stackoom
  简体   繁体   中英

Correct way to import root and intermediate certificates in Java cacerts

 原文  2017-02-03 15:42:41       java/ ssl/ certificate/ ssl-certificate/ x509certificate

Question

My company has its own ROOT certificate. Using this certificate they signed intermediate certificate.

Then we issued CSR for server certificate and signed it with intermediate certificate.

What is a correct way to import the ROOT certificate and intermediate in Java cacerts file, in order to be able to establish SSL connection with the server which has server certificate signed by the intermediate ?

I used OpenSSL to test certificate chain on the server:

openssl s_client -showcerts -connect host:443

CONNECTED(00000003)
depth=0 C = COUNTRYCODE, ST = myCountry, O = myOrganization, CN = myServer, emailAddress = myMail
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = COUNTRYCODE, ST = myCountry, O = myOrganization, CN = myServer, emailAddress = myMail
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = COUNTRYCODE, ST = myCountry, O = myOrganization, CN = myServer, emailAddress = myMail
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=COUNTRYCODE/ST=myCountry/O=myOrganization/CN=myServer/emailAddress=myMail
   i:/CN=INTERMEDIATECERT
-----BEGIN CERTIFICATE-----
MIIFr...
-----END CERTIFICATE-----
---
Server certificate
subject=/C=COUNTRYCODE/ST=myCountry/O=myOrganization/CN=myServer/emailAddress=myMail
issuer=/CN=INTERMEDIATECERT
---
No client certificate CA names sent
---
SSL handshake has read 1601 bytes and written 589 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA

1 answers

solution1
 8 ACCPTED  2017-02-04 08:15:29

You only need to import the root certificate in the truststore.

 keytool -import -trustcacerts -keystore path/to/cacerts -storepass changeit  -alias aliasName -file path/to/certificate.cer

The SSL server during handshake should provide the certificate and the intermediates. The TrustManager of your client will validate the certification chain until root is found

Note: It is recommended to use your own truststore instead of modifying cacerts

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Java client not picking root/intermediate certificates from Windows Trust Store Obtaining all certificates in a chain; both intermediate and root Import Windows certificates to Java Getting root and intermediate certificates from an end-entity Can we export certificates from JRE's "cacerts" file and import it to higher JRE version? Import .cer to cacerts using image openjdk - java.io.FileNotFoundException How is is possible that Java 11 validates a certificate whom intermediate certificate isn't avalaible in cacerts? Unable to import certificate to cacerts Java Web Start error when running signed jar with trusted certificates imported into cacerts keystore How to add SSL certificates to cacerts and keystore?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM