susan and ask her what the fingerprints should be. She can get the fingerprints of the Example.cer file she created by executing the command
keytool -printcert -file Example.cer
If the fingerprints she sees are the same as the ones reported to you by keytool, the certificate has not been modified in transit. In that case you let keytool proceed with placing a trusted certificate entry in the keystore. The entry contains the public key certificate data from the file Example.cer and is assigned the alias susan.
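The fingerprint comparison from the quoted procedure, done independently of keytool, as an added example that is not from the Oracle tutorial or the original answer. It assumes the file holds a single certificate in DER or PEM form; the function names are hypothetical.

```python
import hashlib
import hmac
import re
import ssl


def cert_fingerprint(data: bytes, algo: str = "sha256") -> str:
    """Digest of the DER encoding as colon-separated upper-case hex."""
    if data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        # PEM is base64-wrapped DER; hash the decoded bytes, not the text.
        der = ssl.PEM_cert_to_DER_cert(data.decode("ascii").strip())
    else:
        der = data  # treated as raw DER
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(data: bytes, claimed: str, algo: str = "sha256") -> bool:
    """Compare with a fingerprint obtained out of band.

    `claimed` is the hex value only; colons, spaces and letter case are ignored.
    """
    want = re.sub(r"[\s:]", "", claimed).upper()
    have = cert_fingerprint(data, algo).replace(":", "")
    return hmac.compare_digest(have.encode(), want.encode())


if __name__ == "__main__":
    # Constructed bytes standing in for Example.cer; not a real certificate.
    sample = b"\x30\x82\x00\x08constructed"
    print(cert_fingerprint(sample))
```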

"No signature was present in the subject" error when signing code

I have run into a similar problem to the one encountered here:
How to sign code (.EXE file) with a .SPC or .PEM file from GoDaddy (using Ubuntu)?
I have used both the MONO signcode tool (https://developer.mozilla.org/en-US/docs/Signing_an_executable_with_Authenticode) and osslsigncode (http://sourceforge.net/projects/osslsigncode/files/osslsigncode/) and the executables show a digital certificate present signed with "Go Daddy Class 2 Certification Authority". When I view the certificate details it says "No signature was present in the subject". I have tried with the timestamp server and without the timestamp server and there is no difference. I am running the code on Ubuntu Precise and testing on Windows 7.
Suggestions?
I'm experiencing this same issue with a renewed GoDaddy cert.
I'm on Debian v8 / signing a windows EXE. It's a part of a deploy/publish step.
Using the SPC file from last year, it worked well. With both osslsigncode and Mono's signcode.
Now I get security warnings w/ the "No signature was present in the subject"
To FIX
I re-submitted my original CSR, and after receiving the re-re-issued cert I was able to successfully sign using osslsigncode.
Tested with osslsigncode verify <exe-name>
I ended up getting this to work by using the -pkcs12 <pkcs12 file> argument instead of the -cert <certificate file> and -key <key file> arguments. The .pfx file I used was generated from the exact same .spc and .pvk files I was supplying to osslsigncode, but for whatever reason, it worked while they didn't.
The error message "No signature was present in the subject" can be caused by a mismatch between the private key used for signing and the public key in the certificate.

self-signed SSL certificate error: certificate has invalid digital signature

I have a C# program and part of it creates a self-signed certificate.
The problem is when I try to import the certificate in MMC it says "This certificate has an invalid digital signature."
And when I try to add this certificate through command prompt using netsh http add it says:
SSL Certificate add failed, Error: 1312 A specified logon session does not exist. It may already have been terminated.
I've tried all suggestions from other questions similar to this but to no luck.
I've also tried downloading Hotfix from Microsoft but it didn't work.
By the way, my machine is running in Windows7-64bit.
I ran into an answer here. The basic issue is that DC authority cert creators get sloppy and create multiple certs for the same DC cert authority. I had my self-signed cert created using latest and greatest DC cert authority certificate. I had to export and install both root cert and a self signed cert on my destination machine for it to recognize self signed cert used on the server. But the root cert I exported was a cert with the same name but different dates. Once I located the proper root cert and installed it on my destination computer everything worked flawlessly.
In my case it was due to an old self signed certificate with a small key length.
I found the solution here - https://security.stackexchange.com/a/82606/26742 to reduce the security (only in my dev environment)
certutil -setreg chain\minRSAPubKeyBitLength 512
