I had a week of trouble, signing my web start java applet.

While I signed (with a good COMODO code signing certificate), there was

Warning: The signer’s certificate chain is not validated.

But I didn’t pay much attention to it.

And my signed applet appeared to be of unknown publisher even through “Show details” in browser showed me that applet is signed with the correct certificate. Of cause, it was much restricted – and I need to read user disc, etc… It could be solved my directly installing CA to user computer – but that’s unreasonable to request every user to do it manually. So I suffered for a week and suddenly came up with a solution, inspired by this post (thank you,
Supriya Roy):

1) Install your .pfx certificate with the “Mark this key as exportable. This will allow you to back up or transport your keys at a later time” and “Include all extended properties” checked.

2) Check that that you have full certificate chain for this certificate and it is valid. Otherwise, install neccessary CA.

3) Export the installed certificate with “Yes, export the private key” option and “Include all certificates in the certification path if possible” and “Export all extended properties” checked under the option .PFX or PKCS #12.

4) Use exported .pfx file to sign the JAR. Don’t forget that it could change alias – get new one with

keytool.exe -list -keystore D:\keys\code.pfx -storetype pkcs12

Worked like magic – warning disappeared and my jars are trusted now!