如何签署Java小程序与.pfx文件？ [英] How to sign java applet with .pfx file?

问题描述

我试图签署与使用本指南 - 我们公司的.pfx证书的罐子小程序存档
（和从互联网上其他几个）：结果
http://www.globalsign.com/support/ordering-guides /SignJava$c$cAppletsPFX.pdf

I was trying to sign a jar applet archive with our company .pfx certificate using this guide
(and few others from the internet):
http://www.globalsign.com/support/ordering-guides/SignJavaCodeAppletsPFX.pdf

一切似乎都很正常，但是当我通过浏览器尝试牛逼运行苹果我看到结果
发布商未知（不可信）。当我去到的细节，我能看到正确的公司介绍
名称和证书供应商（GlobalSign的）。为什么它不能正常显示已知/可信的？

Everything seems to be fine, but when I try t run apple through the browser I see that
'Publisher' is UNKNOWN (untrusted). And when I go to details I'm able to see proper company
name and certificate vendor (GlobalSign). Why it's not properly displayed as known/trusted?

一件事看起来可疑对我来说是命令结果的输出
-verify的jarsigner -verbose -certs Applet.jar：

The one thing which looks suspicious to me is output of command
jarsigner -verify -verbose -certs Applet.jar:

  (...)
  sm      1936 Wed Apr 13 03:00:50 CEST 2011 org/my/Applet.class

  X.509, CN=CompanyName, O=CompanyName, L=Tilst, ST=ProperState, C=DK
  [certificate is valid from 18.02.10 14:58 to 18.02.13 14:58]

  s = signature was verified 
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

所以看起来像'K =至少有一个证书密钥库中发现缺少结果
（应该是SMK，这是SM）。难道只签署了一部分？还是什么？

So looks like 'k = at least one certificate was found in keystore' is missing
(should be smk and it is sm). Is it signed only partially? Or what?

有没有可能是由GlobalSign给我.pfx文件是某种错误的结果
上不够applet的签名？对于正常的可执行文件，它正在就好了... ...

Is it possible that .pfx file given to me by GlobalSign is somehow wrong
on not enough to sign applets? For normal executables it was working just fine...

任何想法？ ;）

修改

@Jcs

看起来，你是完全正确的。我检查了我PFX文件使用keytool和获取：

Looks like you are totally right. I checked my PFX file with keytool and I get:

Your keystore contains 1 entry

Alias name: company_alias
Creation date: Apr 13, 2011
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:

所以看起来链不完整。结果
我不知道，如果它很重要，但也有例如像一些扩展：

So looks like chain is not complete.
I'm not sure if it matters, but there are also few extensions like for example:

#1: ObjectId: (some_numbers_here) Criticality=true
KeyUsage [
  DigitalSignature
]

#2: ObjectId: (some_numbers_here) Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: (some_numbers_here)
   accessLocation: URIName: http://secure.globalsign.net/cacert/ObjectSign.crt]
]
(...)

问题是：是我的PFX文件完全错误的，或者不知何故，我需要GlobalSign根补充呢？

Question is: is my PFX file totally wrong, or somehow I need to add globalsign root to it?

推荐答案

非常感谢所有人，尤其是JCS :)结果
我终于发现，.pfx文件只是进口不当。结果
我问我的老板与所有可能的路径/连锁/包括证书导入我从头开始，现在，它的工作原理:)结果
因此，如果任何人都会有类似的问题，我的建议是试图让/导入证书再次搜索
- 这是相当具有证书本身比签名方法的问题

Thanks a lot for all, especially Jcs :)
I finally discovered that .pfx file was just imported improperly.
I asked my boss to import it for me from scratch with all possible paths/chains/certificates included and now it works :)
So if anyone will have similar problem my advice is to try to get/import certificate again
- it's rather problem with certificate itself than with signing method.

这篇关于如何签署Java小程序与.pfx文件？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！