We have renewed the certificate of one of our servers (Apache httpd). For a web service interface (for mobile clients) we also need the certificate on Tomcat, which means stored in a Java keystore. We already have our certificate in the Java keystore, but the root certificates are still missing.
If we list the details of the old keystore certificate we get:
/> keytool -list -v -keystore 2012.jks -alias ourcertificate
Keystore-Kennwort eingeben:
Aliasname: ourcertificate
...
...
...
Zertifikatkettenlänge: 3 // certificate length: 3
Zertifikat[1]: // certificate[1]
...
...
...
Zertifikat[2]:
...
...
...
Zertifikat[3]:
...
...
...
What is important here is that all CA certificates are already part of the "ourcertificate" alias of the keystore.
If we list the details of the new certificate (of the new keystore file) we get:
/> keytool -list -v -keystore 2015.jks -alias ourcertificate
Keystore-Kennwort eingeben:
Aliasname: ourcertificate
...
...
...
Zertifikatkettenlänge: 1 // certificate length: 1
Zertifikat[1]: // certificate[1]
...
...
...
The CA certificates are missing here. To import the CA certificates we are trying the following command:
/> keytool -import -alias alpha -file gsalphasha2g2r1.der -keystore 2015.jks
Keystore-Kennwort eingeben:
...
...
...
Diesem Zertifikat vertrauen? [Nein]: Ja // trust this certificate? [No]: Yes
Zertifikat wurde Keystore hinzugefügt // certificate successfully added to keystore
But this adds a new trusted certificate to the keystore (with a new alias). Adding the root CA certificate doesn't help either. If we list the certificate details of the "ourcertificate" entry we still get a certificate length of 1. Specifying "ourcertificate" while importing the CA certificates doesn't help either (we then get an error that the public keys in the answer and keystore are not identical; "Keytool-Fehler: java.lang.Exception: Public Keys in Antwort und Keystore stimmen nicht überein" in German).
What's wrong? How can we import the CA certificates into a Java keystore so that the CA certificates will be linked to "ourcertificate"?
EDIT
I think I must also describe how we imported the private key and certificate pair. That's a little bit difficult, because the CSR was made with openssl. We needed to import the private key and the certificate into the keystore file. To do that we used the following Java class: http://www.agentbob.info/agentbob/79-AB.html (the ImportKey class). We know that this works. But maybe there was an error while importing the key and the certificate ...
0 Answers
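The chain-length comparison the question does by eye (3 in 2012.jks, 1 in 2015.jks) can be automated as a post-renewal check. This is an added example, not part of the original post: the function names, the `expected` mapping and the sample listing are constructed, and the English labels are assumed to match what keytool prints in an English locale.

```python
import re

# Labels from `keytool -list -v`: German as shown in the post, English as the
# assumed equivalent in an English locale.
ALIAS_RE = re.compile(r"^\s*(?:Aliasname|Alias name):\s*(.+?)\s*$")
CHAIN_RE = re.compile(r"^\s*(?:Zertifikatkettenlänge|Certificate chain length):\s*(\d+)")


def chain_lengths(listing):
    """Map each alias to its chain length. None means no chain length line
    followed the alias (assumed here to be a trusted certificate entry)."""
    result, current = {}, None
    for line in listing.splitlines():
        m = ALIAS_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = None
            continue
        m = CHAIN_RE.match(line)  # trailing text such as "// ..." is ignored
        if m and current is not None:
            result[current] = int(m.group(1))
    return result


def incomplete_chains(listing, expected):
    """Return (alias, found, wanted) for aliases that are missing, carry no
    chain, or carry a chain shorter than expected."""
    found = chain_lengths(listing)
    return [(alias, found.get(alias), want)
            for alias, want in expected.items()
            if found.get(alias) is None or found[alias] < want]


# Constructed sample modelled on the 2015.jks state described in the post:
# the key entry has chain length 1, the CA sits under its own alias "alpha".
SAMPLE_2015 = """\
Aliasname: ourcertificate
Zertifikatkettenlänge: 1 // certificate length: 1
Zertifikat[1]:

Aliasname: alpha
"""

if __name__ == "__main__":
    for alias, have, want in incomplete_chains(SAMPLE_2015, {"ourcertificate": 3}):
        print(f"{alias}: chain length {have}, expected at least {want}")
```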