Applocker and expired code signing certificates

Similar Messages

• Managing Windows Phone's and Symantec Code Signing certificate

  Hi,
  We need to renew the code signing certificate from Symantec. However, we only use it to manage the Windows Phone devices and don't publish apps. Do we still need to spend $300 on renewing this cert? Can't I manage them for free like our iOS and Android devices?

  You REQUIRE the Symantec Code Signing Certificate to manage Windows Phones via Windows Intune. This is a requirement of the device rather than the management solution.
  You CAN manage Windows Phones without this cert using only Exchange active sync management in Intune. However this management is very basic and has no advanced features (basically the features provided by Exchange rather than Intune).
  Gerry Hampson | Blog:
  www.gerryhampsoncm.blogspot.ie | LinkedIn:
  Gerry Hampson | Twitter:
  @gerryhampson

• Renew code signing certificate mountain lion server

  Hello to all
  Can you please let me know if there is a way to renew the self code signing certificate for server WITHOUT re enroll all devices?
  We have 500 iPads enrolled and the code signing certificate expires in 2 weeks...
  So it's really critical not to re enroll all devices .
  Is there any way to do this?
  Thank you for you help.

  When I put this in I am just getting the following response
  Usage: certadmin
      --get-private-key-passphrase [path]    
        Retrieve the passphrase for the private key at [path] from the keychain
      --default-certificate-path
        Retrieve the full path for the default certificate
      --default-certificate-authority-chain-path
        Retrieve the full path for the default certificate authority chain
      --default-private-key-path
        Retrieve the full path for the default private key
      --default-concatenation-path
        Retrieve the full path for the default certificate + private key concatenation
      --create-default-self-signed-identity
        Creates a default self signed identity (certificate + private key) using the hostname
      --recreate-self-signed-certificate subject serial_number
        Recreate an existing self signed certificate
      --recreate-CA-signed-certificate subject issuer serial_number
        Recreate an existing certificate signed by an OpenDirectory CA
  where you have "192173c1c is this meant to be the serial number?

• Code Signing certificate expired

  Hello,
  I please need an information about SGDEE 4.1 login applet: it seems
  applet code signing certificate was expired on September 2, 2005.
  I have no problem (after I deleted all expired root certificates from
  local client repository) with Internet Explorer 6SP1, but Mozilla Firefox
  always prompt me a warning with this contents:
  Serial:     
  [62374265099632433790334794162326322759]
  Issuer:
  N=VeriSign Class 3 Code Signing 2001 CA,
  OU=Terms of use at https://www.verisign.com/rpa (c)01,
  OU=VeriSign Trust Network,
  O="VeriSign, Inc."
  Valid From: Wed Sep 01 02:00:00 CEST 2004,
  To: Fri Sep 02 01:59:59 CEST 2005
  Subject:
  CN="Tarantella, Inc.",
  OU=Digital ID Class 3 - Netscape Object Signing,
  O="Tarantella, Inc.",
  L=Santa Cruz,
  ST=California,
  C=US
  Thank you very much in advance,
  Best Regards,
  Valerio Morozzo

  I know this is an older post, but it helped me find out how to make the migration procedure for native installer. I tried it with self signed certificate created by ADT tool and everything went fine.
  But now, we obtained a commercial AIR signing certificate from Thawte and the process failes in step 3) ADT saying
  'Certificate in PATH_TO_P12 could not be used to sign setup.msi' on Windows.
  On mac, it says that signing native installer on OSX is not supported, so I skipped the signing option in step 3) and it worked fine.
  I can skip the signing option on Windows as well and the process succeeds, but running the installer on machines with previous versions of application results in "Installer mis-configured' error message - the same error as if the migration process was not applied.
  I already contacted Thawte if it is a certificate issue, reply from them was 'AIR certificate can only sign .air applications'. But when I build a native application directly from FlashBuilder and sign it with the Thawte certificate the whole process seem to succeed. The application can be installed on machines without previous version of the application. Those who already have the older version get the 'Installer mis-configured' error message.
  I want to mark out again, that the same process but with a self signed certificate created with ADT, is successfull and the application can be installer as an update on machines with older version of the app. So I assume the workflow is correct.
  Any ideas? Or somebody having the same issue?
  Thanks

• Adobe AIR 3 Performance Issues and Code Signing Certificate Problem

  I recently updated to Adobe AIR 3.0 SDK (and runtime) doing HTML/Javascript development using Dreamweaver CS5.5 in a Windows 7 Home Premium (64 bit).
  The AIR app I'm developing runs well from within Dreamweaver. But when I create/package the AIR app and install it on my machine:
  1. The app literally CRAWLS running it in my Windows 7 12G RAM machine (especially when I use the mouse to mouse over a 19-by-21 set of hyperlinks on a grid) --- IT IS THAT SLOOOOWWWW...
  2. The app runs fine in my Mac OS X 10.6.8 with 4G RAM, also using the Adobe AIR 3 runtime.
  About the Code Signing Certificate problem:
  When I try to package the AIR app with ADT using AIR's temporary certificate feature, I get the error message "Could not generate timestamp: handshake alert: unrecognized_name".
  I found some discussions on this problem in an Adobe AIR Google Groups forum, but no one has yet offered any resolution to the issue. Someone said Adobe is using the Geotrust timestamping service --- located at https://timestamp.geotrust.com/tsa --- but going to this page produces a "404 --- Page not found" error.
  The Google Groups Adobe AIR page is here:
  http://groups.google.com/group/air-tight/browse_thread/thread/17cd38d71a385587
  Any ideas about these issues?
  Thanks!
  Oscar

  I recently updated to Adobe AIR 3.0 SDK (and runtime) doing HTML/Javascript development using Dreamweaver CS5.5 in a Windows 7 Home Premium (64 bit).
  The AIR app I'm developing runs well from within Dreamweaver. But when I create/package the AIR app and install it on my machine:
  1. The app literally CRAWLS running it in my Windows 7 12G RAM machine (especially when I use the mouse to mouse over a 19-by-21 set of hyperlinks on a grid) --- IT IS THAT SLOOOOWWWW...
  2. The app runs fine in my Mac OS X 10.6.8 with 4G RAM, also using the Adobe AIR 3 runtime.
  About the Code Signing Certificate problem:
  When I try to package the AIR app with ADT using AIR's temporary certificate feature, I get the error message "Could not generate timestamp: handshake alert: unrecognized_name".
  I found some discussions on this problem in an Adobe AIR Google Groups forum, but no one has yet offered any resolution to the issue. Someone said Adobe is using the Geotrust timestamping service --- located at https://timestamp.geotrust.com/tsa --- but going to this page produces a "404 --- Page not found" error.
  The Google Groups Adobe AIR page is here:
  http://groups.google.com/group/air-tight/browse_thread/thread/17cd38d71a385587
  Any ideas about these issues?
  Thanks!
  Oscar

• Differences between SSL and Code-Signing Certificates

  Hello,
  I unsuccessfully tried to use a SSL - certificate for signing an applet (converting from X.509 to PKCS12 prior to signing) and learned, that SSL certificates and code-signing certificates are different things (after seeking the web for ours). Can somebody point out some source of information about this topic ? What are these differences ? Can I convert my SSL certificate into a code-signing certificate ?
  Things got even more confusing for me, since my first attempt with an wrongly converted SSL cetificate (I used my public and private key for conversion only, omitting the complete chain) at least worked partly: the certificate was accepted, but marked as coming from some untrustworthy organisation. After making a correct conversion (with the complete chain) the java plugin rejected the certificate completely ...
  Ulf

  yep, looks like it.
  keytool can be used with v3 x509 stores:
  Using keytool, it is possible to display, import, and export X.509 v1, v2, and v3 certificates stored as files, and to generate new self-signed v1 certificates. For examples, see the "EXAMPLES" section of the keytool documentation ( for Solaris ) ( for Windows ).
  jarsigner needs a keystore so I would assume public and private key pair.
  you could list the keys from your store:
  C:\temp>keytool -list -keystore serverkeys.key
  Enter keystore password: storepass
  Keystore type: jks
  Keystore provider: SUN
  Your keystore contains 2 entries
  client, Jul 5, 2005, trustedCertEntry,
  Certificate fingerprint (MD5): 13:50:77:64:94:36:2E:18:00:4B:90:65:D0:26:22:C8
  server, Jul 5, 2005, keyEntry,
  Certificate fingerprint (MD5): 20:90:49:6F:46:BA:AB:11:75:39:9F:6F:29:1F:AB:58
  The server is the private key, this can be used with jarsigner (alias option).
  C:\temp>jarsigner -keystore serverkeys.key -storepass storepass -keypass keypass
  -signedjar sTest.jar test.jar client
  jarsigner: Certificate chain not found for: client. client must reference a val
  id KeyStore key entry containing a private key and corresponding public key cert
  ificate chain.
  C:\temp>jarsigner -keystore serverkeys.key -storepass storepass -keypass keypass
  -signedjar sTest.jar test.jar server

• Adobe code signing certificate revocation and SCCM

  We have many install packages for different Adobe products in SCCM 2007 but nothing that would have been obtained or downloaded from Adobe since July 10, 2012.  Does that mean we don’t have to do anything?  Is that a correct interpretation of your statements about the Adobe code signing certificate revocation issue?

  Yes.  That's correct.

• Adobe Pro 11.0.10 patch has expired code signing cert

  I can not patch my Adobe 11.0.0 installation to 11.0.10 using the automated process.
  I manually downloaded 11.0.10 from this location: http://ardownload.adobe.com/pub/adobe/acrobat/win/11.x/11.0.10/misc/AcrobatUpd11010.msp
  The MD5 of this MSP per my own check is 4cb5979f49bc5112731da0cce036ac66, while the SHA1 is 8b4130df183f69ab77f9f6748f2e535be5d3336e.
  This download is signed with a code signing certificate issued by Symantec Class 3 Extended Validation Code Signing CA.  The signature has a thumbprint of 111aa9b0c6da43594bb2ad3052567c12ef8d9607.  This certificate expires later this year.
  During the install I receive an error because it extracts a file to c:\config.msi which is code signed with a code signing certificate issued by Verisign Class 3 Code Signing 2010 CA.  The certificate has a thumbprint of 70d566df844f3e2d9ac31e518256e7b6f2de9272.  The certificate expired 9/20/2013.  Today is 5/4/2015.  The install fails on this file.
  The certificate thumbprint for the Verisign Class 3 Code Signing 2010 CA intermediate authority is 495847a93187cfb8c71f840cb7b41497ad95c64f.   This itself is signed by VeriSign Class 3 Public Primary Certification Authority - G5 having a thumbprint of 4eb6d578499b1ccf5f581ead56be3d9b6744a5e5.
  The failing file with the invalid code signing certificate has an MD5 checksum of bddf785233f9d2b3ae43d72822fb74bc and SHA1 of 78e7e15c8baea3c6befc7336d153254777912bd4.  This appears to be amtlib.dll which is part of Adobe AMT Licensing.   These hashes are available on services such as Virus Total and Herd Protect.
  Would it be possible for Adobe to release a 11.0.11 patch that has this issue fixed?  
  Thank you,
  Edwin Davidson.

  Back up all data.
  Launch the Font Book application and validate all fonts. You must select the fonts in order to validate them. See the built-in help and this support article for instructions. If Font Book finds any issues, resolve them.
  From the application's menu bar, select
  File ▹ Restore Standard Fonts...
  You'll be prompted to confirm, and then to enter your administrator login password.
  Start up in safe mode to rebuild the font caches. Restart as usual and test.
  Note: If FileVault is enabled, or if a firmware password is set, or if the startup volume is a Fusion Drive or a software RAID, you can’t start in safe mode. In that case, ask for instructions.
  Also note that if you deactivate or remove any built-in fonts, for instance by using a third-party font manager, the system may become unstable.

• Java security error after 8u31 (Timestamped Jarsigned Applet within valid period of Code Signing certificate)

  Hello,
    I have an applet running in embeddad systems. This program runs without any problem since 8u31 update! After this update it starts to give java security warning and stops running.
  Here is the warning message:
    "Your security settings have blocked an application signed with an expired or not-yet-valid certificate from running"
  What it says is true; my Code Signing Certificate (CSC) is valid between 24 Jan 2014 and 25 Jan 2015. And it expired! However, while i was signing my applet with this certificate i used "timestamp". The authority i choosed was DigiCert. My signing date was 26 Jan 2014 (when my CSC was valid).
  When i started to have this Java Security Error, first i thought i mis-timestamped my code, and check by using the jarsigner -verify command. Here is a partial result:
  s      19607 Mon Jan 27 13:17:34 EET 2014 META-INF/MANIFEST.MF
        [entry was signed on 27.01.2014 13:19]
        X.509, CN=TELESIS TELECOMMUNICATION SYSTEMS, OU=ARGE, O=TELESIS TELECOMMUNICATION SYSTEMS, STREET=TURGUT OZAL BLV.NO:68, L=ANKARA, ST=ANKARA, OID.2.5.4.17=06060, C=TR
        [certificate is valid from 24.01.2014 02:00 to 25.01.2015 01:59]
        X.509, CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
        [certificate is valid from 24.08.2011 03:00 to 30.05.2020 13:48]
        X.509, CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
        [certificate is valid from 07.06.2005 11:09 to 30.05.2020 13:48]
        X.509, CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
        [certificate is valid from 30.05.2000 13:48 to 30.05.2020 13:48]
  sm       495 Thu Jan 23 14:55:22 EET 2014 telesis/WebPhone$1.class
  As you may see the timestamp was correctly done. And it is in the valid period of CSC.
  Than i started to check how Java confirms the Certificate, and found some flowcharts.
  Here is an example from DigiCert:
  Code Signature Verification Process
  After the Web browser downloads the Applet or Web Start application, it checks for a timestamp, authenticates the publisher and Certificate Authority (CA), and checks to see if the code has been altered/corrupted.
  The timestamp is used to identify the validation period for the code signature. If a timestamp is discovered, then the code signature is valid until the end of time, as long as the code remains unchanged. If a timestamp is not discovered, then the code signature is valid as long as the code remains unchanged but only until the Code Signing Certificate expires. The signature is used to authenticate the publisher and the CA, and as long as the publisher (author or developer) has not been blacklisted, the code signature is valid. Finally, the code is checked to make sure that it has not been changed or corrupted.
  If the timestamp (or Code Signature Certificate expiration date) is verified, the signature is validated, and the code is unchanged, then the Web browser admits the Applet or Web Start application. If any of these items do not check out, then the Web browser acts accordingly, with actions dependent on its level of security.
  So according to this scheme, my applet had to work properly, and without security warning.
  However i also found that from Oracle, which also includes the timestamping authorities Certification validity period??? :
  The optional timestamping provides a notary-like capability of identifying
  when the signature was applied.
      If a certificate passes its natural expiration date without revocation,
  trust is extended for the length of the timestamp.
      Timestamps are not considered for certificates that have been revoked,
  as the actual date of compromise could have been before the timestamp
  occurred.
  source:  https://blogs.oracle.com/java-platform-group/entry/signing_code_for_the_long
  So, could anyone please explain why Java gives security error when someone tries to reach that applet?
  Here is a link of applet: http://85.105.68.11/home.asp?dd_056
  I know the situation seems a bit complicated, but i tried to explain as simple as i can.
  waiting for your help,
  regards,
  Anıl

  Hello,
    I have an applet running in embeddad systems. This program runs without any problem since 8u31 update! After this update it starts to give java security warning and stops running.
  Here is the warning message:
    "Your security settings have blocked an application signed with an expired or not-yet-valid certificate from running"
  What it says is true; my Code Signing Certificate (CSC) is valid between 24 Jan 2014 and 25 Jan 2015. And it expired! However, while i was signing my applet with this certificate i used "timestamp". The authority i choosed was DigiCert. My signing date was 26 Jan 2014 (when my CSC was valid).
  When i started to have this Java Security Error, first i thought i mis-timestamped my code, and check by using the jarsigner -verify command. Here is a partial result:
  s      19607 Mon Jan 27 13:17:34 EET 2014 META-INF/MANIFEST.MF
        [entry was signed on 27.01.2014 13:19]
        X.509, CN=TELESIS TELECOMMUNICATION SYSTEMS, OU=ARGE, O=TELESIS TELECOMMUNICATION SYSTEMS, STREET=TURGUT OZAL BLV.NO:68, L=ANKARA, ST=ANKARA, OID.2.5.4.17=06060, C=TR
        [certificate is valid from 24.01.2014 02:00 to 25.01.2015 01:59]
        X.509, CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
        [certificate is valid from 24.08.2011 03:00 to 30.05.2020 13:48]
        X.509, CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
        [certificate is valid from 07.06.2005 11:09 to 30.05.2020 13:48]
        X.509, CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
        [certificate is valid from 30.05.2000 13:48 to 30.05.2020 13:48]
  sm       495 Thu Jan 23 14:55:22 EET 2014 telesis/WebPhone$1.class
  As you may see the timestamp was correctly done. And it is in the valid period of CSC.
  Than i started to check how Java confirms the Certificate, and found some flowcharts.
  Here is an example from DigiCert:
  Code Signature Verification Process
  After the Web browser downloads the Applet or Web Start application, it checks for a timestamp, authenticates the publisher and Certificate Authority (CA), and checks to see if the code has been altered/corrupted.
  The timestamp is used to identify the validation period for the code signature. If a timestamp is discovered, then the code signature is valid until the end of time, as long as the code remains unchanged. If a timestamp is not discovered, then the code signature is valid as long as the code remains unchanged but only until the Code Signing Certificate expires. The signature is used to authenticate the publisher and the CA, and as long as the publisher (author or developer) has not been blacklisted, the code signature is valid. Finally, the code is checked to make sure that it has not been changed or corrupted.
  If the timestamp (or Code Signature Certificate expiration date) is verified, the signature is validated, and the code is unchanged, then the Web browser admits the Applet or Web Start application. If any of these items do not check out, then the Web browser acts accordingly, with actions dependent on its level of security.
  So according to this scheme, my applet had to work properly, and without security warning.
  However i also found that from Oracle, which also includes the timestamping authorities Certification validity period??? :
  The optional timestamping provides a notary-like capability of identifying
  when the signature was applied.
      If a certificate passes its natural expiration date without revocation,
  trust is extended for the length of the timestamp.
      Timestamps are not considered for certificates that have been revoked,
  as the actual date of compromise could have been before the timestamp
  occurred.
  source:  https://blogs.oracle.com/java-platform-group/entry/signing_code_for_the_long
  So, could anyone please explain why Java gives security error when someone tries to reach that applet?
  Here is a link of applet: http://85.105.68.11/home.asp?dd_056
  I know the situation seems a bit complicated, but i tried to explain as simple as i can.
  waiting for your help,
  regards,
  Anıl

• Renew my code sign certificate?

  I run a Mavericks server that serves profile manager, file, and time machine services. My code sign cert expires in a couple weeks. When you go into Server.app > Certificates and double click on it, there isn't a "Renew" button like there is for other certs I've renewed.
  How would I renew this? And what impact would it have on my running services (ie. would I have to re-enroll everyone in profile manager)? Thank you.

  Does OS X Server: Renewing Profile Manager's code signing certificate - Apple Support help?

• Code-signing Certificate Provider for Mavericks Server?

  Our Digicert Code Signing Certificate [which worked fine in Mountain Lion Server but doesn't work in Mavericks Server no matter what I try] is about to expire, and I'm wondering if anyone could recommend a vendor whose code-signing certificates definitely work with Mavericks Server?

  I have just created a self-signed code-signing certificate, I used XCA to generate it which is a front-end for openssl. Obviously being generated from a self-signed rootCA it is not going to be trusted by the outside world but it is good enough for an internal Profile Manager setup since the enrollment process will automatically trust your own self-signed rootCA.
  Anyway, when trying to install it I did come across a gotcha which might help you and others here. I found that if I imported the certificate in to Keychain Access e.g. by double-clicking on it, then Server.app did not list it as an available certificate for Profile Manager code-signing. However if instead I used the option in Server.app under Profile Manager to import the code-signing certificate it was accepted.
  In theory importing via Keychain Access should work as well but it did not, so if you have been doing it that way try importing via Server.app instead.
  If you have already imported it via Keychain Access just delete it from your Keychain and try again.
  With regards to the suggestion from ajm_from_WA for buying one from www.ssls.com I could not find any code-signing certificates listed on their website. These are different to ordinary website certificates.

• Code Signing Certificate Renewal for Profile Manager

  Currently we have around 800 ipods/iphones around the globe that were all enrolled into our Profile Manager in the past year.  In one month our Code Signing Certificate will expire on ALL of those devices.  I have updated the certificate on our Profile Manager server and installed that into the Profile Manager.
  How do I update all of the devices in the field with the new certificate?  It is not possible for every one of those devices to be re-enrolled.  These are systems that we give to our customers to use for a specific purpose and they have no clue how to do anything with the MDM or the profile manager.  Apple - this wasn't well thought out...

  After loading the new certificates into the OS X Server box, the client devices will have to use the Profile Manager User Portal to load the updates.
  Here is the Apple documentation on updating the Profile Manager certificate (HT5358), though you may well have found that document already. 
  Unfortunately, the users have to navigate to the portal for that, or you'll have to manage a short-notice device swap.  (If it were even possible here, I'm not sure I'd want folks loading new certs via email, either...)
  If the existing Profile Manager solution doesn't meet your particular needs, then there are alternative MDM solutions around from other vendors, and that are also compatible with the OS X Server and iOS provisioning mechanisms.
  {FWIW, this is a user forum and the folks from Apple may or may not see your report.  If you have acccess to it, the Apple bugreport tool is a common way to log an enhancement request that the folks from Apple will see.}

• Profile Manager Code Signing Certificate from GoDaddy .spc

  Convert the .spc to .cer for Profile Manager compatability.
  Thought I'd share how to convert a code signing certificate acquired from go daddy as it downloads as a .spc file that Profile manager will not accept.
  When you download your code signing certificate from go daddy it will be a .spc file as stated above, and profile manager needs a .cer file.
  Take your .zip file over to a Windows 7 or better PC and double-click the .zip file.
  Then double-click the enclosed certificate.
  This will open the windows certmgr.
  Expand the certificate and locate your certificate (Should be the one with your company name )
  Right-Click the desired certificate, select all tasks, then Export
  Export the certificate as a DER .cer file.
  Now copy the exported .cer certificate to your Server App/Certificates and import it into the Pending Certificate.
  Once that's done also add the .cer certificate to your keychain.
  Remember to replace the expiring certificate if applicable
  LJS

  After loading the new certificates into the OS X Server box, the client devices will have to use the Profile Manager User Portal to load the updates.
  Here is the Apple documentation on updating the Profile Manager certificate (HT5358), though you may well have found that document already. 
  Unfortunately, the users have to navigate to the portal for that, or you'll have to manage a short-notice device swap.  (If it were even possible here, I'm not sure I'd want folks loading new certs via email, either...)
  If the existing Profile Manager solution doesn't meet your particular needs, then there are alternative MDM solutions around from other vendors, and that are also compatible with the OS X Server and iOS provisioning mechanisms.
  {FWIW, this is a user forum and the folks from Apple may or may not see your report.  If you have acccess to it, the Apple bugreport tool is a common way to log an enhancement request that the folks from Apple will see.}

• How to use Java code signing certificate in oracle 11i

  Hello,
  I am try to configure java code signing certificate in 11.5.10.2 application. we got java sign certificate from verisgin. SA's imported the certificate and created alias XXX_XXX with password and passphrase.
  I am able to see the my certificate. keytool -list -v -keystore xxx_xxxx.jks -storepass Password.
  how do I use it. I am using Enhance Jar Signing for EBS DOC ID 1591073.1.
  could you please give me some advice on it?
  Thanks
  Prince

  Hussien,
  I find out apps keystore keypassword and storepassword, I imported the java code sign certificate. I generated Jar files through adadmin, but I am getting  warning error
  adogif() unable to generate Jar Filers under JAVA_TOP.
  executing /usr/jdk/jdk1.6.0_45/bin/java sun.security.tools.JarSigner keysotre **** -sigfile CUST Signer /apps/......
  Error JarSigner subcommand Exited With status 1.
  No standard output from jarsigner JarSigner error output: Exception in thread "main" java.lang.NoClassDefFoundError: sun/security/tools/JarSigner Caused by: java.lang.ClassNotFoundException: sun.security.tools.JarSigner         at java.net.URLClassLoader$1.run(URLClassLoader.java:202)         at java.security.AccessController.doPrivileged(Native Method)         at java.net.URLClassLoader.findClass(URLClassLoader.java:190)         at java.lang.ClassLoader.loadClass(ClassLoader.java:306)         at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)         at java.lang.ClassLoader.loadClass(ClassLoader.java:247) Could not find the main class: sun.security.tools.JarSigner.  Program will exit. WARNING: The following path(s), defined in /apps2/property/product/tst/appl/cz/11.5.0/java/make/czjar.dep as elements of the output:   oracle/apps/cz/runtime/tag WARNING: Copying cztag.lst from the old fndlist.jar ...   About to Analyze flmkbn.jar : Fri Nov 22 2013 10:45:51
  Please let me know if you have any idea. Thanks Prince

• Third party CA and SCUP code signing

  All of the documentation I have seen out there regarding using a code signing certificate with SCUP assumes you are using AD CS. My institution uses a 3rd party CA and I requested a code signing certificate from them (the file had no file name extension,
  FWIW). I imported it into the local computer certificate store (on SCUP server/CAS) and see four entries:
  The blocked out item is our company name.
  Here is what I have done:
  I have exported the one with our company name as as the .cer file for clients, and placed it in the Trusted Publishers and Trusted Root Certificate Authorities stores on the SCUP server/CAS.
  I have exported various combinations of the 4 to generate the *.pfx file and imported it into SCUP but it always gives me an error when I try to publish an update. I initially exported all 4 certificates to get my .pfx, then tried just the ones with the
  purpose of "code signing." In both cases I get an error stating "Signature verification exception during publish, verify the WSUS certificates and advanced timestamp setting are properly configured."
  I am not getting an option to export the private key no matter what combo I choose. This is the biggest red flag I am seeing.
  Does anyone have any experience in this scenario? I am at a loss at this point. The server is 2008 R2 and I know I could use a self-signed one but I thought I would do it the "right" way since it is no longer supported.

  It turns out that after the code signing certificate was downloaded, the private key was somehow lost or damaged or not associated with it in the first place. That is why I was not seeing the option to export the key. We needed to use certutil to repair
  the key association.
  I suspect this is because the request was made from a web form and handled by the 3rd party CA as opposed to being done with certreq. Am I off base?
  Anyway, running this command on the code signed certificate allowed me to export it as needed for SCUP:
  certutil -repairstore my "SerialNumberofCert"
  There are some how tos here:
  http://support.microsoft.com/kb/889651
  http://blogs.msmvps.com/ivansanders/2011/07/26/restoring-a-certificates-private-key-without-the-certreq/