Skip to main content

Certificate Services Support


If the CSBR1 root certificate is not in the default JDK keystore, customers will see the following error when signing and timestamping files:
The TSA certificate chain is invalid. Reason: PKIX path building failed: unable to find valid certification path to requested target


Follow these steps to import the Entrust Code Signing Root Certification Authority - CSBR1 ( cert into the trusted cert bundle file used by the JDK.
  1. Download and save the CSBR1 certificate as a .cer file into your system
  2. Copy and paste the CSBR1 certificate to the JDK bin folder:
    C:\Program Files\Java\jdk1.8.0_202\bin
  3. Open a command prompt and navigate to the JDK bin folder:
    cd C:\Program Files\Java\jdk1.8.0_202\bin
  4. Import the CSBR1 certificate to the JDK Trusted Store at
    $JAVA_HOME/lib/security/cacerts (cacerts is the Trusted Store)
     For example: "C:\Program Files\Java\jre1.8.0_202\lib\security"
  5. Run the command: Keytool -import -alias TSARoot -file CSBR1.cer -keystore "C:\Program Files\Java\jre1.8.0_202\lib\security\cacerts"
  6. Enter the Trusted Store password: changeit
  7. Type y to confirm
  8. Close and open the command prompt and test signing in again (jarsigner sign)