5 Replies Latest reply on May 20, 2009 1:12 AM by BBCLX

    Signing with p12 certificate from client


      Hy there


      Our client provided us with a p12 format certificate and a password for signing AIR Applications.


      When I tried to sign the application in question with the certificate I got the following Error:

      Unable to build a valid certificate chain for the signer.


      What would google do in this situation?


      According to http://www.globalsign.com/support/root-certificate/osroot.php I did the following:

      • Install the certificate in Internetexplorer
      • Install the GlobalSign ObjectSign CA in Firefox
      • Export a new p12 certificate from firefox
      • Sign the application again with the new p12 certificate
      • Still getting the same error!
      • Install the new p12 certificate in Internetexplorer
      • Again exporting the cert in Firefox
      • and so on...


      No matter what I tried I still got the same error. I am now wondering whether our client needs to sign the application, but this does not seem to make sense since I have a p12 certificate and a password...


      I really would appreciate any help on this matter.


      Kind regards

        • 1. Re: Signing with p12 certificate from client
          tzeng Adobe Employee

          Your p12 certificate needs to have the whole certificate chain.

          So when you export the certificate, make sure you export the whole chain.



          • 2. Re: Signing with p12 certificate from client
            BBCLX Level 1

            According to tzengs suggestion I tried to export the certificate again from firefox using "backup all" instead of "backup" with no effect.


            One thing which I am still not sure of:


            Can my client give me a p12 certificate which I can use as it is to sign my application using the provided password or do I have to process this certificate first?


            Depending on the answer to this question I need to take different action:

            YES: I need to tell my client to export the certificate in a different manner in order to "create the complete chain"

            NO: The certificate from my client is fine but I still need to figure out how to change the certificate so that I don't get the error.


            Thanks for your help.

            • 3. Re: Signing with p12 certificate from client
              Joe ... Ward Level 4

              You should not have to modify the certificate file from your client in order to use it. (There's a small chance that your computer is missing the root certificate from GlobalSign, which might cause this problem -- but that doesn't seem likely.)


              Note that you can use the Java KeyTool utility to view the contents of a keystore file. That might help you figure out what is wrong.

              1 person found this helpful
              • 4. Re: Signing with p12 certificate from client
                tzeng Adobe Employee

                You can use the certificate as long as you have the password.


                Which OS does your client use to export the certificate?

                1 person found this helpful
                • 5. Re: Signing with p12 certificate from client
                  BBCLX Level 1

                  I finally got it working.


                  1. I get the certificate cert-client.p12 from my client
                  2. Double click and install the certificate from the windows explorer
                  3. Open Internetexplorer > Tools > Internet Options > Content > Certificates
                  4. Select the certificate which have previously imported and click export
                  5. Next
                  6. Yes, export the private key
                  7. Format: PKCS, (checked) Include all certificates in the... , (checked) Enable Strong protection, (unchecked) Delete the private key ...
                  8. Next
                  9. Enter Password for the certificate
                  10. Next enter filename and export the file
                  11. Rename the file to pk12


                  After this procedure i was able to successfully sign my application with the certificate.