Summary

If the CSBR1 root certificate is not in the default JDK keystore, customers will get an error when signing and timestamping files. To fix this, you need to import the CSBR1 certificate.

Problem

If the CSBR1 root certificate is not in the default JDK keystore, customers will see the following error when signing and timestamping files:

The TSA certificate chain is invalid. Reason: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Resolution

Follow these steps to import the Entrust Code Signing Root Certification Authority - CSBR1 (https://web.entrust.com/root-certificates/CSBR1.cer?_ga=2.238222531.2119537634.1657895221-140272303.1651182067) cert into the trusted cert bundle file used by the JDK.

1. Download and save the CSBR1 certificate as a . cer file into your system
2. Copy and paste the CSBR1 certificate to the JDK bin folder:
   C:\Program Files\Java\jdk1.8.0_202\bin
3. Open a command prompt and navigate to the JDK bin folder:
   cd C:\Program Files\Java\jdk1.8.0_202\bin
4. Import the CSBR1 certificate to the JDK Trusted Store at
   $JAVA_HOME/lib/security/cacerts ( cacerts is the Trusted Store) For example: " C:\Program Files\Java\jre1.8.0_202\lib\security "
5. Run the command: Keytool -import -alias TSARoot -file CSBR1.cer -keystore "C:\Program Files\Java\jre1.8.0_202\lib\security\cacerts"
6. Enter the Trusted Store password: changeit
7. Type y to confirm
8. Close and open the command prompt and test signing in again (jarsigner sign)