If you use self-signed certificate or you certificate provider unknown for your system (as StartSSL in my case), then you get x509: certificate signed by unknown authority error when try to push or clone/fetch your repo with LFS files.
In this case you can tell Git and Git LFS to ignore SSL certificate verification.
It is possible to disable it for one command:
$ GIT_SSL_NO_VERIFY=1 git ...
Or you can disable it completely to repository:
$ git config http.sslverify false
$ git ...
Create a key and a certificate signing request with OpenSSL:
openssl req -new -newkey rsa:4096 -keyout your_key.pem -out your_csr.pem
On StartSSL site under “Object Code Signing” in the second tab on the StartSSL control panel you paste the content of your_csr.pem file and then submit it. At the end of this procedure you receive the certificate in a text field, which you save into a text file under for example your_cert.pem name.
keytool can't import keypair directly for now, but it can inport keystore in different storefornat. That is why intermediate keystore of keypair must be created and pkcs12 storetype used for this:
openssl pkcs12 -export -in your_cert.pem -inkey your_key.pem -out your_keypair.p12 -name YourAlias
During execution of this command you will be prompt for your_key.pem pass phrase which was entered on key generation and for new export password.
Now create final keystore in JKS storetype and add StartSSL base certificates for proper certificate chaining (this step must be done, because base StartSSL certificates is not including by default in JDK yet):
keytool -import -noprompt -trustcacerts -alias startcom.ca -file ca.crt -keystore your_keystore.jks -storepass <your_keystore_pass>
keytool -import -alias startcom.ca.sub -file sub.class2.code.ca.crt -keystore your_keystore.jks -storepass <your_keystore_pass>
The final step it to add keypair from intermediate keystore to final keystore:
keytool -importkeystore -destkeystore your_keystore.jks -deststorepass <your_keystore_pass> -destkeypass <your_key_pass> -srckeystore your_keypair.p12 -srcstoretype PKCS12 -srcstorepass <your_keypair_pass> -alias YourAlias
For now you can signed your jar with created key:
jarsigner -verbose -keystore your_keystore.jks -storepass <your_keystore_pass> -keypass <your_key_pass> YourJar.jar YourAlias
Check that jar was signed correct
jarsigner -verbose -verify -certs YourJar.jar -keystore your_keystore.jks
