Adding certificate chain to p12(pfx) certificate
Asked Answered
M

2

29

I have aplication in java and cxf which connects to WebServices with client certificate.

I got certificates form WebService owner

  • certificate.p12
  • certificate.pem
  • certificate.crt
  • trusted_ca.cer
  • root_ca.cer

I have problem with straightforward converting this p12 certficate to working jks keystore requred by java.

I did this:

keytool -importkeystore -srckeystore certificate.p12 -srcstoretype PKCS12 -destkeystore certificate1.jks -deststoretype JKS -storepass secret
keytool -import -alias root -file root_ca.cer -trustcacerts -keystore certificate1.jks -storepass secret
keytool -import -alias trusted -file trusted_ca.cer -trustcacerts -keystore certificate1.jks -storepass secret

but this jks doesn`t work and I get HTTP response '403: Forbidden' when using this certificate1.jks

However if I import this p12(pfx) certificate to Internet Explorer and then export this certificate from IE to pfx format selecting "Include all certificates in the certification path" checkbox and use:

keytool -importkeystore -srckeystore certificate.pfx -srcstoretype PKCS12 -destkeystore certificate2.jks -deststoretype JKS -storepass secret
keytool -import -alias root -file root_ca_kir.cer -trustcacerts -keystore certificate2.jks -storepass secret
keytool -import -alias trusted -file trusted_ca_kir.cer -trustcacerts -keystore certificate2.jks -storepass secret

Then everything works fine and I can connect to WebService using certificate2.jks.

I found that original certificate.p12(pfx) contains only one entry (Certificate chain length: 1):

keytool -list -keystore certificate.p12 -storepass secret -storetype PKCS12 -v


*******************************************
*******************************************

Alias name: alias
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=MyCompany, [email protected], O=bla, C=PL
Issuer: CN=Trusted CA, O=ble, C=PL
Serial number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Valid from: ... until: ...
Certificate fingerprints:
         MD5:  XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
         SHA1: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions:

#1: ObjectId: X.X.XX.XX Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

...

*******************************************
*******************************************

while certificate.pfx exported from IE with "Include all certificates in the certification path" contains certificate chain with second Trusted CA certificate (Certificate chain length: 2):

keytool -list -keystore certificate.p12 -storepass secret -storetype PKCS12 -v



*******************************************
*******************************************

Alias name: alias
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=MyCompany, [email protected], O=bla, C=PL
Issuer: CN=Trusted CA, O=ble, C=PL
Serial number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Valid from: ... until: ...
Certificate fingerprints:
         MD5:  XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
         SHA1: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions:

#1: ObjectId: X.X.XX.XX Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

...

Certificate[2]:
Owner: CN=Trusted CA, O=ble ble ble, C=PL
Issuer: CN=ROOT CA, O=ble ble ble, C=PL
Serial number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Valid from: ... until: ...
Certificate fingerprints:
         MD5:  XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
         SHA1: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions:


*******************************************
*******************************************

So to solve my problem I need to have p12 certificate with chain to trusted CA certificate. I can do this by importing p12 to IE and then exporting back with "Include all certificates in the certification path".

How can I do this without IE using keytool or other tool?

Bary

Mackenie answered 13/9, 2013 at 13:24 Comment(0)
M
59

Own answer.

I figured out how to do this with OpenSSL:

openssl pkcs12 -in certificate.p12 -out clientcert.pem -nodes -clcerts
openssl x509 -in trusted_ca.cer -inform DER -out trusted_ca.pem
openssl x509 -in root_ca.cer -inform DER -out root_ca.pem
cat clientcert.pem trusted_ca.pem root_ca.pem >> clientcertchain.pem
openssl pkcs12 -export -in clientcertchain.pem -out clientcertchain.pfx
Mackenie answered 16/9, 2013 at 14:39 Comment(4)
Add to add the -nokeys option to the last command. I have OpenSSL 1.0.1e-fips 11 Feb 2013Sharpe
I spent hours looking for this functionality. Fantastic! I needed it for Tomcat 7.0.63 on Windows 2008 R2.Tosch
@Sharpe you would only use the -nokeys option if you didn't want the private key to be stored in the resulting pfx filePhilpott
Can we do this with Java? I mean, read a pfx file without its certificate chain, and import all the necessary chain entries and export to a new file with the complete chain?Leonardaleonardi
S
-1

If you are working in Windows OS, you can install the certificate as usual through the IIS, then open mmc.exe -> File -> Add / Remove Snap In -> Double click on "Certificates" Select "Computer Account", next, finish, OK.

enter image description here

Expand certificates, if needed add the certificates from the CA into "Intermediate Certification Authorities" or "Trusted Root Certification Authorities".

enter image description here

Then go to "Web Hosting", here must be your webSite certificates, select the certificate, left click on it, select Export and follow the wizard, the important things to check are "Include Private Key", Include all certificates on the chain, export all extended properties, you must set a password, select the output flie name and this is it. Now you have a certificate with the complete chain on it. No more problems with Facebook or similar.

Strobel answered 11/4, 2019 at 19:30 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.