
The SSL protocol can supply all certs in the chain of trust, instead of only the public key of the signer. So my question: can a Jar file also contain all (or multiple) certs in the chain of trust?

It's because our jars are signed by a relatively unknown entity which in turn is signed by VeriSign.

I don't want to bother the client (running the Web Start application) with fixing his local Java Web Start keystore so that all certificates in the chain of trust are in it.


1 Answer


You'll want to sign your jar with an entry that is fully-chained instead of just your certificate.

There's a good tutorial here on how to create a keystore that contains a well-formed fully-chained keystore entry: Adding certificate chain to p12(pfx) certificate

Alternatively, look at "Creating a .pem with the Private Key and Entire Trust Chain" here: http://www.digicert.com/ssl-support/pem-ssl-creation.htm

Once you have your full PEM file, convert it into a keystore as described in the tutorial and sign your jar using your entry.

> openssl pkcs12 -export -in chain.pem -out chain.pfx
> keytool -list -v -keystore chain.pfx -storetype PKCS12
Enter keystore password:  ...

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: 1
Creation date: date
Entry type: PrivateKeyEntry
Certificate chain length: 3 (anything above 1 means your entry is chained)
......

> jarsigner -tsa http://timestamp.SOME_CA.com -keystore chain.pfx -storetype PKCS12 -storepass PASSWORD YOUR_JAR.jar 1

NB: the "1" in jarsigner above is actually the Alias name of the imported pem file.

Once your keystore has an entry that contains the full certificate chain, sign your jar using this entry and the RSA file will
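The procedure the answer describes, as an added example that is not part of the original answer: it builds a throwaway three-level chain (root CA, intermediate CA, code-signing leaf) with openssl, bundles the leaf key with the whole chain into a PKCS12, then counts the certificates in the PKCS12 the way the answer's keytool listing does, and contrasts it with a leaf-only PKCS12 (the broken case). The keytool and jarsigner steps run only when a JDK is on PATH. All names (root/inter/leaf.key and .pem, chain.pfx, leaf-only.pfx, the alias "codesign", the password "changeit", demo.jar) are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original answer). Builds a throwaway three-level
# chain (root CA -> intermediate CA -> code-signing leaf) with openssl, bundles
# the leaf key together with the WHOLE chain into a PKCS12, and checks that the
# entry really carries every certificate before it is handed to jarsigner.
# Assumed names for the demo: root/inter/leaf.{key,pem}, chain.pfx,
# leaf-only.pfx, alias "codesign", password "changeit", demo.jar.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="changeit"
cd "$WORK"

# Create root -> intermediate -> leaf in the working directory (unencrypted keys: demo only).
make_demo_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=codeSigning\n' > leaf.ext

    # Self-signed root (stands in for the well-known CA root).
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Root CA" \
        -keyout root.key -out root.csr 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
        -extfile ca.ext -out root.pem 2>/dev/null
    # Intermediate CA issued by the root (the "relatively unknown entity").
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate CA" \
        -keyout inter.key -out inter.csr 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 1825 -sha256 -extfile ca.ext -out inter.pem 2>/dev/null
    # Code-signing leaf issued by the intermediate: this is the jar signer.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Code Signer" \
        -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -days 365 -sha256 -extfile leaf.ext -out leaf.pem 2>/dev/null

    # Sanity check: the leaf must chain to the root through the intermediate.
    openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem >/dev/null
}

# Bundle leaf.key with the given PEM cert files (leaf first) into a PKCS12.
# $1 = output file name, remaining args = cert files to include.
make_pfx() {
    out="$1"; shift
    cat "$@" > "bundle.$$.pem"
    openssl pkcs12 -export -inkey leaf.key -in "bundle.$$.pem" -name codesign \
        -passout "pass:$PASS" -out "$out"
    rm -f "bundle.$$.pem"
}

# The answer's keytool check done with openssl: print how many certificates the
# PKCS12 carries. Anything above 1 means the entry is chained.
cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Same check with keytool when a JDK is on PATH (prints 0 when it is not, or
# when this keytool cannot read the file, e.g. an old JDK vs. OpenSSL 3 defaults).
java_chain_length() {
    command -v keytool >/dev/null 2>&1 || { echo 0; return 0; }
    keytool -list -v -keystore "$1" -storetype PKCS12 -storepass "$PASS" 2>/dev/null \
        | sed -n 's/^Certificate chain length: *\([0-9]*\).*/\1/p' | head -n 1 | grep . || echo 0
}

# Sign a throwaway jar with the chained entry and show what the signature
# block (META-INF/CODESIGN.RSA) carries. Skipped without a JDK; no TSA (offline demo).
sign_demo_jar() {
    command -v jarsigner >/dev/null 2>&1 || { echo "no JDK on PATH, skipping jarsigner"; return 0; }
    echo "hello" > hello.txt
    jar cf demo.jar hello.txt
    jarsigner -keystore chain.pfx -storetype PKCS12 -storepass "$PASS" demo.jar codesign
    jarsigner -verify -verbose -certs demo.jar   # lists signer, intermediate and root
}

make_demo_chain
make_pfx chain.pfx leaf.pem inter.pem root.pem   # what the answer wants: full chain
make_pfx leaf-only.pfx leaf.pem                  # the broken case: signer cert only
echo "chain.pfx carries $(cert_count chain.pfx) certificate(s)"         # 3
echo "leaf-only.pfx carries $(cert_count leaf-only.pfx) certificate(s)" # 1
echo "keytool chain length for chain.pfx: $(java_chain_length chain.pfx)"
sign_demo_jar
```

Two practical caveats. OpenSSL 3.x writes PKCS12 files with PBES2/AES by default, which old JDKs cannot read; if keytool refuses the file, re-export with `-legacy` (OpenSSL 3 with the legacy provider) or with `-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1`. And jarsigner itself has a `-certchain <file>` option for supplying the chain when the keystore entry lacks it, so fixing the keystore entry is not the only route; either way, `jarsigner -verify -verbose -certs` on the signed jar is the place to confirm that the signature block really carries the intermediate, since that is what the client's Web Start validates against the roots it already trusts.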
