Problem
If the CSBR1 root certificate is not in the default JDK keystore, customers will see the following error when signing and timestamping files:
The TSA certificate chain is invalid. Reason: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Resolution
Follow these steps to import the Entrust Code Signing Root Certification Authority - CSBR1 (https://web.entrust.com/root-certificates/CSBR1.cer?_ga=2.238222531.2119537634.1657895221-140272303.1651182067) certificate into the trusted certificate bundle file used by the JDK.
- Download and save the CSBR1 certificate as a .cer file to your system
- Copy and paste the CSBR1 certificate to the JDK bin folder:
C:\Program Files\Java\jdk1.8.0_202\bin
- Open a command prompt and navigate to the JDK bin folder:
cd C:\Program Files\Java\jdk1.8.0_202\bin
- Import the CSBR1 certificate to the JDK Trusted Store at $JAVA_HOME/lib/security/cacerts (cacerts is the Trusted Store). For example: "C:\Program Files\Java\jre1.8.0_202\lib\security"
- Run the command:
keytool -import -alias TSARoot -file CSBR1.cer -keystore "C:\Program Files\Java\jre1.8.0_202\lib\security\cacerts"
- Enter the Trusted Store password: changeit
- Type y to confirm
- Close and reopen the command prompt and test signing again (jarsigner sign)
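
The steps above as one PowerShell script that also checks the certificate's fingerprint before trusting it and confirms the entry afterwards. This is an added example, not Entrust's own tooling. It assumes the paths used in this article, and the expected fingerprint is a placeholder that must be filled in from the value Entrust publishes.

```powershell
# Added example. Run from an elevated prompt: cacerts lives under Program Files.
# Paths and alias are the ones used in the steps above.
$JavaHome = 'C:\Program Files\Java\jdk1.8.0_202'
$Keytool  = Join-Path $JavaHome 'bin\keytool.exe'
$CertFile = Join-Path $JavaHome 'bin\CSBR1.cer'
$Keystore = 'C:\Program Files\Java\jre1.8.0_202\lib\security\cacerts'
$Alias    = 'TSARoot'

# Placeholder (assumption): copy the SHA-256 fingerprint from Entrust's root certificate page.
$ExpectedSha256 = '<SHA-256 fingerprint published by Entrust>'

# 1. Compute the SHA-256 fingerprint of the downloaded certificate.
#    Hashing the parsed DER bytes gives the same result for DER and PEM files.
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$actual = ($sha256.ComputeHash($cert.RawData) | ForEach-Object { $_.ToString('X2') }) -join ''
$expected = ($ExpectedSha256 -replace '[:\s]', '').ToUpperInvariant()

Write-Host "Subject     : $($cert.Subject)"
Write-Host "Fingerprint : $actual"

# 2. Refuse to add a trust anchor that does not match the published value.
if ($actual -ne $expected) {
    throw "Fingerprint mismatch: do not import $CertFile into $Keystore"
}

# 3. Keep a copy of the trust store so the change can be rolled back.
Copy-Item -Path $Keystore -Destination "$Keystore.bak" -Force

# 4. Import the root (-importcert is the current name of -import; -noprompt skips the y/n question).
& $Keytool -importcert -noprompt -alias $Alias -file $CertFile `
    -keystore $Keystore -storepass changeit
if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE" }

# 5. Confirm the entry exists; the SHA256 line in this output should match $actual.
& $Keytool -list -v -alias $Alias -keystore $Keystore -storepass changeit
```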