
I used keytool to generate a keystore and, from that, generated a CSR:

keytool -genkey \
    -alias server \
    -keyalg RSA \
    -keysize 2048 \
    -keystore api_example_com.jks \
    -dname "CN=api.example.com, O=Acme Ltd, L=Sydney, ST=New South Wales, C=AU"
keytool -certreq \
    -alias server \
    -file api_example_com.csr \
    -keystore api_example_com.jks

I submitted the CSR to Comodo and received my PositiveSSL cert and intermediate certificates.

I imported them as follows:

./glassfish4/bin/asadmin change-master-password --savemasterpassword=true
keytool -importkeystore \
    -srckeystore api_example_com.jks \
    -destkeystore glassfish4/glassfish/domains/domain1/config/keystore.jks
keytool -import -trustcacerts \
    -alias AddTrustExternalCARoot \
    -file AddTrustExternalCARoot.crt \
    -keystore glassfish4/glassfish/domains/domain1/config/keystore.jks
keytool -import -trustcacerts \
    -alias COMODORSAAddTrustCA \
    -file COMODORSAAddTrustCA.crt \
    -keystore glassfish4/glassfish/domains/domain1/config/keystore.jks
keytool -import -trustcacerts \
    -alias COMODORSADomainValidationSecureServerCA \
    -file COMODORSADomainValidationSecureServerCA.crt \
    -keystore glassfish4/glassfish/domains/domain1/config/keystore.jks
keytool -import -trustcacerts \
    -alias server \
    -file api_example_com.crt \
    -keystore glassfish4/glassfish/domains/domain1/config/keystore.jks

I received no errors at this point, but when I started the server and tried using https instead of http, I got an SSL connection error from the browser. Other diagnostic tools available on the Internet simply reported that there is no SSL certificate. When I used keytool to list the certificates installed in the keystore, it reported all the certificates as individual certificates rather than as a chain.

I then tried something else... I used Keychain Access in OS X to produce a p7b file containing the entire certificate path, from the root all the way down to my certificate. Using this method, I was able to verify in Keychain Access that the entire certificate chain is valid. I then tried importing this using keytool. (I started again with a fresh installation of GlassFish.)

./glassfish4/bin/asadmin change-master-password --savemasterpassword=true
keytool -importkeystore \
    -srckeystore api_example_com.jks \
    -destkeystore glassfish4/glassfish/domains/domain1/config/keystore.jks
keytool -importcert -v -trustcacerts \
    -alias server \
    -file api.example.com.p7b \
    -keystore glassfish4/glassfish/domains/domain1/config/keystore.jks

This time keytool produced an error message:

keytool error: java.lang.Exception: Failed to establish chain from reply
java.lang.Exception: Failed to establish chain from reply
        at sun.security.tools.KeyTool.establishCertChain(KeyTool.java:3375)
        at sun.security.tools.KeyTool.installReply(KeyTool.java:2583)
        at sun.security.tools.KeyTool.doCommands(KeyTool.java:998)
        at sun.security.tools.KeyTool.run(KeyTool.java:340)
        at sun.security.tools.KeyTool.main(KeyTool.java:333)

I want to rule out the possibility that I'm using a key store that doesn't match the CSR. I only generated one key store and one certificate signing request so I doubt I picked up the wrong keystore. Nevertheless, is there a command I can run to validate a certificate signing request against a keystore so it would tell me whether or not I have the right keystore?

Steve
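The check the question asks for, as an added example that is not part of the question or either answer: a CSR and the keystore entry it was generated from carry the same public key, so comparing SHA-256 fingerprints of the SubjectPublicKeyInfo tells you whether you have the right keystore. It assumes openssl and keytool are on PATH; the keystore password and alias passed in are placeholders.

```shell
#!/bin/sh
# Compare the public key in a CSR with the public key of a keystore entry
# (or of any PEM certificate). Matching SHA-256 fingerprints of the DER
# SubjectPublicKeyInfo mean the keystore holds the private key behind the CSR.

# Fingerprint of the public key inside a PEM CSR.
csr_pubkey_fp() {
    openssl req -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Fingerprint of the public key inside a PEM certificate (self-signed or CA-issued).
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Fingerprint of the public key held under ALIAS in a keystore: keytool exports
# the entry's certificate in PEM (-rfc), which may be the self-signed placeholder
# created by -genkey or the CA-signed reply; both carry the same public key.
# Arguments: keystore alias storepass (the password is a hypothetical placeholder).
keystore_pubkey_fp() {
    keytool -exportcert -rfc -keystore "$1" -alias "$2" -storepass "$3" 2>/dev/null \
        | openssl x509 -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 when the CSR and the certificate share a public key, 1 otherwise.
csr_matches_cert() {
    [ -n "$(csr_pubkey_fp "$1")" ] && [ "$(csr_pubkey_fp "$1")" = "$(cert_pubkey_fp "$2")" ]
}

# Exit 0 when the CSR and the keystore entry share a public key, 1 otherwise.
# Usage: csr_matches_keystore api_example_com.csr api_example_com.jks server changeit
csr_matches_keystore() {
    [ -n "$(csr_pubkey_fp "$1")" ] && [ "$(csr_pubkey_fp "$1")" = "$(keystore_pubkey_fp "$2" "$3" "$4")" ]
}
```

Run `csr_matches_keystore` against the keystore the CSR was generated from before importing anything into GlassFish; a mismatch means the reply will never chain to that entry.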

2 Answers


Get rid of the '-trustcacerts' parameter in the step where you import the actual signed certificate via alias 'server'. It's not a CA certificate.

user207421

Although I didn't find a way to validate a CSR against a keystore to ensure they match, I did resolve my problem. I was first importing the keystore into GlassFish's keystore then attempting to import the certificates. I resolved this by first importing the certificates into the keystore from which the CSR was generated, then importing that keystore into GlassFish's keystore.

Steve
  • Hard to see how that would fix anything, unless there are three different keystores in play. – user207421 Jul 20 '14 at 11:54
  • No, definitely not. I was puzzled myself, but this is not the first time I've done battle with SSL and GlassFish and I suspect this is the same solution I came to last time but forgot. – Steve Jul 20 '14 at 13:37