Java Security

Hi,

I am trying to sign a java applet called JUpload from http://www.jupload.biz, with a certificate that we already have purchased. The private key was generated in IIS 6 on a Windows 2003 server, and the certificate was given to us in a *.crt format.

First I tried signing the applet using just the crt file, which would import into the keystore, but as soon as I try to sign the applet, I would do the following and get the error:

keytool -import -alias JUpload -file mycer.pso.com.crt

Owner: CN=mycer.pso.com, OU=Domain Control Validated, O=mycer.pso.com Issuer: EMAILADDRESS=practices@starfieldtech.com, CN=Starfield Secure Certification Authority, OU=http://www.starfieldtech.com/repository, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
Serial number: 302088
Valid from: Fri Jul 08 10:12:26 CDT 2005 until: Sat Jul 08 10:12:26 CDT 2006
Certificate fingerprints:
MD5: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
SHA1: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
Trust this certificate? [no]: yes
Certificate was added to keystore

jarsigner jupload.jar JUpload

jarsigner: Certificate chain not found for: JUpload. JUpload must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.

So after some digging I found that perhaps there is a problem because the crt does not have the private key. So I exported a pfx from IIS 6 which should contain the private key and did the following:

keytool -import -storepass XXXXXX -storetype PKCS12 -alias JUpload -file XXXXXXXXXX.pfx
keytool error: java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.

I have tried without the "storepass" and "storetype" flags, with no luck. Do I need to convert the pfx file to a p12 file. I read somewhere that you should just rename it, but that does the same thing as a pfx. I read also something to do with using OpenSSL, but I cannot find any examples of how I should do this.

Any ideas?

TIA

Phil Dowson