Failed to load a certificate message when packaging for Android.

Answered

Hi,

We have tried packaging the application for iOS and Android, iOS works just fine, but on Android it prompts this error message:

"cert.p12: Failed to load a certificate".

At first, I wasn't sure about which type of certificate we had because it was created 5 years ago, so I looked up how to find out the certificate type with openssl and got this information:

MAC Iteration 1024
MAC verified OK
PKCS7 Data

We tried setting up the module's keystore type as PKCS7 but no luck either, the error reads: "cert.p12: Keystore type is not available: PKCS7". Also, we tried editing the jvm.config's JAVA_HOME path to point to the local user's JAVA_HOME but no luck either.

I understand that indeed our .p12 is too old for this fix. Now our question is, has anyone here faced the same issue and solved it some other way? It honestly sounds weird to have to downgrade the Java version to an older one. In any case, we read here (https://intellij-support.jetbrains.com/hc/en-us/articles/206544879) that Java 8 is required to run Intellij Idea so, I don't think downgrading is going to fix this for us.

Thanks beforehand,

22 comments
Comment actions Permalink

For those of you having problems still with this.. try the following and make sure you are on the exact JDK listed below. I tried everything that was told to me in this forum and this is what got my Android app certificate being accepted during packaging.

 

  1. Start the IDE, use Help | Find Action (Ctrl+Shift+A or Cmd+Shift+A on Mac), type "Switch IDE Boot JDK", press Enter.
  2. Switch IDE Boot JDK dialog appears. Select the version from the drop-down or click "…" entry to specify the custom location. This location has to point to the JDK installation home directory (like c:\Program Files (x86)\Java\jdk1.8.0_112 or /Library/Java/JavaVirtualMachines/jdk1.8.0_112.jdk/Contents/Home/ or /usr/lib/jvm/open-jdk).
  3. Please note that using JetBrains Runtime is highly recommended for performance and stability reasons (it fixes many known OpenJDK and Oracle JDK bugs).
  4. Selected location is stored inside the idea.config.path\<product>.jdk file, should you need to revert to the default behavior in case of any problem (like when IDE no longer starts), delete this file or modify the installation path inside.
1
Comment actions Permalink

Hi Serge, thanks for the reply. I already read that and switched the Java version like I stated in the original post but it didn't work either. Any other workarounds that you know about?

Thanks,

 

0
Comment actions Permalink

No other workarounds exist. Double check the Java version was really changed. Verify with the command line adt build.

0
Comment actions Permalink

Hi Serge,H

 

We double checked and the file is pointing to the right place, this is what java.home looks like right now:

java.home=/Library/Java/JavaVirtualMachines/jdk1.8.0_144.jdk/Contents/Home

For what I understand, that's pointing to the JDK8 (Version 144), so it's higher thanJDK8 u112.

Also, I really don't know how to "verify with the command line adt", I just tested it the tough way, by removing the last char of the java.home path and hence, forcing a compiler error when attempting to build the project which prompts this error:

Error:[Project (dev) (module Project)]: Cannot run program "/Library/Java/JavaVirtualMachines/jdk1.8.0_144.jdk/Contents/Hom/bin/java" (in directory "/Users/user/workspaceTest/Project"): error=2, No such file or directory

Notice that after removing the "e" from Home, it all fails so yes, it's using the right SDK.

Couldn't it be related to what Alexander Doroshko stated on its last comment on the post you pasted here? The one that reads:

We've updated bundled temporary self-signed certificate to be 2048-RSA. The fix will appear in IntelliJ IDEA 2017.2.x update release. For now, a trick with setting an older Java in [AIR SDK]/bin/jvm.comfig file works fine.

However, the trick with jvm.config doesn't work with user's custom 1024-RSA certificate and there's no way to fix it. It is not possible to enter your keystore password in the IDE dialog for such certificates. If by some reason you need to work with your own 1024-RSA certificate then you'll need either to use the ADT tool from the command line with compatible (older) Java or to configure older JDK to be used for IntelliJ IDEA itself.

0
Comment actions Permalink

Why do you use Java version 144? The forum thread I've linked above clearly states the following:

8u112 or older

0
Comment actions Permalink

Hi Serge,

My apologies, at first glance I considered "older" to be "released afterwards", I nevertheless changed it to a version 112, and got unlucky too.

I've also tried all my currently Java versions installed on my computer and got no lucky either:

    1.8.0_144, x86_64: "Java SE 8" /Library/Java/JavaVirtualMachines/jdk1.8.0_144.jdk/Contents/Home

    1.8.0_112, x86_64: "Java SE 8" /Library/Java/JavaVirtualMachines/jdk1.8.0_112.jdk/Contents/Home

    1.7.0_80, x86_64: "Java SE 7" /Library/Java/JavaVirtualMachines/jdk1.7.0_80.jdk/Contents/Home

    1.6.0_65-b14-468, x86_64: "Java SE 6" /Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home

    1.6.0_65-b14-468, i386: "Java SE 6" /Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home

Any other advice? Could it be related to the certificate itself?

Thanks for your help so far.

0
Comment actions Permalink

I forgot to say that I also made sure not to be using blank spaces on the certificate path.

0
Comment actions Permalink

Just as extra information, we are able to replicate this issue by creating a Simple Android project from scratch and configuring it with our old certificate.

0
Comment actions Permalink

What AIR SDK version do you use? Will it work with older AIR SDKs? It could be that your certificate doesn't match new AIR SDK requirements.

To package an AIR app IntelliJ IDEA simply calls the ADT tool from the AIR SDK. You may play with the tool and its options right from the command line. See https://help.adobe.com/en_US/air/build/WS901d38e593cd1bac1e63e3d128cdca935b-8000.html

Did you see similar problems in the Adobe's forums (https://forums.adobe.com/community/air)?

0
Comment actions Permalink

Hi Alexander, thanks for your reply. We are currently using AIR 26, we have also tried using 28 but no luck either.

I didn't know IDEA uses directly ADT tool to package. We are currently using Flash Builder 4.7 but we wanted to switch to your framework, as far as I know FB also uses ADT tool to compile/package. We can nevertheless, package release builds with it. The error message that is prompted by idea ("Failed to load a certificate") is it directly exported from the ADT tool response?

The only thing we found by looking at the forums is the following post (https://forums.adobe.com/thread/2297836?start=40&tstart=0) which reads:

"Hi All,

AIR team has investigated this issue and found that unfortunately there is nothing that AIR team can fix here as the certificate type (1024 RSA) is not supported by the latest Java(8u121). They have raised a bug with Oracle to see if they can provide a fix for this issue in the next Java update. "

Could it be possible that we actually need Intellij IDEA framework itself to be using a different Java version (instead of only modifying the jvm.config file?)

0
Comment actions Permalink

Yes, all errors that you see in the IDE come directly from the ADT tool.

It looks like your problem is not the 1024 RSA certificate type, otherwise, you'd fail at earlier step (you wouldn't be able to enter the password in the IDE dialog). But I can't say exactly what the problem is. The only info I have is the error message that you've pasted.

Did this certificate ever work with IntelliJ IDEA? Try AIR SDKs older than 26. Try playing with the ADT tool from the command line.

0
Comment actions Permalink

Thanks Alexander, we will play around with the ADT tool to get it working. Will update here as soon as we have news.

Regards,

0
Comment actions Permalink

Though I use the latest 2018 version of IntelliJ IDEA, I use an old version of IntelliJ IDEA (version 15) to build my APKs with my old1024-RSA P12 certificate. This old version stayed on my Mac but maybe you can download it and use it at https://www.jetbrains.com/idea/download/previous.html  

Regards,

0
Comment actions Permalink

Hi Pierre, thanks for the suggestion. We haven't got time yet to play with the ADT tool to try find the source of the issue, anyways, we will try your suggestion if that doesn't work. Thank you very much for the reply

0
Comment actions Permalink

Nice one Justin, that just saved me hours!

0
Comment actions Permalink

Justin, thank you!

Your advice worked for me, but Idea on olderst JRE looks strange, so I will be required to switch to old JRE only for packaging AIR apps. 

I've tried to use jvm.config in Flex SDK but got NO reaction at all. Still Idea option JRE is used... It would be so nice to specify JRE in jvm.config . Do you have any solution?

0
Comment actions Permalink

Does it use older version if you run packaging from command line?

0
Comment actions Permalink

Yaroslav, how could I try it? Never tried before

0
Comment actions Permalink

Yaroslav,

Not very comfortable to use ADT command line. Much easier to switch JRE inside Idea. But the most perfect way is to get this bug fixed. 

0
Comment actions Permalink

Feel  free to open new issue on YouTrack: http://youtrack.jetbrains.com/issues/IDEA.

0

Please sign in to leave a comment.