allow to import certificate chains

Question

allow to import certificate chains

scop opened this issue 18 years ago · 2 comments

e.g. if an intermediary certificate is not the trust-store of a browser, tomcat may not just serve the leaf but must serve the entire chain.

for this to happen, it looks as if
Ralf Hauser@Acer_Ralf:/<3>RALFHA~1/Desktop> $JAVA_HOME/bin/keytool -list -keystore www.ks -v
Enter keystore password: importkey

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: importkey
Creation date: Nov 16, 2006
Entry type: keyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=www.privasphere.com, OU=Secure Messaging, O=PrivaSphere AG, L=Zuerich, ST=ZH, C=CH
Issuer: CN=QV Schweiz ICA, OU=Issuing Certificate Authority, O=QuoVadis Trustlink Schweiz AG, C=CH
Serial number: 21e3
Valid from: Wed Oct 25 11:35:12 CEST 2006 until: Sat Oct 25 11:35:12 CEST 2008
Certificate fingerprints:
MD5: 30:10:0A:E5:91:35:47:36:AB:A2:45:08:55:19:4A:5F
SHA1: 7B:4B:19:30:B6:FB:E2:71:D5:2E:42:DF:FA:43:2D:9C:FD:03:CD:98
Certificate[2]:
Owner: CN=QV Schweiz ICA, OU=Issuing Certificate Authority, O=QuoVadis Trustlink Schweiz AG, C=CH
Issuer: CN=QuoVadis Root Certification Authority, OU=Root Certification Authority, O=QuoVadis Limited, C=BM
Serial number: 421fcec0
Valid from: Wed Mar 15 22:06:52 CET 2006 until: Tue Mar 15 22:06:52 CET 2016
Certificate fingerprints:
MD5: C5:59:4C:76:54:6C:A5:EA:2C:31:6F:61:D0:7C:12:39
SHA1: 67:EC:CD:0A:90:2E:86:8D:70:00:87:2E:A1:FD:79:C1:6B:CF:1F:AB
Certificate[3]:
Owner: CN=QuoVadis Root Certification Authority, OU=Root Certification Authority, O=QuoVadis Limited, C=BM
Issuer: CN=QuoVadis Root Certification Authority, OU=Root Certification Authority, O=QuoVadis Limited, C=BM
Serial number: 3ab6508b
Valid from: Mon Mar 19 19:33:33 CET 2001 until: Wed Mar 17 19:33:33 CET 2021
Certificate fingerprints:
MD5: 27:DE:36:FE:72:B7:00:03:00:9D:F4:F0:1E:6C:04:24
SHA1: DE:3F:40:BD:50:93:D3:9B:6C:60:F6:DA:BC:07:62:01:00:89:76:C9

is needed.

At least with root certificates that are not part of jre/lib/security/cacerts, it is tricky insert a chain under one alias.

It is with the windows cermgr possible to export a certificate chain into a p7b file, but the same error as attached appears and with the keytool command-line tool, you get
keytool error: java.lang.Exception: Input not an X.509 certificate

Reported by: ralfhauser

Answer 1 · 2006-11-16T14:36:09.000Z

chainImportFails.png error message

Original comment by: ralfhauser

Answer 2 · 2006-11-16T14:37:25.000Z

Logged In: YES
user_id=266141
Originator: YES

a work-around is in http://www.agentbob.info/agentbob/79.html

Original comment by: ralfhauser