I need to be able to sign jar files with a certificate from a CA.
I following the instructions from GoDaddy's documentation on how to do this: http://support.godaddy.com/help/article/4780/signing-java-code
However, step 3 requires importing a cert file obtained from GoDaddy's web site. Per the documentation, the command is:
keytool -import -trustcacerts -keystore codesignstore -storepass <yourstorepwd> -alias codesigncert -file mycert.cer
Although I successfully submit the CSR (generated by keytool) and get a response, I can't for the life of me figure out how to get the mycert.cer file. There is an option to download a PEM file. But after running the above command, I get the error "keytool error: java.lang.Exception: Incomplete certificate chain in reply". I've tried this multiple times, and double-checked I'm using the proper keystore. I've even tried re-keying using both SSH-1 one time, and then SSH-2 the other time. According to this person (https://stackoverflow.com/questions/20793254/signing-a-jar-the-signers-certificate-chain-is-not-validated?rq=1), they were able to at least successfully import the PEM file. But I'm not sure if this is even the right approach.
GoDaddy's tech support has been absolutely dreadful. Most of the techs I've talked to aren't familiar with keytool at all, and it took me several tries calling them before they forwarded me to their SSL department (480-505-8852), which is at least marginally better than general support.
If I use Internet Explorer or Firefox, I believe I can automatically generate a CSR instead of creating one through key tool. Then I'd export the certificate through the web browser. From reading various other online documents, I believe I could then use openssl to convert to the proper format for keytool. I'm not sure on the details of how this will work yet, but I don't see any other options.
Has anyone been successful with this or have any pointers on how to proceed? I found a similar question here (Signing a java applet with an spc file from GoDaddy), but the answer simply points me to GoDaddy's poor documentation. I would use a another CA if I could, but I've already paid the money and gone through the long, drawn-out verification process.
The workaround is to contact GoDaddy and have them reissue your organization's certificate. During the certificate setup process, you must select a SHA-1 codesign certificate instead of SHA-2. The option to select SHA-1 will only be available if you certificate validity does not extend to 2016 (see below), so make sure they understand your end goal is to recreate your SHA-2 certificate as SHA-1, so they know to sell you a cert with the correct validity period.
I traded my SHA-2 cert for a SHA-1 today, and GoDaddy's Java Code Signing instructions worked perfectly.
GoDaddy informed me Keytool may have trouble importing a certificate response chain generated from their SHA-2 (2048 length) codesign certificate. I withhold judgment of Keytool since it imports SHA-2 certs fine when the GoDaddy's root SHA1 cert is lopped from the pem file per @mogsie's answer.
GoDaddy goes with SHA-2 automatically when it grants codesign certificates that will extend into 2017 because Microsoft will not accept less than SHA-2 beginning January 1, 2016, so if you're in the market for a SHA-1 certificate, it will have short-term validity.
The issue might go away with a Java Keytool update (I was working with 1.6), or if GoDaddy's Sha256withRSA self-signed certificate becomes widely trusted.