I have problems with appending the root and intermediate certificates to my SSL certificate. Please see the steps below.

  1. Create Java keystore named jira.corp.net.jks with self-signed certificate jira.corp.net
  2. Create a CSR to get CA signed certificate for jira.corp.net
  3. Received CA signed certificate and imported jira.corp.net into jira.corp.net.jks via Import Reply option in Keystore Explorer
  4. Appended intermediate and root certificate

The above steps work perfectly fine. Now, since my application requires the signed certificate in a different keystore, cacerts, I imported the signed certificate. But now I don't get the option to append the intermediate and root certificates. Because of this I get the error below:

```
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
```

I understand that since the certificate request was created in a different keystore, the append option is not available. But how do I import the root and intermediate certificates in this case?

I have checked many blogs but couldn't make it work. If someone has knowledge on how to fix this, please suggest.

Thanks!

user1194310
  • You do not add your signed certificate in the `cacerts`, you need to add the CA cert to it using the `keytool -importcert` command. If you are using KeyStore-Explorer, there is a shortcut option to open the cacerts file, I think it is called 'File > Open Special', and in it you import the CA cert using 'Add trusted cert'. – always_a_rookie Jun 15 '21 at 13:52
  • @always_a_rookie thanks for your response. When I say signed certificate, it is provided by CA authority only. The problem is I can add only the underlying certificate but not the intermediate and root certificates. I do not get the option to append the CA certificate. – user1194310 Jun 15 '21 at 14:14
  • You perform 'appending the CA certificate' when you add the signed cert from the CA to your original keystore, which you already did in point 3 and 4. Since you are now trying to add the CA cert to the `cacerts`, you need to **trust it**, not append it. Look for the option 'Add trusted cert' once you open the cacerts file in the KeyStore-Explorer. – always_a_rookie Jun 15 '21 at 14:21
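
The advice in the comments above, written as commands in an added example that is not part of the original thread: root and intermediate CA certificates go into a truststore as trusted entries with `keytool -importcert`. The CA chain, aliases, file names and the scratch truststore are constructed for the demo; against a real JDK the truststore argument would be the path of its `cacerts` file.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread. All names are constructed:
# the CA subjects, aliases and file names are placeholders, and a scratch
# PKCS12 truststore stands in for the JDK's cacerts file.
set -euo pipefail
PASS=changeit   # cacerts ships with this default password; reused here

kt() { keytool "$@" -storepass "$PASS" -storetype PKCS12; }

make_chain() {   # $1 = work dir; writes root.pem and intermediate.pem
  local ca="$1/ca.p12" alias
  for alias in root inter; do
    kt -genkeypair -alias "$alias" -keyalg RSA -keysize 2048 -validity 30 \
       -dname "CN=Constructed $alias CA" -ext bc:c -keypass "$PASS" -keystore "$ca"
  done
  kt -exportcert -rfc -alias root -keystore "$ca" -file "$1/root.pem"
  # The root signs the intermediate's CSR, as a real CA would.
  kt -certreq -alias inter -keystore "$ca" |
    kt -gencert -rfc -alias root -ext bc:c -validity 30 -keystore "$ca" \
       -outfile "$1/intermediate.pem"
}

trust_ca() {     # $1 = truststore, $2 = alias, $3 = CA certificate (PEM)
  # Importing under an alias that holds no key pair creates a trusted entry:
  # the keytool counterpart of the "Add trusted cert" advice in the comments.
  kt -importcert -noprompt -trustcacerts -alias "$2" -file "$3" -keystore "$1"
}

entry_type() {   # $1 = truststore, $2 = alias; prints the entry type
  kt -list -alias "$2" -keystore "$1" | grep -oE 'trustedCertEntry|PrivateKeyEntry'
}

demo() {         # prints one entry type per imported CA certificate
  local d; d=$(mktemp -d)
  make_chain "$d" >&2
  trust_ca "$d/truststore.p12" constructed-root "$d/root.pem" >&2
  trust_ca "$d/truststore.p12" constructed-intermediate "$d/intermediate.pem" >&2
  entry_type "$d/truststore.p12" constructed-root
  entry_type "$d/truststore.p12" constructed-intermediate
  rm -rf "$d"
}

if command -v keytool >/dev/null 2>&1; then demo
else echo "keytool not found; a JDK is required" >&2; fi
```

Both aliases list as `trustedCertEntry`; the server's own signed certificate and its private key stay in the application keystore and are not imported into the truststore.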

1 Answer

Hi, I usually generated the root CA with openssl, and importing that into the cacerts with keytool never worked. You can instead generate it with this application I made out of desperation (it's a Java 11 app):

https://github.com/kendarorg/JavaCaCertGenerator

Its only purpose is to replace the generation of the private key and the root certificate, in a form "fit" for cacerts. From there you can produce the various certificates for the addresses and import the root CA inside the default cacerts.

Kendar