allow to import certificate chains #5

Open
scop opened this issue Nov 16, 2006 · 2 comments

scop commented Nov 16, 2006

E.g. if an intermediary certificate is not in the trust-store of a browser, Tomcat may not just serve the leaf but must serve the entire chain.

for this to happen, it looks as if

```
Ralf Hauser@Acer_Ralf:/<3>RALFHA~1/Desktop> $JAVA_HOME/bin/keytool -list -keystore www.ks -v
Enter keystore password: importkey

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: importkey
Creation date: Nov 16, 2006
Entry type: keyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=www.privasphere.com, OU=Secure Messaging, O=PrivaSphere AG, L=Zuerich, ST=ZH, C=CH
Issuer: CN=QV Schweiz ICA, OU=Issuing Certificate Authority, O=QuoVadis Trustlink Schweiz AG, C=CH
Serial number: 21e3
Valid from: Wed Oct 25 11:35:12 CEST 2006 until: Sat Oct 25 11:35:12 CEST 2008
Certificate fingerprints:
MD5: 30:10:0A:E5:91:35:47:36:AB:A2:45:08:55:19:4A:5F
SHA1: 7B:4B:19:30:B6:FB:E2:71:D5:2E:42:DF:FA:43:2D:9C:FD:03:CD:98
Certificate[2]:
Owner: CN=QV Schweiz ICA, OU=Issuing Certificate Authority, O=QuoVadis Trustlink Schweiz AG, C=CH
Issuer: CN=QuoVadis Root Certification Authority, OU=Root Certification Authority, O=QuoVadis Limited, C=BM
Serial number: 421fcec0
Valid from: Wed Mar 15 22:06:52 CET 2006 until: Tue Mar 15 22:06:52 CET 2016
Certificate fingerprints:
MD5: C5:59:4C:76:54:6C:A5:EA:2C:31:6F:61:D0:7C:12:39
SHA1: 67:EC:CD:0A:90:2E:86:8D:70:00:87:2E:A1:FD:79:C1:6B:CF:1F:AB
Certificate[3]:
Owner: CN=QuoVadis Root Certification Authority, OU=Root Certification Authority, O=QuoVadis Limited, C=BM
Issuer: CN=QuoVadis Root Certification Authority, OU=Root Certification Authority, O=QuoVadis Limited, C=BM
Serial number: 3ab6508b
Valid from: Mon Mar 19 19:33:33 CET 2001 until: Wed Mar 17 19:33:33 CET 2021
Certificate fingerprints:
MD5: 27:DE:36:FE:72:B7:00:03:00:9D:F4:F0:1E:6C:04:24
SHA1: DE:3F:40:BD:50:93:D3:9B:6C:60:F6:DA:BC:07:62:01:00:89:76:C9
```

is needed.

At least with root certificates that are not part of jre/lib/security/cacerts, it is tricky to insert a chain under one alias.

With the Windows certmgr it is possible to export a certificate chain into a p7b file, but the same error as attached appears, and with the keytool command-line tool you get

```
keytool error: java.lang.Exception: Input not an X.509 certificate
```

Reported by: ralfhauser


scop commented Nov 16, 2006

chainImportFails.png error message

Original comment by: ralfhauser


scop commented Nov 16, 2006

Logged In: YES
user_id=266141
Originator: YES

a work-around is in http://www.agentbob.info/agentbob/79.html

Original comment by: ralfhauser
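
The result asked for in this issue, a key entry that carries the whole chain under one alias, can be produced with the standard Java `KeyStore` API. This is an added example, not code from this project or from the linked work-around; the class name `ImportChain`, the argument order, and the assumption that the key password equals the keystore password are illustrative.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

// Added example. Usage: java ImportChain <keystore.jks> <password> <alias> <chain.p7b>
public class ImportChain {
    public static void main(String[] a) throws Exception {
        char[] pw = a[1].toCharArray(); // assumption: key password equals store password
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(a[0])) { ks.load(in, pw); }
        Key key = ks.getKey(a[2], pw);
        X509Certificate cur = (X509Certificate) ks.getCertificate(a[2]);
        if (key == null || cur == null) throw new IllegalArgumentException("no key entry: " + a[2]);

        // generateCertificates() (plural) parses a PKCS#7 bundle as well as single certificates.
        List<X509Certificate> pool = new ArrayList<>();
        try (InputStream in = new FileInputStream(a[3])) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in))
                pool.add((X509Certificate) c);
        }

        // Build the chain leaf -> root; a p7b does not guarantee any order.
        List<Certificate> chain = new ArrayList<>();
        chain.add(cur);
        while (!cur.getSubjectX500Principal().equals(cur.getIssuerX500Principal())) {
            X509Certificate issuer = null;
            for (X509Certificate c : pool)
                if (c.getSubjectX500Principal().equals(cur.getIssuerX500Principal())) issuer = c;
            if (issuer == null || chain.size() > pool.size())
                throw new IllegalStateException("cannot complete chain at " + cur.getSubjectX500Principal());
            cur.verify(issuer.getPublicKey()); // throws if the signature does not match
            chain.add(issuer);
            cur = issuer;
        }

        ks.setKeyEntry(a[2], key, pw, chain.toArray(new Certificate[0])); // whole chain under one alias
        try (OutputStream out = new FileOutputStream(a[0])) { ks.store(out, pw); }
        System.out.println("Certificate chain length: " + chain.size());
    }
}
```

Run it against a copy of the keystore, since the file is rewritten in place; `keytool -list -v` on the result should then report the full chain length for the alias.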
