
We have renewed the certificate of one of our servers (Apache httpd). For a web service interface (for mobile clients) we need the certificate also on Tomcat, meaning: stored in a Java keystore. We already have our certificate in the Java keystore, but the root certificates are still missing.

If we list the details of the old keystore certificate we get:

```
/> keytool -list -v -keystore 2012.jks -alias ourcertificate
Keystore-Kennwort eingeben:  
Aliasname: ourcertificate
...
...
...
Zertifikatkettenlänge: 3  // certificate chain length: 3
Zertifikat[1]:            // certificate[1]
...
...
...
Zertifikat[2]:
...
...
...
Zertifikat[3]:
...
...
...
```

Important here is that all CA certificates are already part of the "ourcertificate" alias of the keystore.

If we list the details of the new certificate (of the new keystore file) we get:

```
/> keytool -list -v -keystore 2015.jks -alias ourcertificate
Keystore-Kennwort eingeben:  
Aliasname: ourcertificate
...
...
...
Zertifikatkettenlänge: 1   // certificate chain length: 1
Zertifikat[1]:             // certificate[1]
...
...
...
```

The CA certificates are missing here. To import the CA certificates we tried the following command:

```
/> keytool -import -alias alpha -file gsalphasha2g2r1.der -keystore 2015.jks
Keystore-Kennwort eingeben:  
...
... 
...
Diesem Zertifikat vertrauen? [Nein]:  Ja    // trust this certificate? [No]: Yes
Zertifikat wurde Keystore hinzugefügt       // certificate was added to the keystore
```

But this adds a new trusted certificate into the keystore (with a new alias). Adding the root CA certificate doesn't help either. If we list the certificate details of the "ourcertificate" entry we still get a certificate chain length of 1. Specifying "ourcertificate" as the alias while importing the CA certificates doesn't help either (we then get an error that the public keys in the reply and the keystore are not identical; "Keytool-Fehler: java.lang.Exception: Public Keys in Antwort und Keystore stimmen nicht überein" in German).

What's wrong? How can we import the CA certificates into a Java keystore so that the CA certificates are linked to "ourcertificate"?

EDIT

I think I must also describe how we imported the private key and certificate pair. That's a little bit difficult, because the CSR was made with openssl. We needed to import the private key and the certificate into the keystore file. To do that we used the following Java class file: http://www.agentbob.info/agentbob/79-AB.html (the ImportKey class). We know that this works. But maybe there was an error while importing the key and the certificate ...

Steffen
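The two symptoms in the question (a chain length of 1 on the key entry, and keytool refusing a certificate reply because the public keys do not match) can be checked directly against the keystore. The following diagnostic is an added example, not code from the question or from the ImportKey class; it assumes a JKS file, the alias of a PrivateKeyEntry and a password that is used for both the store and the key, all passed as arguments (the argument names are placeholders).

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.interfaces.RSAPublicKey;

/** Inspects one PrivateKeyEntry: chain length, chain linkage, validity and key/cert match. */
public class CheckKeyEntry {
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: CheckKeyEntry <keystore.jks> <alias> <password>");
            System.exit(2);
        }
        char[] pw = args[2].toCharArray(); // assumption: store and key share this password
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, pw);
        }
        String alias = args[1];
        if (!ks.isKeyEntry(alias)) {
            System.out.println(alias + " is a trustedCertEntry, not a key entry; Tomcat cannot use it");
            return;
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        System.out.println("chain length: " + chain.length);
        // Walk the chain: every certificate must be signed by the one that follows it.
        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = (X509Certificate) chain[i];
            System.out.println("[" + (i + 1) + "] " + c.getSubjectX500Principal());
            c.checkValidity(); // throws if expired or not yet valid
            if (i + 1 < chain.length) {
                X509Certificate issuer = (X509Certificate) chain[i + 1];
                c.verify(issuer.getPublicKey()); // throws if the signature does not check out
            } else if (!c.getIssuerX500Principal().equals(c.getSubjectX500Principal())) {
                System.out.println("last cert is not self-signed: intermediate/root certs are missing");
            }
        }
        // Same comparison keytool makes before accepting a certificate reply for this alias.
        PrivateKey priv = (PrivateKey) ks.getKey(alias, pw);
        PublicKey pub = chain[0].getPublicKey();
        if (priv instanceof RSAPrivateCrtKey && pub instanceof RSAPublicKey) {
            boolean match = ((RSAPrivateCrtKey) priv).getModulus()
                    .equals(((RSAPublicKey) pub).getModulus());
            System.out.println("private key matches leaf certificate: " + match);
        }
    }
}
```

Run it against both 2012.jks and 2015.jks with alias ourcertificate: a missing-intermediate message explains the certificate_unknown alert, while a key/cert mismatch points at the original ImportKey step rather than the CA import.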
  • It's good practice to put your application layer (i.e. Tomcat) behind a presentation layer. You can use Apache to proxy requests to your Tomcat server, which means you only need to configure HTTPS on Apache. – Alastair McCormack Dec 20 '15 at 11:51
  • @AlastairMcCormack: Of course, that's right. And we do that in several other projects. But in this case the web service interface of the Tomcat application only supports HTTPS connections, so we now have the problem of creating a valid keystore file with all CA certificates ... – Steffen Dec 20 '15 at 12:00
  • A proxy does not prevent you from running your service over HTTPS. You can run HTTPS from your proxy to Tomcat if you desire, using self-signed certs to reduce complication. Only SSL client authentication with user authorisation makes things tricky, but that can be negated by having Apache pass the authentication headers. I'm thinking of a solution for your asked problem – Alastair McCormack Dec 20 '15 at 12:06
  • Have you tried passing `-trustcacerts` when importing? – Alastair McCormack Dec 20 '15 at 12:25
  • Yes. I have tried also passing "-trustcacerts" with the same result – Steffen Dec 20 '15 at 12:28
  • I wasn't aware that the intermediate certs had to be linked within the JKS for this work (I've created many JKS files over the years and a JKS tool: https://code.google.com/p/java-keyutil/). Are clients showing a break in the trust chain? – Alastair McCormack Dec 20 '15 at 12:33
  • Mmmhh. Seems you are right. There must be an error somewhere else ... We don't get an error on the client side. We get an error on the server side: `javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown`. Maybe our certificate inside the keystore is wrong/invalid ... Not sure what's going on ... – Steffen Dec 20 '15 at 12:46
  • How did you import / request the cert in the first place? – Alastair McCormack Dec 20 '15 at 12:50
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/33236/discussion-between-steffen-and-alastair-mccormack). – Steffen Dec 20 '15 at 12:54
