Failed MIDlet install with VeriSign certificate

[chgru]

Every attempt to install a MIDlet signed by a VeriSign issued certificate fails on my unbranded N70 and 6680 with the following error message:

N70, "Unable to verify certificate"
6680, "Installation security error, unable to install"

N70 version:
V 2.0536.0.2
12-09-05
RM-84

6680 version:
V 3.04.37
01-06-05
RM-36


After researching a bit, I have tried the following modified phone settings without help:

1. menu -> tools -> settings -> security -> certif management
For all VeriSign Class 3 Certificate Authorities
-> Options -> Trust settings
App. Installation: yes
Online certif check: no

2. menu -> tools -> manager -> options -> settings
Software installation: on or off
Online certif check: off

3. remove all MIDlet-Permissions from .jad and manifest. (taking a wild stab here)

4. tempted to flash with a firmware upgrade but I thought I better post for an alternative solution first.


Other items of note:

1. On the N70 when I run the Installer and "View certificate" I see
Issuer: VeriSign Inc.
Expires: 05/26/2007
Valid from: 05/26/2007


2. I have been able to "self" sign and install this MIDlet without issues after importing the self signed certicate into the phone's certificate manager. Obviously this will not work as real solution. I need a CA generated certficate.


Thanks in advance to anyone that can shed some light!

Chuck

[browndrf]

Is your cert really a class 3 cert ?
I can see class 1 thu 4 are installed on my 6682.

I can also see you can set trust status on the certificates themselves.
Try settings them all to be able to install apps

[chgru]

Should be Class 3,

> keytool -printcert returns (among other info)...

Issuer: CN=VeriSign Class 3 Code Signing 2004 CA, O="VeriSign, Inc.",

Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.",

Now I just noticed I have ST in the Owner string with the full spelling of the state:

ST=California,

I vaguely recall an issue using non-two letter abbreviations. Can anyone confirm this as the issue. I've already potentially thrown away $500 on this cert.

[traud]

Make sure the MIDlet-Certificate- fields in your JAD are correct. VeriSign certificates need an intermediate one and consequently a second MIDlet-Certificate-.

[chgru]

Thanks for the input but apologies for not quite following your post. For the Verisign version should I expect to see "MIDlet-Certificate-1-2=...?" As you can probably tell I used ant and antenna <wtkjad> task to create and sign my .jad file.

I've provided both the non-working Verisign and working self-signed manifest and .jad snippets...



=== Verisign ===


- .jar Manifest.mf

Manifest-Version: 1.0
MicroEdition-Configuration: CLDC-1.1
MIDlet-Name: MyApp
Created-By: 1.5.0_05-b05 (Sun Microsystems Inc.)
Ant-Version: Apache Ant 1.6.5
MIDlet-Permissions: javax.microedition.io.Connector.http, javax.microedition.io.Connector.socket, javax.microedition.io.Connector.datagram, javax.microedition.io.PushRegistry, javax.microedition.io.Connector.serversocket,javax.microedition.io.Connector.sms, javax.wireless.messaging.sms.send
MIDlet-Vendor: MyApp
MIDlet-1: MyAppApp, MyAppSpark42x29.gif, net.java.mypack.app.Pho
neClient
MIDlet-Version: 0.0.1
MicroEdition-Profile: MIDP-2.0


- .jad

MIDlet-Jar-URL: MyApp.jar
MIDlet-Jar-Size: 360685
MIDlet-Name: MyApp
MIDlet-Vendor: MyApp
MIDlet-Version: 0.0.1
MIDlet-1: MyAppApp, MyAppSpark42x29.gif, net.java.mypack.app.PhoneClient
MicroEdition-Profile: MIDP-2.0
MicroEdition-Configuration: CLDC-1.1
MIDlet-Push-1: socket://:8099,net.java.mypack.app.PhoneClient,*
MIDlet-Permissions: javax.microedition.io.Connector.http, javax.microedition.io.Connector.socket, javax.microedition.io.Connector.datagram, javax.microedition.io.PushRegistry, javax.microedition.io.Connector.serversocket,javax.microedition.io.Connector.sms, javax.wireless.messaging.sms.send
MIDlet-Certificate-1-1: MIIE8jCCA...
MIDlet-Jar-RSA-SHA1: Raz2aGQ...





=== Self Signed ===

- .jar Manifest.mf

Manifest-Version: 1.0
MicroEdition-Configuration: CLDC-1.1
MIDlet-Name: MyApp
Created-By: 1.5.0_05-b05 (Sun Microsystems Inc.)
Ant-Version: Apache Ant 1.6.5
MIDlet-Permissions: javax.microedition.io.Connector.http, javax.microedition.io.Connector.socket, javax.microedition.io.Connector.datagram,javax.microedition.io.PushRegistry, javax.microedition.io.Connector.serversocket,javax.microedition.io.Connector.sms, javax.wireless.messaging.sms.send
MIDlet-Vendor: MyApp
MIDlet-1: MyAppApp, MyAppSpark42x29.gif, net.java.mypack.app.PhoneClient
MIDlet-Version: 0.0.1
MicroEdition-Profile: MIDP-2.0


- .jad

MIDlet-Jar-URL: MyApp.jar
MIDlet-Jar-Size: 359159
MIDlet-Name: MyApp
MIDlet-Vendor: MyApp
MIDlet-Version: 0.0.1
MIDlet-1: MyAppApp, MyAppSpark42x29.gif, net.java.mypack.app.PhoneClient
MicroEdition-Profile: MIDP-2.0
MicroEdition-Configuration: CLDC-1.1
MIDlet-Push-1: socket://:8099,net.java.mypack.app.PhoneClient,*
MIDlet-Permissions: javax.microedition.io.Connector.http, javax.microedition.io.Connector.socket, javax.microedition.io.Connector.datagram, javax.microedition.io.PushRegistry, javax.microedition.io.Connector.serversocket,javax.microedition.io.Connector.sms, javax.wireless.messaging.sms.send
MIDlet-Certificate-1-1: MIICUDCCA...
MIDlet-Jar-RSA-SHA1: bYmyxiNr...


Chuck

[traud]

Have a look at the phone and the issue date of the root certificate. If that is from 2001 and you are using a 2004 one, previous users on this board reported an intermediate certificate is required – do not have such a VerSign code-signing cert myself, so I cannot judge on that.

Please have a search for this topic. This is a quite common problem with recent VeriSign code-signing certificates…there are bad behaving WTK JAD Signer versions out there.

[chgru]

I believe I found your related thread on this topic...

http://discussion.forum.nokia.com/f...178248#poststop






Note that Certificate number [3] in my keystore listing, the serial number and fingerprints match to my phone's (ommitted the fingerprints for clarity):

Label: VeriSign, Inc. Class 3 Public Primary Certification Authority
Issuer: VeriSign, Inc. Class 3 Public Primary Certification Authority, Us
Subject: VeriSign, Inc. Class 3 Public Primary Certification Authority, Us
Valid from: 01/29/1996
Valid until: 09/01/2028
Certificate format: X.509


The other 2 VeriSign Class 3 Certificates on the phone are...

Label: VeriSign Class 3 Public Primary Certification Authority - G2
Issuer: VeriSign, Inc. Class 3 Public Primary Certification Authority - G2, (c) 1998 VeriSign, Inc. - For authorized use only, VeriSign Trust Network, US
Subject: VeriSign, Inc. Class 3 Public Primary Certification Authority - G2, (c) 1998 VeriSign, Inc. - For authorized use only, VeriSign Trust Network, US
Valid from: 05/18/1998
Valid until: 08/01/2028
Certificate format: X.509

Label: VeriSign Class 3 Public Primary Certification Authority - G3
Issuer: VeriSign, Inc. Class 3 Public Primary Certification Authority - G3, VeriSign, Inc., VeriSign Trust Network, (c) 1999 VeriSign, Inc. - For authorized use only,US
Subject: VeriSign, Inc. Class 3 Public Primary Certification Authority - G3, VeriSign, Inc., VeriSign Trust Network, (c) 1999 VeriSign, Inc. - For authorized use only,US
Valid from: 10/01/1999
Valid until: 07/16/2036
Certificate format: X.509



If you look below in my keystore listing, it appears I have the 2004 year you cautioned about, however my phone does not appear have a 2001 version, correct?

One thing I am not clear on is to which certificate does my app have signed?

Somehow should MIDlet-Certificate-1-1: MIIE8jCCA... match to a fingerprint?

Should MIDlet-Certificate-1-2 be present to somehow chain these together to Certificate[3]. I think I could just hand edit the .jad file and add these but I have yet to find a way to match up the magic ascii value for MIDlet-Certificate-1-x to a real certificate I was given to sign with?


Sorry, I thought I had a handle on this until recently. If you have a good reference on the nitty gritty details of signing, that would be helpful
as well. I think I have exhausted google and this forum.




=== list of certificates in my keystore ===

>keytool -v -list -keystore ...

Creation date: May 30, 2006
Entry type: keyEntry
Certificate chain length: 3

Certificate[1]:
Owner: CN=Agilent Technologies, OU=EMG, OU=Digital ID Class 3 - Java Object Sign
ing, O=Agilent Technologies, L=Palo Alto, ST=California, C=US
Issuer: CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www
.verisign.com/rpa (c)04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Serial number: 6909b0bfdfda38fd9877fc0583fa6427
Valid from: Thu May 25 18:00:00 MDT 2006 until: Sat May 26 17:59:59 MDT 2007
Certificate fingerprints:
MD5: 4C:6B:3B:33:CC:2F:EC:C1:55:A0:3E:0B:BD:46:F3:8E
SHA1: 05:72:F5:C9:2F7:F8:EF:CA:C5:90:9A5:16:46:63:12:C6:A1:C9

Certificate[2]:
Owner: CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www.
verisign.com/rpa (c)04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C
=US
Serial number: 4191a15a3978dfcf496566381d4c75c2
Valid from: Thu Jul 15 18:00:00 MDT 2004 until: Tue Jul 15 17:59:59 MDT 2014
Certificate fingerprints:
MD5: 63:FE:60:C5:5A:44:AF:8E:E2:11:5A:27:62:2A:B0:7C
SHA1: 19:7A:4A:EBB:25:F0:17:00:79:BB:8C:73:CB:2D:65:5E:00:18:A4


=================================
==== THE MATCHING CERTIFICATE ===
=================================
Certificate[3]:
Owner: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=
US
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C
=US
Serial number: 70bae41d10d92934b638ca7b03ccbabf
Valid from: Sun Jan 28 17:00:00 MST 1996 until: Tue Aug 01 17:59:59 MDT 2028
Certificate fingerprints:
MD5: 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
SHA1: 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2





=== error while running on Nokia MIDP Emulator ====

I have no idea if the emulator should know of the CA, don't see any config to add one however while running

NDS SDK 2 Emulator set to run in real life mode for S60:


** Error installing suite (6):
The content provider certificate issuer
C=US;O=VeriSign, Inc.;
OU=VeriSign Trust Network;OU=Terms of use at https://www.verisign.com/rpa (c)04;CN=VeriSign Class 3 Code Signing 2004 CA
is unknown.

[chgru]

I believe I found your related thread on this topic...

http://discussion.forum.nokia.com/fo...78248#poststop






Note that Certificate number [3] in my keystore listing, the serial number and fingerprints match to my phone's (ommitted the fingerprints for clarity):

Label: VeriSign, Inc. Class 3 Public Primary Certification Authority
Issuer: VeriSign, Inc. Class 3 Public Primary Certification Authority, Us
Subject: VeriSign, Inc. Class 3 Public Primary Certification Authority, Us
Valid from: 01/29/1996
Valid until: 09/01/2028
Certificate format: X.509


The other 2 VeriSign Class 3 Certificates on the phone are...

Label: VeriSign Class 3 Public Primary Certification Authority - G2
Issuer: VeriSign, Inc. Class 3 Public Primary Certification Authority - G2, (c) 1998 VeriSign, Inc. - For authorized use only, VeriSign Trust Network, US
Subject: VeriSign, Inc. Class 3 Public Primary Certification Authority - G2, (c) 1998 VeriSign, Inc. - For authorized use only, VeriSign Trust Network, US
Valid from: 05/18/1998
Valid until: 08/01/2028
Certificate format: X.509

Label: VeriSign Class 3 Public Primary Certification Authority - G3
Issuer: VeriSign, Inc. Class 3 Public Primary Certification Authority - G3, VeriSign, Inc., VeriSign Trust Network, (c) 1999 VeriSign, Inc. - For authorized use only,US
Subject: VeriSign, Inc. Class 3 Public Primary Certification Authority - G3, VeriSign, Inc., VeriSign Trust Network, (c) 1999 VeriSign, Inc. - For authorized use only,US
Valid from: 10/01/1999
Valid until: 07/16/2036
Certificate format: X.509



If you look below in my keystore listing, it appears I have the 2004 year you cautioned about, however my phone does not appear have a 2001 version, correct?

One thing I am not clear on is to which certificate does my app have signed?

Somehow should MIDlet-Certificate-1-1: MIIE8jCCA... match to a fingerprint?

Should MIDlet-Certificate-1-2 be present to somehow chain these together to Certificate[3]. I think I could just hand edit the .jad file and add these but I have yet to find a way to match up the magic ascii value for MIDlet-Certificate-1-x to a real certificate I was given to sign with?


Sorry, I thought I had a handle on this until recently. If you have a good reference on the nitty gritty details of signing, that would be helpful
as well. I think I have exhausted google and this forum.




=== list of certificates in my keystore ===

>keytool -v -list -keystore ...

Creation date: May 30, 2006
Entry type: keyEntry
Certificate chain length: 3

Certificate[1]:
Owner: CN=Agilent Technologies, OU=EMG, OU=Digital ID Class 3 - Java Object Sign
ing, O=Agilent Technologies, L=Palo Alto, ST=California, C=US
Issuer: CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www
.verisign.com/rpa (c)04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Serial number: 6909b0bfdfda38fd9877fc0583fa6427
Valid from: Thu May 25 18:00:00 MDT 2006 until: Sat May 26 17:59:59 MDT 2007
Certificate fingerprints:
MD5: 4C:6B:3B:33:CC:2F:EC:C1:55:A0:3E:0B:BD:46:F3:8E
SHA1: 05:72:F5:C9:2F7:F8:EF:CA:C5:90:9A5:16:46:63:12:C6:A1:C9

Certificate[2]:
Owner: CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www.
verisign.com/rpa (c)04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C
=US
Serial number: 4191a15a3978dfcf496566381d4c75c2
Valid from: Thu Jul 15 18:00:00 MDT 2004 until: Tue Jul 15 17:59:59 MDT 2014
Certificate fingerprints:
MD5: 63:FE:60:C5:5A:44:AF:8E:E2:11:5A:27:62:2A:B0:7C
SHA1: 19:7A:4A:EBB:25:F0:17:00:79:BB:8C:73:CB:2D:65:5E:00:18:A4


=================================
==== THE MATCHING CERTIFICATE ===
=================================
Certificate[3]:
Owner: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=
US
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C
=US
Serial number: 70bae41d10d92934b638ca7b03ccbabf
Valid from: Sun Jan 28 17:00:00 MST 1996 until: Tue Aug 01 17:59:59 MDT 2028
Certificate fingerprints:
MD5: 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
SHA1: 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2





=== error while running on Nokia MIDP Emulator ====

I have no idea if the emulator should know of the CA, don't see any config to add one however while running

NDS SDK 2 Emulator set to run in real life mode for S60:


** Error installing suite (6):
The content provider certificate issuer
C=US;O=VeriSign, Inc.;
OU=VeriSign Trust Network;OU=Terms of use at https://www.verisign.com/rpa (c)04;CN=VeriSign Class 3 Code Signing 2004 CA
is unknown.

[traud]

The VeriSign Code Signing Intermediate CA Certificate is missing.

Copy the code, remove – beside the carriage returns – the first and last line and use it as value of a MIDlet-Certificate-1-2. That should work. There are broken signer tools out there. Make sure to use the latest Sun Java Wireless Toolkit or Nokia Carbide.j.

Please forget that other thread. I was more confusing than helping there. Additionally, there seemed to be a different problem. Better have a look at this one or have a search about MIDlet-Certificate-1-2 on the Internet and this forum.

Additionally, forget about this 2001 issue. Your 2004 code-signing certificate, signed to this 2004 root intermediate seems to be linked to this root certificate with the SHA1 7A:2C… fingerprint on the phone anyway. The latter is the only VeriSign one which allows code signing on my Nokia 6680. I cannot be 100% sure, as I have no VeriSign certificate, however, it looks reasonable. Correct me, if I am wrong.

[chgru]

Thanks for the links, I will work with them and post my results. This will be a big help.


Some other info I should clear up for others that may be following this thread....

Earlier I stated I was using wtkjad antenna task to sign the .jad/jar, Wrong!!

I was acutally using WTK2.1's JadTool.jar with -addjarsig followed by -addcert. I also tried NDS 3.0, same issue. I found what appeared to be a good link regarding signing for Nokia with VeriSign here:

http://sw.nokia.com/id/fe8f54d9-c53d...ts_v1_0_en.pdf

However no matter which JadTool.jar used, I only get the single MIDlet-Certificate-1-1, no chain to the CA.

Also, I think I have identified by Serial Number which certificate is signed to the .jad/jar. It is the first one ("[1]") listed in keystore list I provided. I simply did a "View Certificate" on the phone during the install and compared the serial number to the ones enumerated in my keystore listing.

I think I am getting closer with traud's help. Thanks.

Chuck

[chgru]

Success!

Adding the intermediate certificate by hand did the trick. You saved me several days of head banging. Many Thanks!

[traud]

You are welcome! I learned a lot in this, too. Let us share it with the community:
When your code signing certificate makes trouble have a look at your JAD and check at least a MIDlet-Certificate-1-2 field is present. If not and you are using a VeriSign 2009-2 code signing certificate, add this line, which is the intermediate certificate as Base64 (a constant value):

Code:

MIDlet-Certificate-1-2: MIIE/DCCBGWgAwIBAgIQZVIm4bIuGOFZDymFrCLnXDANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDkwNTIxMDAwMDAwWhcNMTkwNTIwMjM1OTU5WjCBtjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwOTEwMC4GA1UEAxMnVmVyaVNpZ24gQ2xhc3MgMyBDb2RlIFNpZ25pbmcgMjAwOS0yIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvmcdtGCqEElvVhd8Zslehg3V8ayncYOOi4n4iASJFQa6LYQhleTRnFBM+9IivdrysjU7Ho/DCfv8Ey5av4l8PTslHvbzWHuc9AG1xgq4gM6+J3RhZydNauXsgWFYeaPgFxASFSew4U00fytHIES53mYkZorNT7ofxTjIVJDhcvYZZnVquUlozzh5DaowqNssYEie16oUAamD1ziRMDkTlgM6fEBUtq3gLxuD3KgRUj4Cs9cr/SG2p1yjDwupphBQDjQuTafOyV4l1Iy88258KbwBXfwxh1rVjIVnWIgZoL818OoroyHnkPaD5ajtYHhee2CD/VcLXUENY1Rg1kMh7wIDAQABo4IB2zCCAdcwEgYDVR0TAQH/BAgwBgEB/wIBADBwBgNVHSAEaTBnMGUGC2CGSAGG+EUBBxcDMFYwKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9jcHMwKgYIKwYBBQUHAgIwHhocaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYTAOBgNVHQ8BAf8EBAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAHBgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVyaXNpZ24uY29tL3ZzbG9nby5naWYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMDMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AudmVyaXNpZ24uY29tMDEGA1UdHwQqMCgwJqAkoCKGIGh0dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMuY3JsMCkGA1UdEQQiMCCkHjAcMRowGAYDVQQDExFDbGFzczNDQTIwNDgtMS01NTAdBgNVHQ4EFgQUl9BrqCZwyKE/lB8ILcQ1m6ShHvIwDQYJKoZIhvcNAQEFBQADgYEAiwPA3ZTYQaJhabAVqHjHMMaQPH5C9yS25INzFwR/BBCcoeL6gS/rwMpE53LgULZVECCDbpaS5JpRarQ3MdylLeuMAMcdT+dNMrqF+E6++mdVZfBqvnrKZDgaEBB4RXYx84Z6Aw9gwrNdnfaLZnaCG1nhg+W9SaU4VuXeQXcOWA8=

If not and you are using a thawte code signing certificate, add this line, which is the intermediate certificate as Base64 (a constant value):

Code:

MIDlet-Certificate-1-2: MIIDTjCCAregAwIBAgIBCjANBgkqhkiG9w0BAQUFADCBzjELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMR0wGwYDVQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEhMB8GA1UEAxMYVGhhd3RlIFByZW1pdW0gU2VydmVyIENBMSgwJgYJKoZIhvcNAQkBFhlwcmVtaXVtLXNlcnZlckB0aGF3dGUuY29tMB4XDTAzMDgwNjAwMDAwMFoXDTEzMDgwNTIzNTk1OVowVTELMAkGA1UEBhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xHzAdBgNVBAMTFlRoYXd0ZSBDb2RlIFNpZ25pbmcgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMa4uSdgrwvjkWll236N7ZHmqvG+1e3+bdQsf9Fwd/smmVe03T8wuNwh6miNgZL8LkuRNYQg8tpKurT85tqI8iDFIZIJR5WgCRymeb6xTB388YpuVNJpofFMkzpB/n3UZHtjRfdgYB0xHaTp0w+L+24mJLOo/+XlkNS0wtxQYK5ZAgMBAAGjgbMwgbAwEgYDVR0TAQH/BAgwBgEB/wIBADBABgNVHR8EOTA3MDWgM6Axhi9odHRwOi8vY3JsLnRoYXd0ZS5jb20vVGhhd3RlUHJlbWl1bVNlcnZlckNBLmNybDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwMwDgYDVR0PAQH/BAQDAgEGMCkGA1UdEQQiMCCkHjAcMRowGAYDVQQDExFQcml2YXRlTGFiZWwyLTE0NDANBgkqhkiG9w0BAQUFAAOBgQB2spzuE58b9i00kpRFczTcjmsuXPxMfYnrw2jx15kPLh0XyLUWi77NigUG8hlJOgNbBckgjm1S4XaBoMNliiJn5BxTUzdGv7zXL+t7ntAURWxAIQjiXXV2ZjAe9N+Cii+986IMvx3bnxSimnI3TbB3SOhKPwnOVRks7+YHJOGv7A==

When there are still problems, copy and paste your MIDlet-Certificate- values to a text editor, like this

Code:

-----BEGIN CERTIFICATE-----
MII…
-----END CERTIFICATE-----

and then save it as .pem as this is a X.509 certificate in PEM format. Although the line endings are wrong for PEM, you are still able to import these into any certificate manager like the one of Firefox. There you can inspect the individual certs and make sure the chain is complete (compare the authority and issuer name). Remember, the root certificate should not be included in your JAD as it is stated in the MIDP 2.0 specification chapter 4.

chgru, I am still curious, why your signing tool failed. Because the root certificate (last one in the chain) is never included in the JAD, perhaps you need Verisign's class 3 root certificate (filename = PCA3ss_v4.509) in your key store, too? I have no idea…

[chgru]

Not sure why the root CA is not include in the .jad. As I update NDS to Carbide.j I'll post to this thread if anything changes. Again, thanks for the help. Save me several days of effort.

[traud]

No, I meant the root is never included in the JAD – in your case and for everyone else. This is the way it is designed by MIDP 2. Perhaps therefore, these signing tools omit the last certificate in the chain. As you pointed out, your key store does not include the root certificate of VeriSign. Therfore, in your case, the intermediate is not included.
Could this be the reason of all that trouble?

[chgru]

Isn't certificate[3] in my keystore a root cert?

Certificate[3]:
Owner: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=
US
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C
=US
Serial number: 70bae41d10d92934b638ca7b03ccbabf
Valid from: Sun Jan 28 17:00:00 MST 1996 until: Tue Aug 01 17:59:59 MDT 2028
Certificate fingerprints:
MD5: 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
SHA1: 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2