
I have three files, sample.cert, sample.CA and sample.key, provided by Verisign. I need to create a keystore for Tomcat. As I searched, I cannot use the .key file directly to create a keystore.

The command used by me is as below:

    openssl pkcs12 -export -in sample.cert -inkey sample.key -CAfile sample.crt -out sample.p12

(I changed sample.CA to sample.crt.)

I use openssl to create the sample.p12 file. Then I import sample.p12 into sample.jks using keytool.

    keytool -importkeystore -srckeystore sample.p12 -destkeystore sample.jks -srcstoretype pkcs12

When I verify the certificate, it shows an intermediate certificate chaining issue.

Any idea?

kundan bora

1 Answer


I think you may just be missing one parameter in the openssl command. Add "-chain" to the end to see if that fixes things. Note that if openssl can't establish the chain, the command will fail.

Example:

    openssl pkcs12 -export -in MYCERT.crt -inkey MYKEY.key -out KEYSTORE.p12 -name "tomcat" -CAfile MY-CA-CERT.crt -caname "myCA" -chain

The "-name" and "-caname" parameters give a "friendly name" to each certificate, and are optional.

The documentation for openssl pkcs12 and its various parameters is here.

gtrig
  • I also added the -chain argument but it shows the error "unable to get issuer certificate getting chain" – kundan bora May 24 '13 at 10:03
  • Can you post the sample files somewhere so we can verify the chain? – gtrig May 24 '13 at 18:26
  • gtrig, actually these sample files are original files. They contain the private key. – kundan bora May 25 '13 at 14:47
  • If my memory is correct, you can verify the certificate chain with this openssl command: openssl verify -CAfile cacert.pem mycert.pem. As indicated, both certs must be in pem format. You can also verify the private key goes with your cert with the commands on this [page](http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#verify). – gtrig May 26 '13 at 01:18
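The error in the comments, "unable to get issuer certificate getting chain", is what `openssl pkcs12 -chain` reports when the certificate that issued the server certificate (the intermediate) is not in the `-CAfile` bundle. The POSIX shell script below is an added example, not code from the question, the answer or OpenSSL's documentation: it generates a constructed root, intermediate and server chain locally, reproduces the failure with a root-only `-CAfile`, fixes it with a bundle that holds intermediate and root, and runs the two checks gtrig mentions (chain verification and key-to-certificate match) before the keytool import. It assumes `openssl` is on PATH; every file name, the subject names, the alias `tomcat`, the passphrase `changeit` and the work directory are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the question, the answer, or OpenSSL): build a
# constructed root -> intermediate -> server chain, reproduce the
# "unable to get issuer certificate getting chain" failure, and fix it.
# Assumptions: openssl on PATH; all names, the alias "tomcat", the
# passphrase "changeit" and the work directory are made up for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="changeit"    # constructed demo passphrase for the .p12 / .jks

# Extension sections for the demo CAs and the server certificate.
write_config() {
  cat > "$WORK/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:tomcat.example.test
EOF
}

# Generate the root CA, an intermediate CA signed by the root, and the Tomcat
# server certificate sample.crt/sample.key signed by the intermediate.
make_chain() {
  write_config
  openssl req -x509 -config "$WORK/demo.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
      -keyout "$WORK/root.key" -out "$WORK/root.crt" -subj "/CN=Demo Root CA" -days 365 2>/dev/null
  openssl req -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes \
      -keyout "$WORK/inter.key" -out "$WORK/inter.csr" -subj "/CN=Demo Intermediate CA" 2>/dev/null
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
      -CAcreateserial -days 365 -extfile "$WORK/demo.cnf" -extensions v3_ca \
      -out "$WORK/inter.crt" 2>/dev/null
  openssl req -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes \
      -keyout "$WORK/sample.key" -out "$WORK/sample.csr" -subj "/CN=tomcat.example.test" 2>/dev/null
  openssl x509 -req -in "$WORK/sample.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
      -CAcreateserial -days 365 -extfile "$WORK/demo.cnf" -extensions v3_leaf \
      -out "$WORK/sample.crt" 2>/dev/null
}

# The answer's export command, with $1 as the -CAfile bundle. -chain makes
# openssl resolve sample.crt's issuers from that bundle, so a bundle missing
# the intermediate fails here instead of surfacing later inside Tomcat.
build_p12() {   # $1 = CA bundle  $2 = output .p12
  openssl pkcs12 -export -in "$WORK/sample.crt" -inkey "$WORK/sample.key" -name tomcat \
      -CAfile "$1" -chain -passout "pass:$PASS" -out "$2" 2>"$WORK/pkcs12.err"
}

# Number of certificates stored in the .p12: 3 (server, intermediate, root) when complete.
p12_cert_count() {   # $1 = .p12
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# gtrig's chain check, for a chain with an intermediate: the root is the trust
# anchor, the intermediate is untrusted input openssl must use to reach it.
verify_chain() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/inter.crt" "$WORK/sample.crt" >/dev/null 2>&1
}

# gtrig's key check: the public key inside the certificate must equal the one
# derived from the private key (same idea as the Apache FAQ modulus comparison).
key_matches_cert() {   # $1 = cert  $2 = key
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

demo() {
  make_chain
  # Root only in -CAfile: the intermediate that issued sample.crt cannot be
  # found, which is the error reported in the comments.
  if build_p12 "$WORK/root.crt" "$WORK/broken.p12"; then
    echo "unexpected: chain built without the intermediate"; return 1
  fi
  echo "root only:   $(head -1 "$WORK/pkcs12.err")"
  # Fix: intermediate and root together in one bundle (what sample.CA must hold).
  cat "$WORK/inter.crt" "$WORK/root.crt" > "$WORK/ca-bundle.crt"
  build_p12 "$WORK/ca-bundle.crt" "$WORK/sample.p12"
  echo "full bundle: $(p12_cert_count "$WORK/sample.p12") certificates in sample.p12"
  verify_chain && echo "openssl verify: sample.crt chains to Demo Root CA"
  key_matches_cert "$WORK/sample.crt" "$WORK/sample.key" && echo "sample.key matches sample.crt"
  # The question's keytool step, when a JDK is on PATH.
  if command -v keytool >/dev/null 2>&1; then
    keytool -importkeystore -srckeystore "$WORK/sample.p12" -srcstoretype pkcs12 \
        -srcstorepass "$PASS" -destkeystore "$WORK/sample.jks" -deststorepass "$PASS" -noprompt \
      || echo "keytool could not import sample.p12 (older keytool releases cannot read the PBES2 encryption OpenSSL 3 writes by default)"
  fi
}
demo
```

The practical point for the question: `-CAfile` must contain every certificate between the server certificate and the root, not just the root, so the file from the CA (sample.CA here) should be checked with `openssl x509 -noout -subject -issuer` on each block it contains before being handed to `openssl pkcs12`. Counting the certificates in the resulting .p12 is a quick way to confirm the chain made it into the keystore before Tomcat ever loads it.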