keytool: keystore creation from cert and jar signing

Hi folks,

I need to sign java jar files.  I was sent a cert.  Unfortunately it is not as simple as I thought.

I created a new keystore with this cert.

keytool -import -alias aliasName -file javaSigningCert -keypass keypassword -storepass storepassword -trustcacerts -keystore my.keystore

Using the new keystore file, my.keystore, to sign a jar file.

jarsigner -keystore my.keystore -keypass keypassword -storepass storepassword test.jar aliasName

I am getting the following message,

jarsigner: Certificate chain not found for: aliasName.  aliasName must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.

What am I doing wrong?  I believe I am missing the certs from the original key pair?

Thanks ahead of time,

Shmoid (Senior Engineer) commented:
You used the switch "-trustcacerts".

Are the Root and Issuing CAs of the cert you obtained listed in the cacerts file located at {java.home}\lib\security?

Another possibility is that the cert you were provided had the certificate chain embedded and the -trustcacerts switch can be left off. You will be prompted to trust the root if it is not already trusted.

By the way, is the cert you received generated from an Internal PKI or is it a 3rd party cert?
jkit001 (Author) commented:
This is more or less a site wide jar signing cert from Verisign.  There are two certs.  I was told that one is a chain.

I read somewhere that I will need to import the VeriSign's Root cert and maybe an intermediate cert.  I am not sure about the order to build this keystore.
1. Create a keystore by generating a key pair
2. import the VeriSign root cert
3. maybe import the VeriSign intermediate cert
4. last import the sitewide cert

Am I on the right track or did I derail here?
Shmoid (Senior Engineer) commented:
Pretty close, but step 1 is not needed because the signing cert (sitewide) contains the key pair. You've already completed step 4. So you only need to do steps 2 & 3.  The order does not matter so you can use the keystore file you've already created. I'm assuming that the file you received that is a chain is a .p7b file. If so you will need to export the individual certs into separate files to import into your keystore.

You should check out Keystore Explorer. It is a free GUI replacement for the Java command-line utilities keytool, jarsigner and jadtool. You can download it from:

With it you can open the keystore you've already created and verify that the signing cert is there. Then you can import the trusted certs from VeriSign. Import the Verisign root first. It will prompt you that it can't verify the root and ask you to verify it.  Once you import them be sure to save the file.
jkit001 (Author) commented:
I probably cannot even use the keystore created in step one because the certificate from Verisign will only work with the same keystore that was initially created for the CSR, which I do not have.

I will give Keystore Explorer a try later today.  I will follow up with my findings.

Also, were you sent the private key, or just the signed public key?  You won't be able to sign JARs unless you have the corresponding private key in the keystore as well as the signed public key and all necessary certs in the chain.
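As an added example (not code from the thread), a small POSIX shell helper that reads the output of `keytool -list` and reports whether an alias is a PrivateKeyEntry (private key plus chain, so jarsigner can use it) or only a trustedCertEntry (a certificate with no private key, which is exactly the state that produces the "Certificate chain not found" error above). The sample listing is constructed to mirror the thread's keystore; alias names are assumptions.

```shell
#!/bin/sh
# Classify an alias from `keytool -list` output read on stdin.
# Prints the entry type; exit 0 = PrivateKeyEntry (can sign),
# 1 = trustedCertEntry (cert only, no private key), 2 = alias not present.
entry_type() {
    # keytool stores and prints aliases in lower case, so "aliasName" shows as "aliasname"
    alias=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    type=$(awk -v a="$alias" '
        index(tolower($0), a ", ") == 1 && /PrivateKeyEntry/  { print "PrivateKeyEntry";  exit }
        index(tolower($0), a ", ") == 1 && /trustedCertEntry/ { print "trustedCertEntry"; exit }')
    case "$type" in
        PrivateKeyEntry)  echo PrivateKeyEntry;  return 0 ;;
        trustedCertEntry) echo trustedCertEntry; return 1 ;;
        *)                echo absent;           return 2 ;;
    esac
}

# Constructed sample of `keytool -list` output: the thread's imported cert
# (trustedCertEntry) next to a hypothetical real signing key (PrivateKeyEntry).
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

aliasname, Jan 5, 2020, trustedCertEntry, 
Certificate fingerprint (SHA-256): AA:BB:CC
codesign, Jan 5, 2020, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): DD:EE:FF'

# Against a real keystore (requires keytool on PATH):
#   keytool -list -keystore my.keystore -storepass storepassword | entry_type aliasName
# If the result is trustedCertEntry, importing more CA certs will not help;
# the matching private key must be imported first (e.g. from a .pfx with
# keytool -importkeystore), after which the chain can be attached to that
# key entry with keytool -importcert -alias <keyalias> -file chain.p7b.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LISTING" | entry_type aliasName || true
    printf '%s\n' "$SAMPLE_LISTING" | entry_type codesign  || true
fi
```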
jkit001 (Author) commented:
Nice tool, Keystore Explorer.  Thanks for the tip.

I was not given the private key, just the java signing cert and a java signing chain cert.   Is there a way to recognize a private key from a public key in the keystore file?  I am assuming that I can examine the cert for the common name.  The ones with Verisign should be the public key and the ones with my company's name are private?

It seems that the key here is to have the original keystore which was created for the CSR.  I cannot just create a new keystore with the Java Signing/Root/Intermediate certs and expect it to work.  The public key needs to pair with the missing private key?  Does this sound reasonable?
Shmoid (Senior Engineer) commented:
Yes that is reasonable. When you say you received the java signing cert what exactly did you receive. What type of file? Was it .cer .crt .pfx ?

You don’t necessarily need the original keystore. Just the private key that is paired with the cert that you received.

Since you are dealing with Java and not just PKI in general it might help to have some additional background info.

A key pair can be generated in several different ways. It can be done with OpenSSL, IIS, keytool.exe, KeyStore Explorer, etc. Each varies slightly.  For example, with OpenSSL you can generate the key pair and get the public and private key in separate files.  With IIS it creates the private key but you don’t have immediate access to it via the file system, you only get the public key to be sent for signing.  With keytool.exe and keystore explorer you must specify a keystore for the public and private key to be stored in. (This is an important distinction.) Keystores, just like .pfx files, are simply containers to hold the key pair. Again, that doesn’t mean the keys must always be in a keystore.

I say all this only to point out that whoever originally created the key pair may or may not have used keytool.exe. They may have the private key in a separate file that can be provided to you so that you can import it into the keystore you’ve already created.
jkit001 (Author) commented:
Good to know.  Unfortunately the two files do not have a file extension.  I know that they are cert files. I can open them with KeyStore Explorer and examine them as certificates.

I found out that the chain file contains the 2 intermediate certs.

So, it looks like I need the original file created during the key pair generation for the CSR.

A hunting I will go.  Thanks all for your great input.  I actually learned a lot.  You folks rock.
Shmoid (Senior Engineer) commented:
If they have it, all you need is the private key.  Depending on what tool they used to generate the key pair they may already have it as a separate file. If not, there should be a keystore file or .pfx file that has both public and private keys. No matter how you obtain it you can always separate them out and add the private key file to the keystore you created.
jkit001 (Author) commented:
I did not find the original keystore.  The IT group gave me a valid keystore file to use instead.  I cannot verify whether the recommendations work or not.  I believe the folks who helped out on this question know what they are talking about.  I know that I was on the right path.  Thanks all.
Question has a verified solution.