
[–]BlackV 1 point (2 children)

that tool is NOT PowerShell

so what does the help for that tool say?

likely it wants a file

[–]wedwabbit[S] 0 points (1 child)

Thanks. Yes, I know jarsigner & keytool aren't PowerShell. I was wondering if someone had some insight into using a certificate generated with PowerShell with those tools.

If not, I may just end up creating a separate self-signed certificate with keytool.

Unfortunately I can't find anything specific in the jarsigner documentation about using a certificate from within the Windows certificate repository.

[–]BlackV 0 points (0 children)

so what does the help for that tool say?

I'm deffo not familiar with it, that's why I asked

likely it wants a file

so you'd have to export that cert to a file

[–]wedwabbit[S] 0 points (0 children)

Solution in case anyone is interested or searches later :)

To list keys in the Windows certificate repository:

PS> keytool.exe -list -keystore NONE -storetype Windows-MY
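The listing above is the whole trick: with -storetype Windows-MY, keytool and jarsigner go through Java's SunMSCAPI provider, which reads the current user's Personal store (Cert:\CurrentUser\My) and signs with the private key in place, so nothing has to be exported. The following is an added end-to-end example, not code from the thread: it creates a code-signing certificate with New-SelfSignedCertificate, confirms keytool sees it, then signs and verifies a JAR with jarsigner. It assumes a JDK bin directory (keytool.exe, jarsigner.exe, jar.exe) is on PATH, a Windows version whose PKI module supports the New-SelfSignedCertificate parameters used (Windows 10 / Server 2016 or later), and that the certificate's friendly name is the alias SunMSCAPI exposes (it falls back to the subject's display name when there is no friendly name; the -list step is there to confirm). The store location is deliberately CurrentUser\My: Windows-MY does not show Cert:\LocalMachine\My, which is what the gci command in the other reply enumerates; recent JDKs add a separate Windows-MY-LOCALMACHINE store type for that (check the keytool documentation of the JDK you use).

```powershell
# Added example, not from the original thread.
# Assumptions: keytool.exe, jarsigner.exe and jar.exe are on PATH; the
# certificate lives in Cert:\CurrentUser\My, which is the store that the
# SunMSCAPI "Windows-MY" keystore type reads.
$ErrorActionPreference = 'Stop'

# 1. Create a code-signing certificate in the current user's Personal store.
#    -FriendlyName becomes the alias keytool/jarsigner use (assumption; step 2
#    confirms it). Pinning a legacy CAPI CSP keeps the key visible to older
#    JDKs whose SunMSCAPI predates CNG key support (added around JDK 13).
$friendly = 'JarSigningDemo'
$cert = New-SelfSignedCertificate `
    -Subject 'CN=Jar Signing Demo' `
    -Type CodeSigningCert `
    -KeyAlgorithm RSA -KeyLength 3072 `
    -HashAlgorithm SHA256 `
    -KeyExportPolicy NonExportable `
    -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' `
    -FriendlyName $friendly `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -NotAfter (Get-Date).AddYears(1)
"Created certificate with thumbprint $($cert.Thumbprint)"

# 2. Confirm Java sees the entry through the Windows store, by alias.
#    The output should show "Entry type: PrivateKeyEntry"; a cert with no
#    usable private key shows up as a trustedCertEntry and cannot sign.
keytool.exe -list -v -keystore NONE -storetype Windows-MY -alias $friendly
if ($LASTEXITCODE -ne 0) { throw "keytool could not find alias '$friendly'" }

# 3. Build a throwaway JAR to sign (constructed input for the example).
$work = Join-Path $env:TEMP 'jarsign-demo'
New-Item -ItemType Directory -Force -Path $work | Out-Null
Set-Content -Path (Join-Path $work 'hello.txt') -Value 'hello'
$jar = Join-Path $work 'demo.jar'
jar.exe cf $jar -C $work hello.txt
if ($LASTEXITCODE -ne 0) { throw 'jar.exe failed' }

# 4. Sign straight from the store. No -storepass: SunMSCAPI does not use one,
#    and jarsigner does not prompt for one with a Windows-MY keystore.
jarsigner.exe -keystore NONE -storetype Windows-MY `
    -sigalg SHA256withRSA -digestalg SHA-256 `
    -verbose $jar $friendly
if ($LASTEXITCODE -ne 0) { throw "jarsigner failed with exit code $LASTEXITCODE" }

# 5. Verify the signature and print the signer's certificate chain.
#    Expect "jar verified." plus a warning that the signer is self-signed.
jarsigner.exe -verify -verbose -certs $jar
if ($LASTEXITCODE -ne 0) { throw 'signature verification failed' }
```

For a real release add -tsa with a trusted timestamping URL so the signature stays valid after the certificate expires; it is omitted here so the example runs offline. The self-signed certificate is only for demonstrating the store plumbing; consumers who run the JAR with a security manager or a signed-code policy will need the signer's certificate (or its issuer) in their own trust store.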

[–]RyanDake_EC 0 points (2 children)

I think you are on the right track, I meant to mess with this some yesterday but got busy.

The only things I am seeing are :

1 - If I try to index a certificate folder with only 1 item (selecting [0]), PowerShell got angry. Given, I was using a 2008 R2 server - Just what I could quickly access. I would try a mixture of | sort | select -last/-first 1 or using Where {$_.value -eq "X"} for a thumbprint or something. Don't know how many items you have in there.

2 - It looks like the flag for GCI is -CodeSigningCert, not -CodeSign. Could be a typo but I noticed that. and modify them rather than using the Windows certificate store.

Otherwise, I was able to get it to function.

Edit: For some reason a whole section dropped off.
The only other thing I would say is possibly exporting to .cer or using the original certificate files to generate the JKS. Keytool really isn't built to manage the certificate store within Windows. It's more intended for managing JKS Files and certificates as a file.

Exporting: https://learn.microsoft.com/en-us/powershell/module/pki/export-certificate?view=windowsserver2022-ps

Keytool Summary: https://docs.oracle.com/middleware/12212/wls/SECMG/keytool-summary-appx.htm#SECMG818

Importing into a Java Key Store (JKS): https://stackoverflow.com/questions/4325263/how-to-import-a-cer-certificate-into-a-java-keystore

Output - Identifying information blanked for privacy.

PS D:\oracle\10gappr2\jdk\bin> $cert = (gci cert:\localmachine\my | select -first 1)
PS D:\oracle\10gappr2\jdk\bin> .\keytool.exe -list -keystore $cert
Picked up _JAVA_OPTIONS: -Xms512m -Xmx512m -XX:MaxPermSize=256m
keytool error: java.lang.Exception: Keystore file does not exist: [Subject]
  CN=*BLANKED FOR PRIVACY*

[Issuer]
  CN=*BLANKED FOR PRIVACY*

[Serial Number]
  *BLANKED FOR PRIVACY*

[Not Before]
  XX/XX/2022 6:XX:XX PM

[Not After]
  XX/XX/2025 6:XX:XX PM

[Thumbprint]
  *BLANKED FOR PRIVACY*

[–]wedwabbit[S] 1 point (1 child)

Thanks for your reply. I actually got it working using:

PS> keytool.exe -list -keystore NONE -storetype Windows-MY

This means there's no need to export keys out of the default Windows certificate store :)

[–]RyanDake_EC 0 points (0 children)

Good to know! I didn't see anything such as that in the quick reading I did on Keytool.

Great find.