Java, JDK 1.4.2_16, Certificate chaining error (keystore, truststore)

mhci_nne asked
Hi experts

I have generated a web service stub client using Eclipse (just downloaded the newest version)

My problem is that I have to use an https connection, hence I need to install a GlobalSign Certificate into my Java Keytool.
I tried to follow the guideline from http://www.globalsign.com/support/code-signing/codesign_sunjava.html
However, I cannot see how I can fulfill it, since the "CN" parameter including my email is not accepted?

Here is what I have done so far:

%java_home%\bin\keytool -genkey -alias codesigncert -keypass changeit -keyalg RSA -keysize 1024 -dname "CN=localhost,O=telmore" -keystore codesignstore -storepass changeit
%java_home%\bin\keytool -certreq -v -alias codesigncert -file codesigncsr.pem -keystore codesignstore
Enter keystore password:  changeit
Enter key password for <codesigncert>changeit

C:\>more codesigncsr.pem

C:\>%java_home%\bin\keytool -printcert -v -file codesigncsr.pem

sun.security.pkcs.ParsingException: X509.ObjectIdentifier() -- data isn't an object ID (tag = 48)
        at sun.security.pkcs.PKCS7.parse(PKCS7.java:118)
        at sun.security.pkcs.PKCS7.<init>(PKCS7.java:68)
        at sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:530)
        at sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:407)
        at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:511)
        at sun.security.tools.KeyTool.doPrintCert(KeyTool.java:1021)
        at sun.security.tools.KeyTool.doCommands(KeyTool.java:539)
        at sun.security.tools.KeyTool.run(KeyTool.java:124)
        at sun.security.tools.KeyTool.main(KeyTool.java:118)
Caused by: java.io.IOException: X509.ObjectIdentifier() -- data isn't an object ID (tag = 48)
        at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:134)
        at sun.security.util.DerInputStream.getOID(DerInputStream.java:250)
        at sun.security.pkcs.ContentInfo.<init>(ContentInfo.java:117)
        at sun.security.pkcs.PKCS7.parse(PKCS7.java:136)
        at sun.security.pkcs.PKCS7.parse(PKCS7.java:115)
        ... 8 more
keytool error: java.lang.Exception: Failed to parse input

When I execute the java program I get the following exception:

nested exception is:
      javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Certificate chaining error

Please help me with getting the VM to accept the certification (so that I can execute the program).



I believe what you are doing wrong is using -certreq to create a certificate signing request:
The result of running keytool with -certreq should be sent to a certificate authority to be signed. I think you don't want that.

I believe that you will need to sign your certificate yourself (self signed) instead of
using -certreq:
keytool -selfcert -alias mine -keystore some_keystore

More here:

If you can give more information on which plugin you were using to create the
web application we might be able to help you more.


keytool -genkey -keystore some_keystore -alias mine 
keytool -selfcert -alias mine -keystore some_keystore
keytool -list -keystore some_keystore



Hi za-k

Thanks for your reply.
When I asked the question I was a little confused about client truststores, but all I needed was to make and import ..... to make it work. Unfortunately I have only made it work on JDK 1.5 and higher, but I need it to work on jdk1.4.2_16, which means that I need to install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 1.4.2, see http://java.sun.com/j2se/1.4.2/download.html

I downloaded the file 1201615856781-integrated.jnlp and made sure the following line is included in the java.security file (which is located at C:\java\j2sdk1.4.2_16\jre\lib\security)


My problem is that I need help with making it work.
Does anyone know what I should do?



Hi Experts,

By the way I have followed the readme file and done the following:

Here are the installation instructions:

1)  Download the unlimited strength JCE policy files.

2)  Uncompress and extract the downloaded file.

    This will create a subdirectory called jce.
    This directory contains the following files:

        README.txt            This file
        COPYRIGHT.html        Copyright information
        local_policy.jar      Unlimited strength local policy file
        US_export_policy.jar  Unlimited strength US export policy file

3)  Install the unlimited strength policy JAR files.

      To utilize the encryption/decryption functionalities of
      the JCE framework without any limitation, first make a copy of
      the original JCE policy files (US_export_policy.jar and
      local_policy.jar in the standard place for JCE
      jurisdiction policy JAR files) in case you later decide
      to revert to these "strong" versions. Then replace the strong
      policy files with the unlimited strength versions extracted in the
      previous step.

    The standard place for JCE jurisdiction policy JAR files is:

        <java-home>\lib\security         [Win32]
        <java-home>/lib/security         [Solaris]

BR. Michael


Sorry to tell you that I still get the following error in Eclipse using JDK1.4.2_16

nested exception is:
      javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Certificate chaining error
thus the new US_export_policy.jar & the local_policy.jar don't seem to make any difference

Please Help

BR. Michael

Hi Experts

I forgot to update this thread. The problem wasn't the installation of the Java Cryptography Extension (JCE). The provider was not sending the certificate chain correctly.
Certificate1... Certificate2... RootCertificate ....Certificate3....

In JDK1.4.2 it has to be like this:
Certificate1... Certificate2... Certificate3....RootCertificate

Problem solved :-)
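
The ordering described in the last post (each certificate followed by its issuer, root last) can be checked mechanically. The following is an added example, not code from the thread: it assumes a current JDK and a PEM file, passed as the first argument, that holds the certificates in the order the server presents them; the class name ChainOrderCheck is hypothetical.

```java
import java.io.FileInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

// Added example: compares subject/issuer names only, signatures are not verified.
public class ChainOrderCheck {
    // Index of the first certificate whose issuer is not the subject of the
    // certificate after it, or -1 if the list is in issuer order.
    static int firstBreak(List<X509Certificate> chain) {
        for (int i = 0; i + 1 < chain.size(); i++) {
            if (!chain.get(i).getIssuerX500Principal()
                    .equals(chain.get(i + 1).getSubjectX500Principal())) return i;
        }
        return -1;
    }

    // Rebuild leaf-to-root order by following issuer links from the first
    // certificate (assumed to be the server's own); the walk ends when the
    // issuer is not among the remaining certificates.
    static List<X509Certificate> reorder(List<X509Certificate> sent) {
        List<X509Certificate> pool = new ArrayList<>(sent);
        List<X509Certificate> ordered = new ArrayList<>();
        X509Certificate current = pool.remove(0);
        while (current != null) {
            ordered.add(current);
            X509Certificate next = null;
            for (X509Certificate c : pool) {
                if (c.getSubjectX500Principal().equals(current.getIssuerX500Principal())) next = c;
            }
            pool.remove(next);
            current = next;
        }
        return ordered;
    }

    public static void main(String[] args) throws Exception {
        List<X509Certificate> sent = new ArrayList<>();
        try (FileInputStream in = new FileInputStream(args[0])) {
            for (Object c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                sent.add((X509Certificate) c);
            }
        }
        if (sent.isEmpty()) throw new IllegalArgumentException("no certificates found");
        int bad = firstBreak(sent);
        System.out.println(bad < 0 ? "issuer order OK" : "order breaks after certificate " + (bad + 1));
        for (X509Certificate c : reorder(sent)) System.out.println("  " + c.getSubjectX500Principal().getName());
    }
}
```

For a chain sent as Certificate1, Certificate2, RootCertificate, Certificate3, the check reports a break after certificate 2 and prints the subjects in the order Certificate1, Certificate2, Certificate3, RootCertificate.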