How do I Import a Certificate from GoDaddy for Java Code Signing?
The workaround is to contact GoDaddy and have them reissue your organization's certificate. During the certificate setup process, you must select a SHA-1 codesign certificate instead of SHA-2. The option to select SHA-1 will only be available if your certificate validity does not extend to 2016 (see below), so make sure they understand your end goal is to recreate your SHA-2 certificate as SHA-1, so they know to sell you a cert with the correct validity period.
I traded my SHA-2 cert for a SHA-1 today, and GoDaddy's Java Code Signing instructions worked perfectly.
GoDaddy informed me Keytool may have trouble importing a certificate response chain generated from their SHA-2 (2048 length) codesign certificate. I withhold judgment of Keytool since it imports SHA-2 certs fine when GoDaddy's root SHA1 cert is lopped from the pem file per @mogsie's answer.
GoDaddy goes with SHA-2 automatically when it grants codesign certificates that will extend into 2017 because Microsoft will not accept less than SHA-2 beginning January 1, 2016, so if you're in the market for a SHA-1 certificate, it will have short-term validity.
The issue might go away with a Java Keytool update (I was working with 1.6), or if GoDaddy's Sha256withRSA self-signed certificate becomes widely trusted.
The answer, as mentioned by Waterbear, is to have your GoDaddy cert reissued or rekeyed by GoDaddy using SHA-1. The reason is that GoDaddy has two CA servers: Class 2 CA, which is used for signing SHA-1 certificates, and G2 CA, which is used for signing SHA-2 certificates. While the older Class 2 CA is trusted by the Java Truststore (and thus SHA-1 certificates are trusted), the newer G2 CA is not, so its SHA-2 certificates are not trusted unless you manually install its root certificate (which defeats the purpose of buying a cert in the first place). Hopefully GoDaddy's G2 CA becomes trusted by the Java Truststore soon (before 2016!), but until that happens a GoDaddy SHA-2 cert is no better than a self-signed cert.
Since I enjoyed (not) the process of creating a codesigning certificate so much, I thought I would share the process I went through, and hopefully when you need to generate your own, this will save you some of the heartache and pain.
I used godaddy, but I have to believe whoever the CA is, the steps should be very similar.
These are the steps I went through:
(note that godaddy does not create a codesigning certificate in jks format and there is an extra step involved to convert the keystore to jks)
Create keystore:
keytool -genkey -alias codesigncert -keypass yourpassword -keyalg RSA -keysize 2048 -dname "cn=server1.lccc.edu, OU=College Name, O=College Name, L=Schnecksville, ST=Pennsylvania, C=US" -keystore /home/oracle/codesignstore/codesignstore -storepass yourpassword -validity 720
(storepass and keypass can be the same)
Generate certificate request for godaddy
keytool -certreq -v -alias codesigncert -file /home/oracle/codesignstore/codesignstore.pem -keystore /home/oracle/codesignstore/codesignstore
using an editor open codesignstore.pem and paste it into the godaddy site
when godaddy verifies the account and you pay your money the 'pending' status will go away
go to your godaddy account (https://mya.godaddy.com/)
click on myaccount at the top of the page (in the black header)
click on manage SSL Certificates
select the codesigning certificate listed
click on the Launch button
download the file as a PEM file
save it on your local pc
open firefox, in the advanced section select view certificates, and the certificate should be listed on the managed views.
highlight the certificate and select backup (export) and save it as a pkcs12 file
click on view certificates at the top of the screen; next to certificate viewer is the alias in double quotes. Write this down, it will be the alias to be used on the jarsigner command below
copy the file to the server where the codesigning certificate is going to be used (e.g. server1 /home/oracle/code_sign_cert_from_godaddy/godaddy_pkcs12.p12) * this is the new keystore
since the keystore has to be of the type jks, and godaddy doesn't create a jks file, it has to be converted to jks format
convert pkcs12 to jks
keytool -importkeystore -srckeystore /home/oracle/code_sign_cert_from_godaddy/godaddy_pkcs12.p12 -srcstoretype pkcs12 -destkeystore /home/oracle/code_sign_cert_from_godaddy/godaddy_jks.jks -deststoretype jks
jar file processing:
unsign jacob.jar: I copied the jacob.jar file to a test directory /test_jacob and renamed it jacob1.jar (note 760815.1)
jar xf jacob1.jar
extracts into "com" and "META-INF" folders, remove the "META-INF" folder
remove the old jacob1.jar
recreate the jacob1.jar from the /test_jacob directory
jar -cvf jacob1.jar *
run jarsigner -verify jacob1.jar; it should show unsigned.
create a text file called mymanifest.txt containing:
Permissions: all-permissions
Codebase: *
Application-Name: OracleForms
jar -ufm jacob1.jar mymanifest.txt (this puts the new manifest info into the jar file).
you can open jacob1.jar with unzip jacob1.jar -d <directory where the unzipped files will reside> to verify that the mymanifest.txt file is now part of the jar file.
sign jar file
jarsigner -keystore /home/oracle/code_sign_cert_from_godaddy/godaddy_jks.jks -storepass yourpassword -signedjar /home/oracle/Oracle/Middleware/Oracle_FRHome1/forms/java/test_jacob/Signedjacob1.jar jacob1.jar "lehigh carbon community college's godaddy.com, inc. id"
(this alias came from the firefox process above)
the -signedjar file option was required, without it I was getting errors
note the alias is always the last entry on the jarsigner command and there is no -alias option as there was on the keytool command
verify jar file is signed
jarsigner -verify Signedjacob1.jar will display:
jar verified.
show whats in the jar file
jar -tvf Signedjacob1.jar
the .SF file is inside the .jar file; the .DSA file is replaced by the .RSA file, which is also inside the .jar file
from the output of jar -tvf Signedjacob1.jar:
2721 Mon May 05 15:57:08 EDT 2014 META-INF/LEHIGH_C.SF
4231 Mon May 05 15:57:08 EDT 2014 META-INF/LEHIGH_C.RSA
I copied the Signedjacob1.jar file to the $ORACLE_HOME/forms/java directory and then, using the login to the weblogic enterprise manager, I changed the webutilarchive parameter from Jacob.jar to Signedjacob1.jar for each instance
(em >> forms >> web configuration >> instance name >> all; the first entry should be the archive parameter)
When changing the jacob.jar to the Signedjacob1.jar, I did it for each of my test instances before I did it for production, just in case.
Stop and start wls_forms and you should be good to go.
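As an added example (not part of the answer above), the "unsign and re-manifest" portion of the jar processing done with Python's standard library instead of jar xf / rm META-INF / jar -ufm: it strips the .SF/.RSA/.DSA entries and per-entry digests that jarsigner wrote, merges the Permissions, Codebase and Application-Name attributes into the manifest main section, and lists any signature files left, which is what jarsigner -verify's "unsigned" result reflects. The sample jar (a jacob-like class entry and the LEHIGH_C signature names from the listing above) is constructed inside the block; signing the result still needs jarsigner and the keystore.

```python
import io, zipfile

# Entries jarsigner adds under META-INF/ when it signs a jar.
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")

def signature_entries(jar_bytes):
    """Signature files present in the jar; an empty list means 'unsigned'."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        return [n for n in z.namelist()
                if n.startswith("META-INF/") and n.upper().endswith(SIGNATURE_SUFFIXES)]

def main_attributes(jar_bytes):
    """Parse the main section of MANIFEST.MF (before the first blank line), joining continuation lines."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        manifest = z.read("META-INF/MANIFEST.MF") if "META-INF/MANIFEST.MF" in z.namelist() else b""
    attrs, key = {}, None
    for line in manifest.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0].split(b"\n"):
        if line.startswith(b" ") and key is not None:   # continuation of the previous value
            attrs[key] += line[1:].decode("utf-8")
        elif b":" in line:
            key, value = line.decode("utf-8").split(":", 1)
            attrs[key] = value.strip()
    return attrs

def prepare_for_signing(jar_bytes, extra_attrs):
    """Unsign the jar and merge extra_attrs into the manifest main section (like `jar -ufm`)."""
    src, sigs = zipfile.ZipFile(io.BytesIO(jar_bytes)), set(signature_entries(jar_bytes))
    attrs = {"Manifest-Version": "1.0"}  # the jar tool always writes this attribute first
    attrs.update(main_attributes(jar_bytes))
    attrs.update(extra_attrs)
    # Manifest lines must stay under 72 bytes; the attributes used here are short.
    manifest = "".join(f"{k}: {v}\r\n" for k, v in attrs.items()).encode("utf-8") + b"\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        dst.writestr("META-INF/MANIFEST.MF", manifest)
        for name in src.namelist():
            if name != "META-INF/MANIFEST.MF" and name not in sigs:
                dst.writestr(name, src.read(name))
    return buf.getvalue()

def sample_signed_jar():
    """Constructed stand-in for a signed jacob1.jar: one class entry plus a signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\r\nCreated-By: 1.6.0\r\n\r\n"
                   b"Name: com/jacob/Example.class\r\nSHA1-Digest: (constructed)\r\n\r\n")
        z.writestr("META-INF/LEHIGH_C.SF", b"(constructed signature file)")
        z.writestr("META-INF/LEHIGH_C.RSA", b"(constructed signature block)")
        z.writestr("com/jacob/Example.class", b"\xca\xfe\xba\xbe(constructed class bytes)")
    return buf.getvalue()
```

Calling prepare_for_signing(sample_signed_jar(), {"Permissions": "all-permissions", "Codebase": "*", "Application-Name": "OracleForms"}) yields a jar with no signature entries and the three attributes in its manifest, ready for the jarsigner step.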