![]() There is even a more simple solution as asked for in some comments (without saving root and intermediate certs in /etc/ssl/certs)įirst copy all the needed root and intermediate certificates in a folder (in our example the folder is '~/certs' and our two certificates are named 'Primar圜A.pem' and 'Secondar圜A.pem'): mkdir ~/certs I just tried another way by inserting the chain directly in the PKCS#12 certificate and get the following error: $ openssl pkcs12 -export -CAfile chain.pem -in mycert.cert -inkey mykey.pem -out key_and_cert.p12 -name tomcat -chainĮrror unable to get issuer certificate getting chain.īut the chain certificate is ok: $ openssl verify chain.pem I also tried to import the intermediate certificate first and then call -importkeystore. When importing the pkcs12 certificate, there is no certificate chain error, because the -importkeystore command doesn't checks the chain. I think tomcat doesn't deliver the intermediate certificate although it knows it. Verify return code: 21 (unable to verify the first certificate) New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA SSL handshake has read 1777 bytes and written 289 bytes Issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2 Subject=/C=DE/OU=Domain Control Validated/CN= I:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2 Verify error:num=21:unable to verify the first certificateĠ s:/C=DE/OU=Domain Control Validated/CN= Verify error:num=27:certificate not trusted Verify error:num=20:unable to get local issuer certificate ![]() Running "openssl s_client -connect :443 -showcerts" returns CONNECTED(00000003)ĭepth=0 C = DE, OU = Domain Control Validated, CN = The certificate is not trusted because no issuer chain was provided. When I restart tomcat, it logs no errors in catalina.out, everything seems to be ok.īut when I run firefox, it reports uses an invalid security certificate. Here the output of "keytool -keystore keystore.jks -list": Keystore-Typ: JKS Then I import the intermediate certificate chain.crt: keytool -import -trustcacerts -alias root -file chain.crt -keystore keystore.jks ![]() So I created a PKCS#12 file out of my key and my certificate: openssl pkcs12 -export -in mycert.cert -inkey mykey.pem -out key_and_cert.p12Īnd then created a keystore containing it: keytool -importkeystore -deststorepass -destkeystore keystore.jks -srckeystore key_and_cert.p12 -srcstoretype PKCS12 -srcstorepass Then I sent the csr to a CA and got the certificate back. I created a key and a csr on console, using the openssl executable. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |