16 Replies Latest reply: Oct 25, 2011 11:50 AM by williamjgrand

    Unable to build valid certificate chain

    JSayani

      Hi,

       

      I am trying to sign my AIR application using the Code Signing Certificate I got from Apple (iPhone Dev). I have Apple's Root Certificate and my certificate. I installed both and then exported my certificate as pkcs12 (.p12 file) using many methods like Windows Certificate Manager and Firefox. I also used Keychain Access on my Mac. However, when I try to sign, I get the following error:

       

      Unable to build a valid certificate chain for the signer.

       

      Some help would be great. Thanks.

        • 1. Re: Unable to build valid certificate chain
          tzeng Adobe Employee

          When you export the cert from, say, Windows Certificate Manager, there should be an option that asks if you want to export the whole certificate chain; just check that box.

           

          You can do the same with Firefox.

           

          -ted

          • 2. Re: Unable to build valid certificate chain
            JSayani Community Member

            Hi,

             

            I tried choosing that option with Windows Certificate Manager, but it still didn't help. As for Firefox, I can't see any option like that. All I see is Backup and Backup All...

            • 3. Re: Unable to build valid certificate chain
              tzeng Adobe Employee

              Are you trying to package an AIR app. for iPhone?

              In that case, you don't need to have the whole chain, but you need to specify -provisioning-profile.

               

               

              If you just want to have the whole chain, you should check the certificate in the certificate manager to see if the cert chains up to the Root CA.

              If it does, you should be able to export the whole chain with the option box checked.

              But if the Root CA (or any intermediate CAs if there are any) is not present, then you wouldn't get the whole chain.

              • 4. Re: Unable to build valid certificate chain
                JSayani Community Member

                No, I am not building iPhone apps. I am just signing an AIR desktop application. My AIR code signing certificate expired a while ago, so I want to use my iPhone Dev Certificate to sign the desktop apps.

                 

                I have the Root CA and Dev Cert installed. In Firefox, my cert is shown under Apple's Root CA, so they are linked. However, I tried exporting with the "chain if possible" option checked and it still did not help.

                 

                On my Mac, I also selected both certs (mine and Root CA) and exported them from Keychain Access as a single p12 file. However, I still get the same error.

                • 5. Re: Unable to build valid certificate chain
                  tzeng Adobe Employee

                  You can use the command:

                  keytool -list -v -storetype pkcs12 -keystore air.pfx -storepass xxxx

                  List out your cert's info. You should be able to find out if your cert has the whole chain or not.

                   

                  I am not sure why you could not export the whole chain. I never fail to do this on Windows.

                   

                  -ted

                  • 6. Re: Unable to build valid certificate chain
                    JSayani Community Member

                    Well, I have 2 files: Developer Certificate and Root CA. For some reason I cannot get them to combine. On Keychain Access on my Mac, it shows there is no Root CA found, though I have the .cer file of the CA.

                     

                    I tried adding it, then hitting Done. But if I reevaluate the cert, then I get "No root CA found" again.

                     

                    Here's a Preview on my Mac:

                     

                    http://localhostr.com/files/a243ff/keychain.png

                    • 7. Re: Unable to build valid certificate chain
                      tzeng Adobe Employee

                      On my machine, I have two CAs.

                      One is

                      Apple Worldwide Developer Relations Certification Authority

                      Which is an intermediate CA, the other is Apple Root CA which is the Root CA.

                      Then the certificate.

                      So you need to have all the 3. Also, I think you need to put the intermediate CA in Systems keychain.

                       

                      -ted

                      • 8. Re: Unable to build valid certificate chain
                        JSayani Community Member

                        Well, I have all certs in my keychain. Later I also exported them and installed them on Windows and tried to use Windows Certificate Manager to export the p12 chain. However, still I get the same error when signing my app.

                         

                        Here are the files I have:

                         

                        AppleRootCA.cer

                        AppleRootCertificateAuthority.cer

                        AppleWWDRCA.cer

                        developer_identity.cer

                        • 9. Re: Unable to build valid certificate chain
                          tzeng Adobe Employee

                          developer_identity.cer <-- this doesn't have the private key, right?

                          • 10. Re: Unable to build valid certificate chain
                            JSayani Community Member

                            That should have the private key. Because when I install it on the Mac, the Private key is displayed under that cert.

                            • 11. Re: Unable to build valid certificate chain
                              tzeng Adobe Employee

                              I just exported a cert from Keychain Access to a .cer file, the private key is not exported (no password is asked).

                              Exporting to a P12 Keychain would ask for a password.

                              • 12. Re: Unable to build valid certificate chain
                                JSayani Community Member

                                Ok, that makes some things clear. If I do manage to get it with the private key in Windows, how do I obtain the password?  Apple has not provided me with a password to the private key.

                                • 13. Re: Unable to build valid certificate chain
                                  tzeng Adobe Employee

                                  When you export a cert with a private key, the program (whatever that is) will ask you for a password to be used in the file.

                                   

                                  When you import this cert again to a different machine (say to a Windows machine), the machine will ask you for the password to import the private key.

                                  When you export the cert from this machine, it will ask you again for a different password to be used in the exported cert file.

                                   

                                  Whenever there is a private key in a cert, it always comes with a password.

                                  • 14. Re: Unable to build valid certificate chain
                                    JSayani Community Member

                                    Ok, I am making progress here.

                                     

                                    I signed on to a fresh mac with an empty keychain. I imported AppleWWDRCA and then developer_identity. Now it shows that the certificate is valid. Now I deleted the certificate and I imported cert.p12 file that I had made. Now the certificate re-appeared in keychain along with a private key. I had to put a password set by me earlier when I made the p12 file.

                                     

                                    The certificate is displayed under my private key. So it means that the p12 file has the private key and the certificate.

                                     

                                    Now the only thing is that AIR gives me the error stating that it cannot build a certificate chain, which means there's no Root CA in the p12 file, or WWDRCA for that matter. From what I understand, these 2 certs need to be put inside the p12 file.

                                     

                                    On a second note, Apple also provides a distribution cert besides the developer cert. But when I try to export the distribution cert, it asks for a password that I don't know (not got one for that). But I still think that I need to use the developer cert and not the distribution cert by Apple.

                                     

                                    The question again boils down to putting the Apple Root CA inside the p12 in order for AIR SDK to build the chain.

                                    • 15. Re: Unable to build valid certificate chain
                                      tzeng Adobe Employee

                                      When you see the certificate is valid, you have all the certificate chains. But I don't know how to export the whole chain in Keychain Access.

                                      So to do this, you need to import all the certs to Firefox or in a Windows machine. Make sure you have the whole chain.

                                      Then export the cert with the whole chain option checked. That should do it.
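
Added example (not part of the thread, and not Adobe's or Apple's tooling): the difference between a .p12 that holds only the signer certificate and one that also carries the intermediate and root, reproduced with the `openssl` command line on a constructed three-tier PKI. Every name, file and the password below are made up; using `openssl` instead of the GUI export tools discussed above is an assumption of this example.

```shell
#!/bin/sh
# Added example: constructed three-tier PKI (root -> intermediate -> signer).
# All names, file names and the password are made up for this demonstration.
set -eu
WORK=$(mktemp -d); cd "$WORK"
PASS=example-pass   # constructed export password protecting the key in the .p12
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext

# issue NAME CN ISSUER EXTARGS: new key + CSR, signed by ISSUER ("self" = root)
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  signer="-CA $3.pem -CAkey $3.key -CAcreateserial"
  [ "$3" = self ] && signer="-signkey $1.key"
  openssl x509 -req -in "$1.csr" $signer $4 -days 30 -out "$1.pem" 2>/dev/null
}
issue root "Example Root CA" self "-extfile ca.ext"
issue int  "Example Intermediate CA" root "-extfile ca.ext"
issue leaf "Example Signer" int ""

# Export 1: signer certificate and private key only (no CA certificates).
openssl pkcs12 -export -inkey leaf.key -in leaf.pem -name signer \
  -passout "pass:$PASS" -out leaf-only.p12
# Export 2: the same, plus intermediate and root added through -certfile.
cat int.pem root.pem > chain.pem
openssl pkcs12 -export -inkey leaf.key -in leaf.pem -certfile chain.pem \
  -name signer -passout "pass:$PASS" -out full-chain.p12

# count_certs FILE: number of certificates stored in the PKCS#12 file.
count_certs() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

# chain_ok FILE: succeeds if the signer certificate verifies up to a
# self-signed root when the CA certificates stored in FILE are the CA set.
chain_ok() {
  openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$PASS" -out "$1.leaf" 2>/dev/null
  openssl pkcs12 -in "$1" -nokeys -cacerts -passin "pass:$PASS" -out "$1.cas" 2>/dev/null
  openssl verify -CAfile "$1.cas" "$1.leaf" >/dev/null 2>&1
}

for f in leaf-only.p12 full-chain.p12; do
  if chain_ok "$f"; then r="chain builds"; else r="chain cannot be built"; fi
  echo "$f: $(count_certs "$f") certificate(s), $r"
done
```

Running the `keytool -list -v -storetype pkcs12` command from reply 5 against each file should show the same difference in its "Certificate chain length" line.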

                                      • 16. Re: Unable to build valid certificate chain
                                        williamjgrand

                                        Hi JSayani,

                                         

                                        Did you manage to figure this out?