Login/Register
Importing Thawte trial certificates into a Java keystore
Asked Answered
Solved tomcatsslpkithawte
D

3

8

I'm trying to configure a Tomcat server with SSL. I've generated a keypair thus:

$ keytool -genkeypair -alias tomcat -keyalg RSA -keystore keys

Next I generate a certificate signing request:

$ keytool -certreq -keyalg RSA -alias tomcat -keystore keys -file tomcat.csr

Then I copy-paste the contents of tomcat.csr into a form on Thawte's website, asking for a trial SSL certificate. In return I get two certificates delimited with -----BEGIN ... -----END, that I save under tomcat.crt and thawte.crt. (Thawte calls the second certificate a 'Thawte Test CA Root' certificate).

When I try to import either of them it fails:

$ keytool -importcert -alias tomcat -file tomcat.crt -keystore keys
Enter keystore password:
keytool error: java.lang.Exception: Failed to establish chain from reply

$ keytool -importcert -alias thawte -file thawtetest.crt -keystore keys
Enter keystore password:
keytool error: java.lang.Exception: Input not an X.509 certificate

Adding the -trustcacerts option to either of these commands doesn't change anything either.

Any idea what I am doing wrong here?

Designedly answered 9/4, 2010 at 8:42 Comment(0)
D
14

I finally understood what was going on here. It turns out that the replies that I got from Thawte are formatted as PKCS#7, whereas keytool expects certificated in the X.509 format.

openssl can be used to convert certificates from one format to another:

$ openssl pkcs7 -in thawtetest.crt -print_certs |
  openssl x509 > thawtetest.x509

Now you can import thawtetest.x509 with keytool, and tomcat.crt right behind it.

Designedly answered 12/4, 2010 at 6:43 Comment(1)
Thanks... You would think they would mention this in the e-mail... Since the intermediate one (also in the e-mail) is x509!Insoluble
W
0

You should be able to import PKCS#7 chains using keytool, so long as you're using a more recent version. Exporting the certs into distinct files will work, too, but if you're running a recent version of keytool there should be no problem importing the PKCS#7 file itself.

Workday answered 28/6, 2010 at 19:53 Comment(0)
C
0

Having run into the same trouble I found this post which helped me out. I put the trial certificates I received into a single file and used keytool to import making sure the ALIAS (keytool -alias param) I used was different (ie not the same alias I used when creating the certificates for the request). It is a bizarre error message given it simply doesn't like you trying to import to the same alias.

Cymoid answered 3/10, 2010 at 8:31 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.