This article helps you troubleshoot common warning and error messages associated with KeyLocker and JarSigner. It covers errors displayed when running a healthcheck as well as errors that occur during file signing.
Healthcheck Errors:
Your client certificate path or password is incorrect. You will not be able to complete specific actions (such as sign, generate keypairs and approve releases) until these credentials are corrected.
This error can occur if the path set in your Environment Variables is incorrect.
Open your Environment Variables and ensure that the following variable is correct:
Another reason for this error is the use of an incorrect client certificate password.
A third possible cause is that the client certificate was generated and encrypted using AES and a SHA-256 signature hash. This is not supported by older versions of Windows.
Status: Connection failed
This error can be caused by using an invalid API key.
Jarsigner: Mapped: No
This status means that DigiCert KeyLocker Tools is unable to locate the path to jarsigner.exe.
JarSigner Errors:
jarsigner error: java.lang.RuntimeException: keystore load: load failed
This error will appear if your KeyLocker credentials have not been configured or if the incorrect API key has been used.
jarsigner: unable to sign jar: java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_FAILED
This error means that the password for your client certificate is incorrect.
This error can also occur if you have not added a signer to your certificate in DigiCert ONE.
Only one alias can be specified
Please type jarsigner --help for usage
This error appears if the path to the file that you want to sign contains spaces. For example: c:\files to signpath\myfile.jar
jarsigner: Certificate chain not found for: <keypair alias>. <keypair alias> must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.
This error means that an incorrect keypair alias was referenced in the signing command.
jarsigner: unable to sign jar: java.lang.NullPointerException: Cannot invoke "String.equalsIgnoreCase(String)" because the return value of "java.net.URI.getScheme()" is null
This issue can be caused by using an incomplete URL for the timestamp server.
jarsigner: unable to sign jar: java.lang.RuntimeException: java.net.SocketTimeoutException: Connect timed out
This error is caused by using HTTPS instead of HTTP in the timestamp URL.
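The three command-line causes described above (a file path containing spaces, an incomplete timestamp URL, and an HTTPS timestamp URL) can be caught before jarsigner is run. The following pre-flight check is an added example, not DigiCert's own tooling. The function name, the alias mykey and the host timestamp.example.test are placeholders made up for illustration.

```python
import shlex
from urllib.parse import urlparse

# jarsigner options that take the following argument as their value.
VALUE_OPTS = {
    "-keystore", "-storepass", "-storetype", "-keypass", "-certchain",
    "-sigfile", "-signedjar", "-digestalg", "-sigalg", "-tsa", "-tsacert",
    "-providername", "-providerclass", "-providerarg", "-addprovider",
}

def lint_jarsigner(command):
    """Return (code, message) findings for a jarsigner signing command line."""
    # posix=False keeps backslashes literal and a quoted string as one token,
    # approximating how a Windows command line is split on spaces.
    tokens = shlex.split(command, posix=False)[1:]
    positional, tsa, findings = [], None, []
    i = 0
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok in VALUE_OPTS:
            if tok == "-tsa" and i + 1 < len(tokens):
                tsa = tokens[i + 1].strip('"')
            i += 2                      # skip the option and its value
        elif tok.startswith("-"):
            i += 1                      # flag without a value, e.g. -verbose
        else:
            positional.append(tokens[i])
            i += 1
    # Signing takes exactly two positionals: <jar file> <alias>. An unquoted
    # path with spaces adds more and yields "Only one alias can be specified".
    if len(positional) > 2:
        findings.append(("extra-args", "quote the jar path: %r" % positional[:-1]))
    if tsa is not None:
        scheme = urlparse(tsa).scheme.lower()
        if scheme == "https":
            findings.append(("tsa-https", "timestamp URL uses HTTPS, not HTTP"))
        elif scheme != "http":
            findings.append(("tsa-scheme", "timestamp URL has no http:// scheme"))
    return findings

# Constructed sample commands; alias, paths and timestamp host are placeholders.
BAD = (r"jarsigner -keystore NONE -storetype PKCS11 -tsa timestamp.example.test "
       r"c:\files to signpath\myfile.jar mykey")
GOOD = (r"jarsigner -keystore NONE -storetype PKCS11 -tsa "
        r'http://timestamp.example.test "c:\files to signpath\myfile.jar" mykey')

if __name__ == "__main__":
    for cmd in (BAD, GOOD):
        print(cmd, lint_jarsigner(cmd) or "OK", sep="\n  ")
```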
For a detailed guide to setting up KeyLocker for use with JarSigner, see Configure KeyLocker for JarSigner using the PKCS#11 Library.