How do I Import a Certificate from GoDaddy for Java Code Signing?


Problem description

I need to be able to sign jar files with a certificate from a CA.

I followed the instructions from GoDaddy's documentation on how to do this: http://support.godaddy.com/help/article/4780/signing-java-code

However, step 3 requires importing a cert file obtained from GoDaddy's web site. Per the documentation, the command is:

keytool -import -trustcacerts -keystore codesignstore -storepass <yourstorepwd> -alias codesigncert -file mycert.cer

Although I successfully submit the CSR (generated by keytool) and get a response, I can't for the life of me figure out how to get the mycert.cer file. There is an option to download a PEM file. But after running the above command, I get the error "keytool error: java.lang.Exception: Incomplete certificate chain in reply". I've tried this multiple times, and double-checked I'm using the proper keystore. I've even tried re-keying using both SSH-1 one time, and then SSH-2 the other time. According to this person (Signing a Jar - The signer's certificate chain is not validated), they were able to at least successfully import the PEM file. But I'm not sure if this is even the right approach.

GoDaddy's tech support has been absolutely dreadful. Most of the techs I've talked to aren't familiar with keytool at all, and it took me several tries calling them before they forwarded me to their SSL department (480-505-8852), which is at least marginally better than general support.

If I use Internet Explorer or Firefox, I believe I can automatically generate a CSR instead of creating one through key tool. Then I'd export the certificate through the web browser. From reading various other online documents, I believe I could then use openssl to convert to the proper format for keytool. I'm not sure on the details of how this will work yet, but I don't see any other options.

Has anyone been successful with this or have any pointers on how to proceed? I found a similar question here (Signing a java applet with an spc file from GoDaddy), but the answer simply points me to GoDaddy's poor documentation. I would use another CA if I could, but I've already paid the money and gone through the long, drawn-out verification process.

Recommended answer

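The solution is to contact GoDaddy and have them reissue your organization's certificate. During the certificate setup process, you must choose a SHA-1 code signing certificate instead of SHA-2. The option to choose SHA-1 is only available if the certificate's validity does not extend into 2016 (see below), so make sure they understand that your end goal is to have the SHA-2 certificate recreated as SHA-1,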

I traded my SHA-2 cert for a SHA-1 today, and GoDaddy's Java Code Signing instructions worked perfectly.

GoDaddy informed me Keytool may have trouble importing a certificate response chain generated from their SHA-2 (2048 length) codesign certificate. I withhold judgment of Keytool since it imports SHA-2 certs fine when GoDaddy's root SHA1 cert is lopped from the pem file per @mogsie's answer.

GoDaddy goes with SHA-2 automatically when it grants codesign certificates that will extend into 2017 because Microsoft will not accept less than SHA-2 beginning January 1, 2016, so if you're in the market for a SHA-1 certificate, it will have short-term validity.

The issue might go away with a Java Keytool update (I was working with 1.6), or if GoDaddy's Sha256withRSA self-signed certificate becomes widely trusted.
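
The answer notes that the reply imports once GoDaddy's root SHA1 cert is removed from the PEM file, so it helps to see which certificates in a reply actually sit on the signing certificate's path before running the import. The following is an added example, not code from the original post or from GoDaddy's documentation: a standard-library Python pre-check that chains a PEM reply by issuer and subject name only (no signature verification, so it does not replace keytool's own validation). The `Example ...` names and skeleton certificates are constructed sample data.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):
    """Return (subject, issuer) of one certificate as raw DER Name bytes."""
    pos = tlv(der, tlv(der, 0)[1])[1]       # step into Certificate, then TBSCertificate
    fields = []
    while len(fields) < 5:                  # serial, sigAlg, issuer, validity, subject
        tag, _, end = tlv(der, pos)
        if tag != 0xA0:                     # skip the optional [0] version
            fields.append(der[pos:end])
        pos = end
    return fields[4], fields[2]

def check_reply(pem_text):
    """Walk the reply leaf-first by issuer/subject name; report where the walk stops."""
    certs = [names(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]
    issuer_of = dict(certs)                 # subject -> issuer
    parents = {iss for subj, iss in certs if iss != subj}
    # End-entity cert: not self-signed and not the issuer of any other cert in the reply.
    cur = next((s for s, i in certs if s != i and s not in parents), certs[0][0])
    chain = []
    while cur in issuer_of and cur not in chain:
        chain.append(cur)
        cur = issuer_of[cur]
    return {"chain_len": len(chain), "off_path": len(certs) - len(chain), "top_self_signed": cur in chain}

def der_elem(tag, *parts):                  # constructed-sample helper, short-form lengths only
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def fake_pem(subject, issuer):              # skeleton cert: names only, no key or signature
    name = lambda cn: der_elem(0x30, der_elem(0x0C, cn.encode()))
    tbs = der_elem(0x30, der_elem(0xA0, b"\x02\x01\x02"), b"\x02\x01\x01", der_elem(0x30),
                   name(issuer), der_elem(0x30), name(subject))
    b64 = base64.b64encode(der_elem(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed sample reply: leaf, intermediate, and a root the intermediate does not chain to.
SAMPLE = (fake_pem("Example Org", "Example CA") + fake_pem("Example CA", "Example Root A")
          + fake_pem("Example Root B", "Example Root B"))
```

For the constructed sample, `check_reply(SAMPLE)` reports a two-certificate path, one off-path certificate, and a top certificate that is not self-signed; on a real reply, pass the text of the downloaded PEM file instead.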
