Hello Erman,
Hope you are fine there. We are following Doc ID 1591073.1 for JAR signing. The JAR signing import has failed.

keytool -import -file adkeystore.csr -trustcacerts -alias test_ebs12 -keystore adkeystore.dat
Enter keystore password:
Enter key password for
keytool error: java.security.cert.CertificateParsingException: java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 49)

After that, we tried the import with a different method.

$ adjkey -import -file adkeystore.csr –trustcacerts
Reading product information from file...
Reading language and territory information from file...
Reading language information from applUS.txt ...
Enter the APPS username: apps
Enter the APPS password:
Successfully created javaVersionFile.
ERROR: Invalid parameter count for -import option

Kindly assist us to successfully import the JAR signing.

Regards,
Naseem
Administrator
Seems like there is something wrong with that certificate.

What kind of certificate is that? How did you sign this certificate? It must not be an SSL certificate, as you know. It should be a code signing certificate.

Did you follow the document 1591073.1 line by line? So did you do all the stuff like creating the CSR and so on?

Also, check your CSR and check your certificate with your security admin. Ensure that no attribute value in the certificate obtained from a CA contains a problematic character.
Hi,
We followed the exact same note 1591073.1, but I have to clarify a few things. Before the JAR code signing, we upgraded JDK version 6 to JDK 7 and also the JRE plugin version 1.6.7 to the new JRE 8 plugin. But after both upgrades, popup messages appeared in Firefox & IE; as per the note, we have to complete the JAR code signing to prevent those messages. I will show you the high-level steps for JAR signing.

a) adjkey -initialize -keysize 2048 -alias test_ebs12
adjkey is complete.

b) keytool -sigalg SHA256withRSA -certreq -keystore /d01/oracle/TEST/apps/apps_st/appl/admin/adkeystore.dat -file /d01/oracle/TEST/apps/apps_st/appl/admin/adkeystore.crt -test_ebs12
It has generated adkeystore.crt.

c) The third & last step is to import the adkeystore.crt file.
keytool -import -file adkeystore.csr -trustcacerts -alias test_ebs12 -keystore adkeystore.dat
Here it failed.

Note that this is the first time I have implemented the JAR code signing, so I followed these steps from note 1591073.1. Is any extra certificate required, as you mentioned to check with the security admin? Please explain in detail.

Thanks,
Naseem
Administrator
Okay, I understand the need.

1) The CSR creation command you sent in your last update is wrong. There should be an -alias argument.
keytool -sigalg SHA256withRSA -certreq -keystore <JRI_DATA_LOC>/adkeystore.dat -file <JRI_DATA_LOC>/adkeystore.csr -alias <alias_name>

2) adkeystore.crs is better.. -- you said adkeystore.crt

3) Don't you have a root certificate to import?

4) As for other certificates that might be needed; it depends on your own certificate type -> In general, only customers using their own in-house certificate authority will need to import their 'root certificate' into the Java public keystore, cacerts, therefore most users will probably not need to touch this keystore. All users will need to import their 'Java code signing certificate' and, if the certificate chain of trust includes them, any 'intermediate certificates' into the keystore, adkeystore.dat.

5) Note that -> Whenever you upgrade your jdk version on the server, any additional certificates you have added to your cacerts file will be lost. You will need to re-import the root certificate or keep a copy of your original cacerts file which you can copy back in.

6) As I mentioned in my last update, check your CSR and check your code signing certificate with your security admin. Ensure that no attribute value in the certificate obtained from a CA contains a problematic character. Actually, it is better to do a general check of the signing process + the certificate produced by it.
Hi,
Thank you for your reply. As I understand, there are 3 types of certificates that need to be imported, right?

Root certificate ---> Where is the location of the root certificate? Is it a default file that needs to be imported?

I have checked with our security admin; he has no idea about the code signing certificate, so I have to handle it by myself.

After creating keystore.data & keystore.csr, the keystore.csr is to be sent to the CA authority to sign it, and they will send it back to us for JAR signing.

Kindly advise.

Regards,
Naseem
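
Added example, not part of the thread and not taken from Doc ID 1591073.1: `keytool -import` expects an issued X.509 certificate, while the import commands quoted in the thread pass it `adkeystore.csr`, the certificate request. The script below checks the PEM header before importing; the names `pem_kind`, `safe_import`, `make_samples`, the `KEYTOOL` override and the file `codesign.cer` are hypothetical, and the sample files are constructed placeholders.

```shell
#!/bin/sh
# Added example: check what a PEM file is before handing it to "keytool -import".

# Print csr, certificate or unknown, based on the first PEM BEGIN line.
pem_kind() {
    header=$(sed -n '/^-----BEGIN /{p;q;}' "$1" 2>/dev/null) || header=""
    case "$header" in
        *'BEGIN NEW CERTIFICATE REQUEST-----'*) echo csr ;;          # keytool -certreq output
        *'BEGIN CERTIFICATE REQUEST-----'*)     echo csr ;;          # OpenSSL-style request
        *'BEGIN CERTIFICATE-----'*)             echo certificate ;;  # issued X.509 certificate
        *)                                      echo unknown ;;
    esac
}

# Import only when the file is an issued certificate.
# KEYTOOL is a hypothetical override so the call can be dry-run (KEYTOOL=echo).
safe_import() {
    file=$1; alias_name=$2; keystore=$3
    case "$(pem_kind "$file")" in
        certificate)
            "${KEYTOOL:-keytool}" -import -file "$file" -trustcacerts \
                -alias "$alias_name" -keystore "$keystore" ;;
        csr)
            echo "refusing: $file is a certificate request;" \
                 "send it to the CA and import the certificate it returns" >&2
            return 2 ;;
        *)
            echo "refusing: $file has no PEM certificate header (DER file or wrong file?)" >&2
            return 3 ;;
    esac
}

# Write two constructed placeholder files (headers are real, bodies are not).
make_samples() {
    printf '%s\n' '-----BEGIN NEW CERTIFICATE REQUEST-----' 'Q09OU1RSVUNURUQ=' \
        '-----END NEW CERTIFICATE REQUEST-----' > "$1/adkeystore.csr"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$1/codesign.cer"
}
```

The check only reads the PEM header, so a binary (DER) certificate is reported as unknown and refused rather than guessed at.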