DigiCert KnowledgeBase - Technical Support


Troubleshoot KeyLocker for jSign using the PKCS#11 Library

Solution ID : TB12
Last Modified : 10/02/2024


This article helps you troubleshoot common warning and error messages associated with KeyLocker and jSign, including errors displayed when running a healthcheck and errors raised while signing a file.

Healthcheck Errors:


Your client certificate path or password is incorrect. You will not be able to complete specific actions (such as sign, generate keypairs and approve releases) until these credentials are corrected.

This error can occur if the path set in your Environment Variables is incorrect, or if no file exists at that path.

Open your Environment Variables and ensure that the following variable is correct and points to your client certificate file:

  • Variable name: SM_CLIENT_CERT_FILE
  • Variable value: C:\clientcertpath\Certificate_pkcs12.p12


Another reason for this error is the use of an incorrect client certificate password.

  • Run the following command to delete your credentials: smctl credentials delete
  • Add your credentials again as follows: smctl credentials save <API token> <client certificate password>


A third possible cause is that the client certificate was generated and encrypted using AES with a SHA-256 signature hash. Older versions of Windows cannot open a PKCS#12 file protected this way.

  • Generate a new client certificate and select AES with a SHA-1 signature hash, or select 3DES encryption.
  • SHA-1 and 3DES are legacy algorithms. They affect only how the .p12 file is protected at rest, not the signatures you produce with KeyLocker, but treat the fallback as a workaround for old Windows rather than the default, and keep the file readable only by the account that signs.
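To tell which of the three causes applies before regenerating anything, inspect the algorithms used inside the existing .p12 file. The script below is an added example for this article, not DigiCert's code. It walks the file's DER structure with a small parser and reports the PBE and MAC algorithm OIDs it finds; it also builds two constructed sample files (real PKCS#12 layout, dummy ciphertext and MAC) so it can be exercised offline. The OID table is an assumption about the options DigiCert ONE offers.

```python
"""Report the PBE and MAC algorithms inside a PKCS#12 (.p12) client certificate.
Added example for this article, not DigiCert's code: a minimal DER walker (no
third-party modules) collecting the AlgorithmIdentifier OIDs that decide whether an
older Windows can open the file. Assumption: the OID table covers what DigiCert ONE
offers; other algorithms are simply not reported."""
import sys

OIDS = {
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.6": "pbeWithSHAAnd40BitRC2-CBC",
    "1.2.840.113549.1.5.13": "PBES2",
    "1.2.840.113549.1.5.12": "PBKDF2",
    "1.2.840.113549.2.9": "hmacWithSHA256",
    "2.16.840.1.101.3.4.1.42": "aes256-CBC",
}
LEGACY = {"sha1", "pbeWithSHAAnd3-KeyTripleDES-CBC", "pbeWithSHAAnd40BitRC2-CBC"}
MODERN = {"sha256", "PBES2", "PBKDF2", "hmacWithSHA256", "aes256-CBC"}

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad length")
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    if not body: raise ValueError("empty OID")
    arcs, n = [body[0] // 40, body[0] % 40], 0            # first byte packs two arcs
    for b in body[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def _walk(buf, found):
    """Collect OIDs. Constructed elements are entered directly; an OCTET STRING only
    when its whole content parses as a SEQUENCE (the unencrypted PKCS#7 data safes)."""
    pos = 0
    while pos < len(buf):
        tag, val, pos = _read_tlv(buf, pos)
        if tag == 0x06:
            found.append(_decode_oid(val))
        elif tag & 0x20:
            _walk(val, found)
        elif tag == 0x04 and val[:1] == b"\x30":
            inner = []
            try:
                _walk(val, inner)
            except ValueError:
                continue                                 # ciphertext, not DER: skip
            found.extend(inner)

def inspect_p12(data):
    """Return (verdict, sorted names): 'modern' = SHA-256/PBES2-AES, the combination
    older Windows rejects; 'legacy' = SHA-1 MAC with 3DES/RC2 PBE."""
    if data[:1] != b"\x30":
        raise ValueError("not a DER-encoded PKCS#12 file")
    oids = []
    _walk(data, oids)
    names = {OIDS[o] for o in oids if o in OIDS}
    verdict = "modern" if names & MODERN else "legacy" if names & LEGACY else "unknown"
    return verdict, sorted(names)

# Constructed sample files for offline use: real PKCS#12 layout, dummy ciphertext/MAC.
def _tlv(tag, body):
    n = len(body)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + ln + body

def _oid(dotted):
    a = [int(x) for x in dotted.split(".")]
    out = [a[0] * 40 + a[1]]
    for v in a[2:]:
        chunk = [v & 0x7F]
        while v > 0x7F:
            v >>= 7
            chunk.append(0x80 | (v & 0x7F))
        out += reversed(chunk)
    return _tlv(0x06, bytes(out))

def build_sample_p12(mac_oid, key_alg):
    eci = _tlv(0x30, _oid("1.2.840.113549.1.7.1") + key_alg + _tlv(0x80, b"\xde\xad" * 8))
    enc = _tlv(0x30, _oid("1.2.840.113549.1.7.6") + _tlv(0xA0, _tlv(0x30, _tlv(0x02, b"\0") + eci)))
    auth = _tlv(0x30, _oid("1.2.840.113549.1.7.1") + _tlv(0xA0, _tlv(0x04, _tlv(0x30, enc))))
    mac = _tlv(0x30, _tlv(0x30, _tlv(0x30, _oid(mac_oid) + b"\x05\x00") + _tlv(0x04, b"\0" * 20))
               + _tlv(0x04, b"\0" * 8) + _tlv(0x02, b"\x08\0"))
    return _tlv(0x30, _tlv(0x02, b"\x03") + auth + mac)

LEGACY_ALG = _tlv(0x30, _oid("1.2.840.113549.1.12.1.3")
                  + _tlv(0x30, _tlv(0x04, b"\0" * 8) + _tlv(0x02, b"\x08\0")))
MODERN_ALG = _tlv(0x30, _oid("1.2.840.113549.1.5.13") + _tlv(0x30, _tlv(0x30,
    _oid("1.2.840.113549.1.5.12") + _tlv(0x30, _tlv(0x04, b"\0" * 8) + _tlv(0x02, b"\x08\0")
    + _tlv(0x30, _oid("1.2.840.113549.2.9") + b"\x05\x00")))
    + _tlv(0x30, _oid("2.16.840.1.101.3.4.1.42") + _tlv(0x04, b"\0" * 16))))

if __name__ == "__main__":
    print(inspect_p12(open(sys.argv[1], "rb").read()))
```

Run it against the real file (for example python p12_algs.py Certificate_pkcs12.p12, with the script and file names as placeholders). A 'modern' verdict means the file uses a SHA-256 MAC or PBES2/AES and needs either a current Windows build or the legacy fallback above; a 'legacy' verdict means the file format itself is not why the healthcheck fails, so look at the path and the stored password instead.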



Status: Connection failed

This error can be caused by using an invalid API key.

  • Ensure that you have entered the correct API key string. This is displayed in the healthcheck results under Credentials.
  • If the API key string is incorrect, delete the existing credentials by running the following command: smctl credentials delete
  • Once the credentials have been deleted, add the correct credentials by running this command: smctl credentials save <API token> <client certificate password>


Note: jSign is not listed among the mapped signing tools in the healthcheck output. This is expected and is not an error.

jSign Errors:


'jsign' is not recognized as an internal or external command, operable program or batch file.

This message appears when Windows cannot find jsign.exe because the directory that contains it is not on the PATH.

  • Open your Environment Variables and add the directory that contains jsign.exe to the PATH variable, then open a new command prompt so that the change takes effect.


jsign: Failed to load the keystore C:\Program Files\DigiCert\DigiCert KeyLocker Tools\pkcs11properties.cfg
java.security.KeyStoreException: Unable to load the keystore C:\Program Files\DigiCert\DigiCert KeyLocker Tools\pkcs11properties.cfg
        at net.jsign.KeyStoreType.getKeystore(KeyStoreType.java:486)
        at net.jsign.KeyStoreBuilder.build(KeyStoreBuilder.java:283)
        at net.jsign.SignerHelper.build(SignerHelper.java:256)
        at net.jsign.SignerHelper.sign(SignerHelper.java:388)
        at net.jsign.JsignCLI.execute(JsignCLI.java:132)
        at net.jsign.JsignCLI.main(JsignCLI.java:40)
Caused by: java.io.IOException: load failed
        at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:781)
        at java.base/java.security.KeyStore.load(KeyStore.java:1473)
        at net.jsign.KeyStoreType.getKeystore(KeyStoreType.java:483)
        ... 5 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_FAILED
        at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_FindObjectsInit(Native Method)
        at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.findObjects(P11KeyStore.java:2676)
        at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.mapLabels(P11KeyStore.java:2291)
        at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.engineLoad(P11KeyStore.java:771)
        ... 7 more
Try `java -jar jsign.jar --help' for more information.

This error will appear if your KeyLocker credentials have not been configured or if the incorrect API key has been used.

  • If the API key string is incorrect, delete the existing credentials by running the following command: smctl credentials delete
  • To add your credentials, run the following command: smctl credentials save <API token> <client certificate password>



jsign: Couldn't sign C:\filestosignpath\myfile.exe
java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_FAILED
        at jdk.crypto.cryptoki/sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:671)
        at java.base/java.security.Signature$Delegate.engineSign(Signature.java:1423)
        at java.base/java.security.Signature.sign(Signature.java:712)
        at net.jsign.bouncycastle.operator.jcajce.JcaContentSignerBuilder$1.getSignature(Unknown Source)
        at net.jsign.bouncycastle.cms.SignerInfoGenerator.generate(Unknown Source)
        at net.jsign.bouncycastle.cms.CMSSignedDataGenerator.generate(Unknown Source)
        at net.jsign.bouncycastle.cms.CMSSignedDataGenerator.generate(Unknown Source)
        at net.jsign.asn1.authenticode.AuthenticodeSignedDataGenerator.generate(AuthenticodeSignedDataGenerator.java:50)
        at net.jsign.AuthenticodeSigner.createSignedData(AuthenticodeSigner.java:373)
        at net.jsign.AuthenticodeSigner.sign(AuthenticodeSigner.java:348)
        at net.jsign.SignerHelper.sign(SignerHelper.java:394)
        at net.jsign.JsignCLI.execute(JsignCLI.java:132)
        at net.jsign.JsignCLI.main(JsignCLI.java:40)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_FAILED
        at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_SignFinal(Native Method)
        at jdk.crypto.cryptoki/sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:621)
        ... 12 more
Try `java -jar jsign.jar --help' for more information.


This error means that the PKCS#11 library could not use the signing key. The usual cause is an incorrect client certificate password in the stored credentials.

  • Delete the existing credentials by running the following command: smctl credentials delete
  • Once the credentials have been deleted, add the correct credentials by running this command: smctl credentials save <API token> <client certificate password>

This error can also occur if no signer has been added to your certificate in DigiCert ONE, in which case the keypair cannot be used for signing until a signer is assigned.


Error: Unable to access jarfile <file path>

This error appears if the path to jsign-5.0.jar contains spaces and is not quoted. For example: C:\jsign path\jsign-5.0.jar

  • Enclose the full path to the file in straight double quotes as follows: "C:\jsign path\jsign-5.0.jar". Curly quotes pasted from a document or web page are not recognised by the command interpreter.

jsign: The file <file path> couldn't be found

This error can mean that either the pkcs11properties.cfg file or the file that you want to sign cannot be found.

  • Ensure that the correct paths and file names have been included in your signing command. If the path contains spaces, enclose the full path to the file in quotation marks as follows: "C:\files to sign path\myfile.exe"

jsign: No certificate found under the alias '<keypairalias>' in the keystore SunPKCS11-signingmanager (available aliases: <keypairalias1>, <keypairalias2>)
Try `java -jar jsign.jar --help' for more information.


This error means that the keypair alias referenced in the signing command does not exist in the keystore. The message itself lists the aliases that are available.

  • Use the correct keypair alias in the signing command: one of the aliases listed in the message, which should match the alias shown for your code signing certificate when you log in to your DigiCert ONE account.


jsign: keystore option should either refer to the SunPKCS11 configuration file or to the name of the provider configured in jre/lib/security/java.security

Try `java -jar jsign.jar --help' for more information.

This error will appear when jSign cannot locate your pkcs11properties.cfg file.

  • Ensure that you are referencing the correct file name and path in your signing command.
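Several of the jSign errors above (the jar not accessible, a file not found, the keystore option not resolved, jsign not recognised) come down to paths and quoting. The script below is an added example for this article, not DigiCert's or jSign's code. It checks the pieces those errors trace back to and builds the jsign command as an argument list, so paths with spaces are quoted correctly for cmd.exe. The jsign options it uses (--keystore, --storetype, --storepass, --alias, --tsaurl) are jsign's own, and the pkcs11properties.cfg path is the one shown in the stack trace above, but the exact command line DigiCert recommends, including --storepass NONE, is an assumption here; take the authoritative form from the configuration guide linked at the end of this article.

```python
"""Pre-flight check for a KeyLocker + jSign signing run.

Added example for this article, not DigiCert's or jSign's code. The checks map to
the errors in the article: SM_CLIENT_CERT_FILE, java and smctl on PATH, the jar, the
PKCS#11 config and the file to sign. Assumption: the jsign command shape below
(--storepass NONE with storetype PKCS11) matches DigiCert's guide; confirm it there.
"""
import os
import shutil
import subprocess
import sys

# Path from the article's stack trace; override with the fourth argument if different.
DEFAULT_CFG = r"C:\Program Files\DigiCert\DigiCert KeyLocker Tools\pkcs11properties.cfg"


def check_setup(jar, cfg, target, env=os.environ, exists=os.path.isfile, which=shutil.which):
    """Return a list of problems (empty when everything is in place). env, exists and
    which are injectable so the check can be run against a simulated machine."""
    problems = []
    cert = env.get("SM_CLIENT_CERT_FILE")
    if not cert:
        problems.append("SM_CLIENT_CERT_FILE is not set")
    elif not exists(cert):
        problems.append(f"SM_CLIENT_CERT_FILE points to a missing file: {cert}")
    if which("java") is None:
        problems.append("java is not on PATH")
    if which("smctl") is None:
        problems.append("smctl is not on PATH (needed to store credentials)")
    for label, path in (("jsign jar", jar), ("PKCS#11 config", cfg), ("file to sign", target)):
        if not exists(path):
            problems.append(f"{label} not found: {path}")
    return problems


def build_jsign_argv(jar, cfg, alias, target, tsaurl="http://timestamp.digicert.com"):
    """The jsign invocation as an argv list: each path is one argument, so no manual
    quoting is needed and a path with spaces cannot be split by the shell."""
    return ["java", "-jar", jar, "--keystore", cfg, "--storetype", "PKCS11",
            "--storepass", "NONE", "--alias", alias, "--tsaurl", tsaurl, target]


def render_for_cmd(argv):
    """The same command as a single cmd.exe line; arguments containing spaces are
    wrapped in straight double quotes, which is what the article asks for."""
    return subprocess.list2cmdline(argv)


if __name__ == "__main__":
    # usage: preflight.py <jsign jar> <keypair alias> <file to sign> [pkcs11properties.cfg]
    jar, alias, target = sys.argv[1:4]
    cfg = sys.argv[4] if len(sys.argv) > 4 else DEFAULT_CFG
    problems = check_setup(jar, cfg, target)
    for p in problems:
        print("PROBLEM:", p)
    argv = build_jsign_argv(jar, cfg, alias, target)
    print(render_for_cmd(argv))
    if not problems:
        sys.exit(subprocess.call(argv))
```

When a problem is reported the script only prints the command it would have run, so you can compare the rendered line with what you typed; the quoting it prints is the form cmd.exe accepts, and differs from a curly-quoted or unquoted path only in the characters around the paths.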


For a detailed guide to setting KeyLocker up for use with jSign see Configure KeyLocker for jSign using the PKCS#11 Library.