
I was tasked with setting up SSL on a server. This server uses WildFly, so I have to make a keystore that contains all of the certificates that I got: the server certificate, the intermediate and the key file.

First I chained the server cert and the intermediate cert together, and then I used openssl to create a PKCS12 file. I then used keytool to create a keystore from that PKCS12 file.

The problem is that when I open the keystore file or the PKCS12 file, I find that it doesn't contain the intermediate cert; it only has the server cert. I've done this procedure before and it worked.

Does anyone know what the problem could be?

Extra info: the intermediate certificate is a little old (from 2010), uses SHA-1 and will expire in 9 months, which is weird, unlike my server cert, which is new and uses SHA-256.

  • Since you don't include the exact commands you used, it is unclear what exactly you did and probably impossible to determine if you did everything correctly and/or what went wrong. - See https://meta.serverfault.com/questions/3608/how-can-i-ask-better-questions-on-server-fault/3609#3609 – HBruijn May 19 '19 at 13:04
  • I'll copy-paste exactly what I did tomorrow; hope that will help. – logax May 19 '19 at 15:45

1 Answer


Apparently your problem could be a wrong intermediate certificate.

To ensure that you have the correct intermediate certificate:

  • Run the following command for the server certificate:

    openssl x509 -noout -text -in server.pem | grep 'CA Issuers'
    
  • Then open the URL found by grep:

    wget http://url/ -O intermediate.der
    
  • Convert downloaded certificate into PEM format:

    openssl x509 -in intermediate.der -inform DER -outform PEM -out intermediate.pem
    

Now you know for sure that intermediate.pem is the correct intermediate certificate for your server certificate.

Assume there is only one intermediate certificate in the chain. If there are more, you would need to repeat the commands above for intermediate.pem to get intermediate2.pem and so on.

Run the commands below to create the JKS store.

  • Create certificate bundle:

    cat server.pem intermediate.pem > bundle.pem
    
  • Create pfx/pkcs12 format bundle:

    openssl pkcs12 -export -out bundle.pfx -inkey server.key -in bundle.pem
    
  • Create JKS keystore:

    keytool -importkeystore -srckeystore bundle.pfx -srcstoretype pkcs12 -destkeystore store.jks -deststoretype JKS
    
  • Check keystore:

    keytool -v -list -keystore store.jks
    

You should see the following listed:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: 1
Creation date: May 19, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=example.com
Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
...
Certificate[2]:
Owner: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
...
Sergey Nudnov
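The answer above relies on the reader eyeballing the keytool listing at the end of the procedure. The script below is an added example, not part of the original post or answer: it builds a throwaway root -> intermediate -> server chain with openssl (plus an unrelated CA standing in for a "wrong" intermediate), extracts the CA Issuers URL the answer greps for, and then checks the bundle before anything is packed into a PKCS#12 or JKS file: every certificate's issuer must be the subject of the next certificate, and `openssl verify` must accept the chain. A bundle built with the wrong intermediate fails both checks, which is the situation the answer diagnoses. Assumptions: openssl 1.1.1 or newer on PATH; all subjects, the AIA URL `http://pki.example.test/intermediate.der` and the password `changeit` are invented test values; keytool is only invoked if it happens to be installed, and the root used for `openssl verify` is the test root, whereas in production you would verify against the public CA root.

```shell
#!/bin/sh
# Added example (not from the original post): check a server cert + intermediate
# bundle for the failure the answer describes (wrong intermediate) before
# packing it into PKCS#12 / JKS.
# Assumptions: openssl >= 1.1.1 on PATH; all names, the AIA URL and the
# password are invented test values; keytool is optional.
set -u

# Constructed test PKI in directory $1: root -> intermediate -> server,
# plus an unrelated self-signed CA ("other") to play the wrong intermediate.
make_test_pki() {
    mkdir -p "$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.cnf"
    # Leaf extensions: the AIA entry is what the answer's grep 'CA Issuers' finds.
    printf 'basicConstraints=CA:FALSE\nauthorityInfoAccess=caIssuers;URI:http://pki.example.test/intermediate.der\n' > "$1/leaf.cnf"
    for name in root other; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$name.key" -out "$1/$name.csr" \
            -subj "/CN=Example Test $name CA" >/dev/null 2>&1
        openssl x509 -req -in "$1/$name.csr" -signkey "$1/$name.key" -out "$1/$name.pem" \
            -days 30 -extfile "$1/ca.cnf" >/dev/null 2>&1
    done
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/intermediate.key" -out "$1/intermediate.csr" \
        -subj "/CN=Example Test Intermediate" >/dev/null 2>&1
    openssl x509 -req -in "$1/intermediate.csr" -CA "$1/root.pem" -CAkey "$1/root.key" -CAcreateserial \
        -out "$1/intermediate.pem" -days 30 -extfile "$1/ca.cnf" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/server.key" -out "$1/server.csr" \
        -subj "/CN=example.test" >/dev/null 2>&1
    openssl x509 -req -in "$1/server.csr" -CA "$1/intermediate.pem" -CAkey "$1/intermediate.key" \
        -CAcreateserial -out "$1/server.pem" -days 30 -extfile "$1/leaf.cnf" >/dev/null 2>&1
}

# Step 1 of the answer, made machine-readable: print the CA Issuers URL from the AIA extension.
aia_url() {
    openssl x509 -noout -text -in "$1" | sed -n 's/.*CA Issuers - URI:\(.*\)$/\1/p'
}

# Return 0 if the bundle is leaf-first and each cert's issuer is the next cert's subject.
# Uses the DN hashes so the check does not depend on openssl's DN print format.
chain_is_ordered() {
    tmp=$(mktemp -d)
    awk -v d="$tmp" '/BEGIN CERTIFICATE/{n++} n>0{print > (d "/" n ".pem")}' "$1"
    i=1
    rc=0
    while [ -f "$tmp/$((i+1)).pem" ]; do
        [ "$(openssl x509 -noout -issuer_hash -in "$tmp/$i.pem")" = \
          "$(openssl x509 -noout -subject_hash -in "$tmp/$((i+1)).pem")" ] || rc=1
        i=$((i+1))
    done
    rm -rf "$tmp"
    return $rc
}

# Cryptographic check: root (trusted), intermediate (untrusted), server. Return 0 on OK.
chain_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# The answer's pkcs12 step: key, bundle, output .pfx, password.
build_pkcs12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4" 2>/dev/null
}

# How many certificates actually ended up in the .pfx (the answer's "chain length: 2").
pkcs12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping"; return 0; }
    work=$(mktemp -d)
    make_test_pki "$work"
    echo "AIA says fetch the intermediate from: $(aia_url "$work/server.pem")"
    cat "$work/server.pem" "$work/intermediate.pem" > "$work/good.pem"   # correct chain
    cat "$work/server.pem" "$work/other.pem" > "$work/bad.pem"            # wrong intermediate
    chain_is_ordered "$work/good.pem" && echo "good.pem: issuer/subject chain OK"
    chain_is_ordered "$work/bad.pem"  || echo "bad.pem: intermediate does not issue the server cert"
    chain_verifies "$work/root.pem" "$work/other.pem" "$work/server.pem" || echo "bad chain: openssl verify fails"
    build_pkcs12 "$work/server.key" "$work/good.pem" "$work/good.pfx" changeit
    echo "good.pfx carries $(pkcs12_cert_count "$work/good.pfx" changeit) certificates"
    if command -v keytool >/dev/null 2>&1; then
        keytool -importkeystore -srckeystore "$work/good.pfx" -srcstoretype pkcs12 -srcstorepass changeit \
            -destkeystore "$work/store.jks" -deststoretype JKS -deststorepass changeit -noprompt >/dev/null 2>&1
        keytool -v -list -keystore "$work/store.jks" -storepass changeit | grep 'Certificate chain length'
    fi
    rm -rf "$work"
}
demo
```

Run the script as-is to see both the good and the bad bundle evaluated; to check a real deployment, call `chain_is_ordered` on your own `bundle.pem` and `chain_verifies` with the public root of your CA instead of the test root. If `chain_is_ordered` fails, the intermediate you concatenated is not the issuer of your server certificate, and neither `openssl pkcs12 -export` nor keytool will turn it into a valid chain for you.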