I would like to create a keystore file with a certificate and a chain.cer file.

```
# openssl pkcs12 -export -chain -CAfile chain.cer -in example.cer -inkey example.key -out keystore.jks -name tomcat -passout pass:changeit
Error unable to get issuer certificate getting chain.
```

Question

Does anyone know what I am doing wrong?

Aaron Copley
Sandra

1 Answer

keytool is the command you are looking for to work with Java keystore files. It is provided by the Java JDK. (You might be able to do it with openssl, but I am not aware of it.)

And to import a root or intermediate CA certificate into a keystore:

```
keytool -import -trustcacerts -alias root -file cachain.crt -keystore keystore.jks
```

For more information and examples:
The Most Common Java Keytool Keystore Commands

Aaron Copley
  • `keytool` looks very interesting. When I do this, Internet Explorer can still not see the chain cert. Works in FF and Chrome though. – Sandra Jan 15 '13 at 16:07
  • Interesting. Try adding the individual certificates instead of a chain? Sounds like an IE problem at that point. – Aaron Copley Jan 15 '13 at 16:16
  • Correction. Just tried with FF on Windows. It also thinks the certificate is untrusted. – Sandra Jan 15 '13 at 16:19
  • How do I "add the individual certificates"? – Sandra Jan 15 '13 at 16:21
  • Instead of importing one chain cert, source the certificates (from the issuer) which make up the chain. Refer to the examples in the link above. – Aaron Copley Jan 15 '13 at 16:28
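
An added example, not part of the original question, answer or comments: `openssl pkcs12 -export -chain` only succeeds when the file given to `-CAfile` holds every issuer up to a self-signed root, so the script below checks that with `openssl verify` before running the export from the question. The root/intermediate/leaf hierarchy, the subject names, `inter.cer`, `keystore.p12` and all function names are constructed for the demonstration.

```shell
# Added example: every key, subject and helper name below is constructed for this demo.
# issue NAME CN EXT [CA]: create NAME.key and NAME.cer, signed by CA (self-signed if omitted)
issue() {
    printf '%s\n' "$3" > "$1.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -subj "/CN=$2" \
        -out "$1.csr" 2>/dev/null || return 1
    if [ -n "$4" ]; then
        openssl x509 -req -in "$1.csr" -CA "$4.cer" -CAkey "$4.key" -CAcreateserial \
            -extfile "$1.ext" -days 2 -out "$1.cer" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -signkey "$1.key" \
            -extfile "$1.ext" -days 2 -out "$1.cer" 2>/dev/null
    fi
}

# make_pki DIR: constructed root -> intermediate -> example (leaf) hierarchy in DIR
make_pki() (
    cd "$1" || exit 1
    issue root "Constructed Root CA" "basicConstraints=critical,CA:TRUE" &&
    issue inter "Constructed Intermediate CA" "basicConstraints=critical,CA:TRUE" root &&
    issue example "example.test" "basicConstraints=CA:FALSE" inter &&
    cat inter.cer root.cer > chain.cer   # complete chain: every issuer up to the root
)

# chain_complete LEAF CAFILE: true only if CAFILE holds every issuer up to a self-signed root
chain_complete() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# export_p12 LEAF KEY CAFILE OUT: the export from the question, gated on the chain check
export_p12() {
    chain_complete "$1" "$3" || { echo "incomplete chain in $3" >&2; return 1; }
    openssl pkcs12 -export -chain -CAfile "$3" -in "$1" -inkey "$2" \
        -out "$4" -name tomcat -passout pass:changeit
}

# p12_cert_count FILE: number of certificates stored in the PKCS#12 file
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin pass:changeit 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

demo() {
    d=$(mktemp -d) && make_pki "$d" || return 1
    # inter.cer alone lacks the root, so the export is refused before openssl is called
    export_p12 "$d/example.cer" "$d/example.key" "$d/inter.cer" "$d/bad.p12" || echo "rejected"
    export_p12 "$d/example.cer" "$d/example.key" "$d/chain.cer" "$d/keystore.p12" &&
        echo "certificates in keystore.p12: $(p12_cert_count "$d/keystore.p12")"
    rm -rf "$d"
}
demo
```

`openssl pkcs12 -export` writes a PKCS#12 file whatever the output file is called; `keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -destkeystore keystore.jks` converts it to a JKS keystore if one is required.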