Adding certificate chain to p12(pfx) certificate
<p>I have an application in Java and CXF which connects to WebServices with a client certificate.</p>
<p>I got certificates from the WebService owner:</p>
<ul>
<li>certificate.p12</li>
<li>certificate.pem</li>
<li>certificate.crt</li>
<li>trusted_ca.cer</li>
<li>root_ca.cer</li>
</ul>
<p>I have a problem with straightforward converting this p12 certificate to a working JKS keystore required by Java.</p>
<p>I did this:</p>
<pre><code>keytool -importkeystore -srckeystore certificate.p12 -srcstoretype PKCS12 -destkeystore certificate1.jks -deststoretype JKS -storepass secret
keytool -import -alias root -file root_ca.cer -trustcacerts -keystore certificate1.jks -storepass secret
keytool -import -alias trusted -file trusted_ca.cer -trustcacerts -keystore certificate1.jks -storepass secret
</code></pre>
<p>but this JKS doesn't work and I get HTTP response '403: Forbidden' when using this certificate1.jks.</p>
<p>However, if I import this p12(pfx) certificate to Internet Explorer and then export this certificate from IE to pfx format selecting the "Include all certificates in the certification path" checkbox and use:</p>
<pre><code>keytool -importkeystore -srckeystore certificate.pfx -srcstoretype PKCS12 -destkeystore certificate2.jks -deststoretype JKS -storepass secret
keytool -import -alias root -file root_ca_kir.cer -trustcacerts -keystore certificate2.jks -storepass secret
keytool -import -alias trusted -file trusted_ca_kir.cer -trustcacerts -keystore certificate2.jks -storepass secret
</code></pre>
<p>then everything works fine and I can connect to the WebService using certificate2.jks.</p>
<p>I found that the original certificate.p12(pfx) contains only one entry (Certificate chain length: 1):</p>
<pre><code>keytool -list -keystore certificate.p12 -storepass secret -storetype PKCS12 -v

*******************************************
*******************************************

Alias name: alias
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=MyCompany, EMAILADDRESS=my.email@domain.com, O=bla, C=PL
Issuer: CN=Trusted CA, O=ble, C=PL
Serial number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Valid from: ... until: ...
Certificate fingerprints:
         MD5:  XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
         SHA1: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
         Signature algorithm name: SHA1withRSA
         Version: 3
Extensions:
#1: ObjectId: X.X.XX.XX Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
]
...

*******************************************
*******************************************
</code></pre>
<p>while certificate.pfx exported from IE with "Include all certificates in the certification path" contains a certificate chain with the second Trusted CA certificate (Certificate chain length: 2):</p>
<pre><code>keytool -list -keystore certificate.p12 -storepass secret -storetype PKCS12 -v

*******************************************
*******************************************

Alias name: alias
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=MyCompany, EMAILADDRESS=my.email@domain.com, O=bla, C=PL
Issuer: CN=Trusted CA, O=ble, C=PL
Serial number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Valid from: ... until: ...
Certificate fingerprints:
         MD5:  XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
         SHA1: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
         Signature algorithm name: SHA1withRSA
         Version: 3
Extensions:
#1: ObjectId: X.X.XX.XX Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
]
...
Certificate[2]:
Owner: CN=Trusted CA, O=ble ble ble, C=PL
Issuer: CN=ROOT CA, O=ble ble ble, C=PL
Serial number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Valid from: ... until: ...
Certificate fingerprints:
         MD5:  XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
         SHA1: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
         Signature algorithm name: SHA1withRSA
         Version: 3
Extensions:

*******************************************
*******************************************
</code></pre>
<p>So to solve my problem I need to have a p12 certificate with the chain to the trusted CA certificate. I can do this by importing the p12 to IE and then exporting it back with "Include all certificates in the certification path".</p>
<p>How can I do this without IE using keytool or another tool?</p>
<p>Bary</p>
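An added example, not part of Bary's post, that rebuilds the chain with plain JDK classes instead of the IE round-trip: it reads certificate.p12, locates the leaf's issuer among the supplied CA files by subject match plus an actual signature check, and writes a new PKCS12 whose PrivateKeyEntry carries the full chain up to the self-signed root. It assumes trusted_ca.cer and root_ca.cer are the "Trusted CA" and "ROOT CA" certificates from the keytool listing and reuses the file names and the password "secret" from the question; the resulting file can then be converted with the same keytool -importkeystore command as above.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/** Rewrites certificate.p12 so its PrivateKeyEntry carries the chain leaf -> Trusted CA -> ROOT CA. */
public class AddChainToP12 {
    // File names and the store password ("secret") are taken from the question; adjust as needed.
    static final String SRC = "certificate.p12", DST = "certificate_chain.p12";
    static final String[] CA_FILES = {"trusted_ca.cer", "root_ca.cer"};
    static final char[] PW = "secret".toCharArray();

    public static void main(String[] args) throws Exception {
        KeyStore src = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(SRC)) { src.load(in, PW); }
        // Candidate issuers: CertificateFactory accepts both DER and PEM encoded .cer files.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> cas = new ArrayList<>();
        for (String f : CA_FILES) {
            try (InputStream in = new FileInputStream(f)) { cas.add((X509Certificate) cf.generateCertificate(in)); }
        }
        KeyStore dst = KeyStore.getInstance("PKCS12");
        dst.load(null, null);                                   // start with an empty store
        for (String alias : Collections.list(src.aliases())) {
            if (!src.isKeyEntry(alias)) continue;               // only the key entry needs a chain
            X509Certificate leaf = (X509Certificate) src.getCertificate(alias);
            List<Certificate> chain = new ArrayList<>();
            chain.add(leaf);
            // Walk upwards: accept a CA only if its subject equals the current issuer AND its public key
            // verifies the current signature (a name match alone proves nothing); stop at a self-signed root.
            X509Certificate cur = leaf;
            while (!cur.getIssuerX500Principal().equals(cur.getSubjectX500Principal())) {
                X509Certificate issuer = null;
                for (X509Certificate ca : cas) {
                    if (!ca.getSubjectX500Principal().equals(cur.getIssuerX500Principal())) continue;
                    try { cur.verify(ca.getPublicKey()); issuer = ca; break; } catch (Exception e) { /* wrong CA */ }
                }
                if (issuer == null) throw new IllegalStateException("No issuer found for " + cur.getSubjectX500Principal());
                chain.add(issuer);
                cur = issuer;
            }
            // Same alias and key password as in the original store, now with the complete chain attached.
            dst.setKeyEntry(alias, src.getKey(alias, PW), PW, chain.toArray(new Certificate[0]));
        }
        try (OutputStream out = new FileOutputStream(DST)) { dst.store(out, PW); }
    }
}
```

Run `keytool -list -v -storetype PKCS12 -keystore certificate_chain.p12 -storepass secret` afterwards and the entry should report a chain length greater than 1 before you convert it to JKS.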