0 votes

I'm trying to set up a Thawte SSL123 certificate on my server, but I've lost the original keystore used to generate the CSR. However, I have the .p12 file with the private key and the .crt, so I created a new keystore using the command:

keytool -importkeystore -srckeystore file.p12 -srcstoretype pkcs12 -destkeystore /path/to/keystore.jks

After that, I added the intermediate CA certificates as:

keytool -import -alias Primary -trustcacerts -file SSL123_PrimaryCA.pem -keystore keystore.jks

keytool -import -alias Secondary -trustcacerts -file SSL123_SecondaryCA.pem -keystore keystore.jks

Then I added a Connector port to my server.xml

I think that's all, but when I check the status with the Thawte Certificate Checker (https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO9555) it fails with "Invalid Chain":

Please install or replace the following intermediate CA certificates on your Web or Application server and perform this test again.

So... what exactly am I doing wrong? How can I fix that?

Thanks for any advice!


2 Answers

1 vote

Importing the intermediate certificates under other aliases won't have any effect; you need to import the whole chain in one go into the alias where the private key is, as described in this answer.

0 votes

Keystores are a little tricky to work with.

When you look at your keystore by performing "keytool -list -v -keystore [keystorename]" and see multiple certificates chaining, then more than likely your installation of the intermediates is fine. The Thawte checker is slightly out of date and is expecting a certificate chain that might differ from modern standards.

Depending on the version of keytool, it might not like the .pem extension of those files, so try:

keytool -import -trustcacerts -alias secondaryIntermediate -keystore your_keystore_filename -file secondary_inter.cer

keytool -import -trustcacerts -alias primaryIntermediate -keystore your_keystore_filename -file primary_inter.cer

If you play with keystores a lot, there is a free GUI tool called Portecle (http://portecle.sourceforge.net/) that makes life a lot easier for fixing and playing with keystores.
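As an added example (not code from the question or from either answer), the script below does what the first answer describes and then runs the "keytool -list -v" check the second answer mentions: it concatenates the leaf certificate and the two intermediates into one chain file in issuing order, imports that single file under the alias that already holds the private key (keytool treats this as a certificate reply and replaces that entry's chain), and prints the chain length keytool now stores for the entry. The file names, the KEY_ALIAS value and the function names are assumptions for illustration, not values from the original post; the Thawte file names are reused from the question.

```shell
#!/bin/sh
# Added example: rebuild the certificate chain under the key entry itself.
# Assumed inputs (placeholders, not the asker's real files):
#   server.crt              - leaf certificate issued for the server
#   SSL123_SecondaryCA.pem  - intermediate that signed the leaf
#   SSL123_PrimaryCA.pem    - intermediate that signed the secondary
#   keystore.jks            - keystore created with keytool -importkeystore
#   KEY_ALIAS               - alias of the private key entry; find it with
#                             "keytool -list -keystore keystore.jks"
set -eu

# Concatenate PEM certificates in chain order: leaf first, then each
# intermediate, each one the issuer of the certificate before it.
# usage: build_chain_pem out.pem leaf.pem intermediate1.pem [intermediate2.pem ...]
build_chain_pem() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        cat "$f" >> "$out"
        # Start the next block on a fresh line even if this file has no trailing newline.
        if [ -n "$(tail -c1 "$f")" ]; then
            printf '\n' >> "$out"
        fi
    done
}

# Count the certificates in a PEM bundle; for leaf + two intermediates expect 3.
count_pem_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Import the whole chain under the private-key alias. Because the alias
# already holds a key, keytool checks that the first certificate matches
# that key and then stores the full chain on the entry. Intermediates sitting
# under their own aliases are never sent to clients, which is why the
# checker still reported an incomplete chain. -trustcacerts lets keytool
# validate the chain against the roots in the JDK cacerts file.
# usage: install_chain keystore.jks KEY_ALIAS chain.pem
install_chain() {
    keytool -importcert -trustcacerts -alias "$2" -file "$3" -keystore "$1"
}

# Show what keytool now stores for the entry; "Certificate chain length: 3"
# is what a leaf plus two intermediates should produce.
# usage: show_chain_length keystore.jks KEY_ALIAS
show_chain_length() {
    keytool -list -v -alias "$2" -keystore "$1" | grep 'Certificate chain length'
}

# Full procedure; only runs when RUN_KEYTOOL=1 so the helpers above can be
# used (and tested) on a machine without keytool or the real certificates.
main() {
    KEY_ALIAS=${KEY_ALIAS:-1}   # assumption: keytool named the imported key entry "1"
    build_chain_pem chain.pem server.crt SSL123_SecondaryCA.pem SSL123_PrimaryCA.pem
    echo "certificates in chain.pem: $(count_pem_certs chain.pem)"
    install_chain keystore.jks "$KEY_ALIAS" chain.pem
    show_chain_length keystore.jks "$KEY_ALIAS"
}

if [ "${RUN_KEYTOOL:-0}" = 1 ]; then
    main
fi
```

Run it with RUN_KEYTOOL=1 KEY_ALIAS=<your alias> sh rebuild-chain.sh after placing the four input files next to it. An equivalent route, if you prefer to rebuild the PKCS#12 first, is "openssl pkcs12 -export -inkey key.pem -in server.crt -certfile chain.pem -name tomcat -out full.p12" followed by the same keytool -importkeystore command as in the question; either way the chain ends up on the key entry, and a fresh "keytool -list -v" should show a chain length of 3 before you rerun the Thawte checker.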