I hope you can help me. I'm about to sign jar files with a self-created certificate using OpenSSL. The jar file contains an old Java applet which Java is blocking (as long as it is not signed) in the browser since version 7.51. Once it is signed, I just have to install the certificate (in the system / browser / JRE).
Right now I have a problem signing the certification request (see below "Step 7"): "unable to load certificate". What do I have to change to pass this step? In addition I am not sure about the further steps (which I also added below). Could you please also tell me if these are right?
Thank you in advance for any help.
1.) Create folder structure
cd test
mkdir private certs newcerts conf export csr
echo '01' > serial
touch index.txt
export OPENSSL_CONF=/home/joerg/cacerts/myca/openssl.cnf
2.) Create the Certificate Authority
openssl req -new -x509 -days 3650 -keyform PEM -outform PEM -keyout test/private/cakey.pem -out test/cacert.pem
3.) Copy the CA into a format which can be managed by the Java-keystore:
openssl x509 -outform der -in test/cacert.pem -out test/cacert.crt
4.) Generate Keystore
keytool -genkey -keystore javakeystore.jks -alias test
5.) Check Keystore
keytool -list -keystore javakeystore.jks -storepass "whatever"
Keystore-Typ: JKS
Keystore-Provider: SUN
Keystore enthält 1 Eintrag
test, 13.11.2014, PrivateKeyEntry,
Zertifikat-Fingerprint (SHA1): 38:D0:44:2A:35:C8:60:F1:CD:7F:0E:41:6D:E6:DC:23:7C:49:96:23
6.) Create certification request
keytool -certreq -v -file test/certs/caRequest.csr -alias "test" -keystore javakeystore.jks -storepass "whatever"
7.) Sign the certificate with the CA
openssl ca -days 365 -in test/certs/caRequest.csr -out test/newcerts/caRequest.pem -policy policy_anything
Using configuration from /home/joerg/cacerts/myca/openssl.cnf
Enter pass phrase for /home/joerg/cacerts/myca/test/private/cakey.pem:
unable to load certificate
140116933408416:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
~/cacerts/myca$
My plan is to continue like this:
8.)
openssl x509 -in test/newcerts/caRequest.pem -out test/newcerts/caRequest.pem -outform PEM
9.)
openssl x509 -outform der -in test/newcerts/caRequest.pem -out test/newcerts/caRequest.crt
10.) Concatenate the certificate chain
cat test/newcerts/caRequest.pem test/cacert.pem > test/newcerts/caRequest.chain
11.) Indicate that I trust this CA
keytool -import -trustcacerts -file test/cacert.pem -alias test -keystore javakeystore.jks -storepass "whatever"
12.) Import it into your keystore
keytool -import -file test\newcerts\caRequest.chain -alias test1 -keystore javakeystore.jks -storepass "whatever"
13.) Sign jar file
jarsigner -keystore javakeystore.jks TestApplet.jar test
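
Added example, not part of the original post: in step 7 the pass-phrase prompt shows the CA key was found, and "unable to load certificate ... no start line" is what openssl ca prints when the file it then loads as the CA certificate contains no PEM certificate block. The sketch below resolves that file from the config and classifies it; the function names and the demo layout are constructed, and it assumes no -name or -cert override (as in step 7) and only a leading $dir / ${dir} reference.

```shell
#!/bin/sh
# Added example (not from the original post). All file names in demo() are constructed.

# conf_get FILE SECTION KEY: print KEY's raw value from [SECTION] of an OpenSSL config.
conf_get() {
    awk -v sec="$2" -v key="$3" '
        { sub(/[ \t]*#.*$/, "") }                       # strip comments
        /^[ \t]*\[/ { sub(/^[ \t]*\[[ \t]*/, ""); sub(/[ \t]*\].*$/, ""); cur = $0; next }
        cur == sec && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# ca_cert_path FILE: the "certificate" entry of the section named by [ca] default_ca,
# with a leading $dir or ${dir} expanded. A relative result is relative to the cwd.
ca_cert_path() {
    sec=$(conf_get "$1" ca default_ca)
    dir=$(conf_get "$1" "$sec" dir)
    cert=$(conf_get "$1" "$sec" certificate)
    for ref in '${dir}' '$dir'; do
        case $cert in "$ref"*) cert=$dir${cert#"$ref"} ;; esac
    done
    printf '%s\n' "$cert"
}

# cert_kind FILE: what a PEM certificate reader would find in FILE.
cert_kind() {
    [ -e "$1" ] || { echo missing; return; }
    [ -s "$1" ] || { echo empty; return; }
    if LC_ALL=C grep -Eq '^-----BEGIN (TRUSTED |X509 )?CERTIFICATE-----' "$1"; then
        echo pem-certificate
    elif LC_ALL=C grep -q '^-----BEGIN ' "$1"; then
        echo pem-other              # e.g. a CSR or a private key
    else
        echo no-pem-start-line      # DER or other non-PEM data
    fi
}

# demo: constructed layout where "certificate" points at non-PEM (DER-like) bytes.
demo() {
    d=$(mktemp -d) && mkdir "$d/test" || return 1
    printf '[ ca ]\ndefault_ca = CA_default\n[ CA_default ]\ndir = %s/test # CA dir\ncertificate = $dir/cacert.crt\n' "$d" > "$d/openssl.cnf"
    printf '0\202\003\n' > "$d/test/cacert.crt"     # stand-in for DER output
    p=$(ca_cert_path "$d/openssl.cnf")
    echo "${p#"$d"/} -> $(cert_kind "$p")"
    rm -rf "$d"
}
demo
```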