
Create truststore for StartSSL Certificate

I'm trying to create a truststore from StartSSL certificates to enable http2 in Wildfly 10.

So far I have tried this script and the instructions in this link.

So I executed the commands below:

wget http://www.startssl.com/certs/ca.crt
keytool -import -trustcacerts -keystore truststore -alias startcom.ca -file ca.crt
wget http://www.startssl.com/certs/sub.class1.server.ca.crt
keytool -import -trustcacerts -keystore truststore -alias startcom.ca.sub.class1 -file sub.class1.server.ca.crt

The first keytool command works ok, but I get the following error in the last command:

keytool error: java.lang.Exception: Input not an X.509 certificate

Anyone have any idea what I'm doing wrong?

Answer - These are the correct files:

wget http://www.startssl.com/certs/ca.crt
keytool -import -trustcacerts -keystore truststore -alias startcom.ca -file ca.crt
wget https://www.startssl.com/certs/ca-g2.crt
keytool -import -trustcacerts -keystore truststore -alias startcom.ca-g2 -file ca-g2.crt
wget https://www.startssl.com/certs/ca-sha2.crt
keytool -import -trustcacerts -keystore truststore -alias startcom.ca-sha2 -file ca-sha2.crt

You are not doing it wrong. It is the second file (sub.class1.server.ca.crt), which you might have downloaded, that is wrong. Upon inspection, the file had invalid data in it.

You can view this yourself by opening that file in a text editor; you might see this data - class1/sha2/der/sub.class1.server.sha2.ca.crt.

If you need the whole chain, you could grab it from any browser. Just click the green lock on the address bar, which will open the native Certificate Viewer, through which you can choose to download individual certificates or the whole chain.
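A pre-import check for the failure described in the answer, as an added example that is not part of the original post. The helper names `cert_format` and `import_if_cert` are hypothetical, and the check is only a structural sniff (PEM armor or a DER SEQUENCE header), not signature or chain validation.

```shell
#!/bin/sh
# Added example: classify a downloaded file before handing it to keytool.
# cert_format prints "pem", "der" or "invalid" (structural sniff only).
cert_format() {
    f=$1
    [ -s "$f" ] || { echo invalid; return 1; }
    # PEM: an armored block with BEGIN/END CERTIFICATE lines.
    if grep -q '^-----BEGIN CERTIFICATE-----' "$f" &&
       grep -q '^-----END CERTIFICATE-----' "$f"; then
        echo pem; return 0
    fi
    # DER: an ASN.1 SEQUENCE (0x30) with a two-byte long-form length (0x82),
    # which is how any realistically sized X.509 certificate starts.
    magic=$(head -c 2 "$f" | od -An -tx1 | tr -d ' \n')
    if [ "$magic" = "3082" ]; then
        echo der; return 0
    fi
    echo invalid; return 1
}

# import_if_cert FILE ALIAS [KEYSTORE]: refuse non-certificates; otherwise
# print the fingerprints for out-of-band comparison, then import.
import_if_cert() {
    fmt=$(cert_format "$1") || {
        shown=$(head -c 80 "$1" | LC_ALL=C tr -c '[:print:]' '?')
        echo "refusing $1: not a certificate, starts with: $shown" >&2
        return 1
    }
    echo "$1 looks like $fmt"
    keytool -printcert -file "$1" || return 1
    keytool -import -trustcacerts -keystore "${3:-truststore}" \
        -alias "$2" -file "$1"
}

# Constructed sample: the stub text the answer found in the bad download.
tmp=$(mktemp)
printf 'class1/sha2/der/sub.class1.server.sha2.ca.crt' > "$tmp"
import_if_cert "$tmp" startcom.ca.sub.class1 || echo "import skipped"
rm -f "$tmp"
```

Comparing the fingerprints printed by `keytool -printcert` against a value obtained through a separate channel matters most for the root that the commands above fetch over plain `http://`.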
