
How do I import the private and public keys (pvk,s

Posted 2020-07-30 06:37

Question:

We have Microsoft Authenticode certificates purchased from Thawte (.cer, pvk and spc files) and want to reuse them to sign Java jar files. See http://www.thawte.com/code-signing/index.html In other words, I do not want to make a second (and unnecessary) purchase - to buy the Java code signing certs also listed below on that page. Note: Thawte allows this but will not support it.

Thawte_Code_Signing_Intermediate_CA.cer, Thawte_Primary_Intermediate_Root_CA.cer, Thawte_Primary_Root_CA_Cross.cer

I have the pvk and spc files.

How do I import the private and public keys and certificates into the keystore?

Following the steps here http://docs.oracle.com/javase/tutorial/security/toolsign/signer.html

keytool -import -trustcacerts -keystore mykeystore -alias primary_root -file Thawte_Primary_Root_CA_Cross.cer
keytool -import -trustcacerts -keystore mykeystore -alias intermediate_root -file Thawte_Primary_Intermediate_Root_CA.cer
keytool -import -trustcacerts -keystore mykeystore -alias myalias -file Thawte_Primary_Intermediate_Root_CA.cer

Trying to use NetBeans 7.3 to sign the jar by pointing it to the keystore and doing a build produces:

jarsigner: Certificate chain not found for: primary_root. primary_root must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.

I realize I must import the private and public keys and certificates into the keystore, but it is not clear how. Posts like this talk of .crt files, so it does not seem the same thing. https://stackoverflow.com/a/8224863/398348 also https://stackoverflow.com/a/9131421/398348

unable to load PKCS7 object

Answer 1:

More details would help; however, the files you list here seem to be CA certificate chain certificates, e.g. none of the file names seem to indicate that they contain a code signing certificate. Guessing from your file names, you need to import the .spc and .pvk files to the keystore.

You have to have access to an OpenSSL command line tool to do that. Either use a Linux/Unix machine or install Cygwin to get access to it.

Convert the spc file to a more sane format:

openssl pkcs7 -inform DER -in mycert.spc -print_certs -out mycert.crt

Use OpenSSL to convert the key pair (the correct .crt and corresponding .pvk file) to a PKCS#12 keystore:

openssl pkcs12 -export -in mycert.crt -inkey mycert.pvk \
           -out mycert.p12 -name some-alias

Convert the PKCS#12 format file into Java keystore format:

keytool -importkeystore \
    -deststorepass changeit -destkeypass changeit -destkeystore mycert.keystore \
    -srckeystore mycert.p12 -srcstoretype PKCS12 -srcstorepass some-password \
    -alias some-alias

See also:

http://www.drh-consultancy.demon.co.uk/pkcs12faq.html

importing an existing x509 certificate and private key in Java keystore to use in ssl
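
A check worth running between the first and second steps of the answer above, as an added example that is not part of the original answer: a .spc can carry several certificates, and only the one whose public key matches the private key can form a key entry that jarsigner will accept. The script assumes the private key is already in PEM form; the function names, file names and subjects are constructed for the demonstration.

```shell
#!/bin/sh
# Added example; every file name and subject below is constructed.

# Succeeds when the certificate in $2 carries the public key of private key $1.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Print the subject of the certificate in PEM bundle $2 that matches key $1.
# Returns 1 when no certificate in the bundle matches.
find_signer_cert() {
    work=$(mktemp -d) || return 1
    # Write each certificate of the bundle to its own file: cert.1, cert.2, ...
    awk -v dir="$work" '/-----BEGIN CERTIFICATE-----/ {n++; keep=1}
         keep {print > (dir "/cert." n)}
         /-----END CERTIFICATE-----/ {keep=0}' "$2"
    rc=1
    for c in "$work"/cert.*; do
        [ -f "$c" ] || continue
        if key_matches_cert "$1" "$c"; then
            openssl x509 -in "$c" -noout -subject -nameopt RFC2253
            rc=0
            break
        fi
    done
    rm -rf "$work"
    return $rc
}

# Build a constructed .spc with two certificates (only one belongs to signer.key),
# then convert it to PEM with the same pkcs7 command the answer uses.
make_demo_spc() {
    out_dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$out_dir/ca.key" -out "$out_dir/ca.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Signer" \
        -keyout "$out_dir/signer.key" -out "$out_dir/signer.pem" 2>/dev/null &&
    openssl crl2pkcs7 -nocrl -certfile "$out_dir/ca.pem" \
        -certfile "$out_dir/signer.pem" -outform DER -out "$out_dir/demo.spc" &&
    openssl pkcs7 -inform DER -in "$out_dir/demo.spc" -print_certs -out "$out_dir/demo.crt"
}

# Demo run on constructed material: prints the subject of the matching certificate.
demo=$(mktemp -d) && make_demo_spc "$demo" &&
    find_signer_cert "$demo/signer.key" "$demo/demo.crt"
rm -rf "$demo"
```

If `find_signer_cert` returns 1 for the real key and the converted .crt, the resulting keystore will not contain a usable key entry for signing, whatever alias is chosen.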



Answer 2:

It is clear that you typed the wrong alias "primary_root" when trying to sign your jar.

Check your alias using:

keytool.exe -list -keystore YOUR_KEYSTORE -storetype YOUR_STORE_TYPE