Import Thawte Trial Certificates into the Java Keystore

I am trying to configure a Tomcat server using SSL. I created a key pair this way:

$ keytool -genkeypair -alias tomcat -keyalg RSA -keystore keys 

Next, I create a certificate signing request:

 $ keytool -certreq -keyalg RSA -alias tomcat -keystore keys -file tomcat.csr 

I then paste the contents of tomcat.csr into the form on the Thawte website, requesting a trial SSL certificate. In return, I get two certificates, each delimited by -----BEGIN ... -----END, which I save as tomcat.crt and thawte.crt. (Thawte calls the second certificate the "CA Certificate Thawte Test CA".)

When I try to import any of them, it fails:

 $ keytool -importcert -alias tomcat -file tomcat.crt -keystore keys
 Enter keystore password:
 keytool error: java.lang.Exception: Failed to establish chain from reply
 $ keytool -importcert -alias thawte -file thawtetest.crt -keystore keys
 Enter keystore password:
 keytool error: java.lang.Exception: Input not an X.509 certificate

Adding the -trustcacerts parameter to any of these commands does not change anything.

Any idea what I'm doing wrong here?

+7
ssl tomcat pki
3 answers

I finally realized what was going on here. It turns out that the replies I received from Thawte are formatted as PKCS#7, while keytool expects a certificate in X.509 format.

openssl can be used to convert certificates from one format to another:

 $ openssl pkcs7 -in thawtetest.crt -print_certs | openssl x509 > thawtetest.x509 

Now thawtetest.x509 can be imported with keytool, followed by tomcat.crt.

+14

You should be able to import PKCS#7 chains with keytool if you are using a newer version. Exporting the certificates to separate files will also work, but with a recent keytool there should be no problem importing the PKCS#7 file itself.

0

Running into the same issue, I found this post, which helped me. I put the test certificates I received into one file and imported it with keytool, making sure that the alias (the keytool -alias parameter) I used was different (i.e. not the alias I used when creating the certificate request). It is a misleading error message; keytool just doesn't like it when you try to import into the same alias.

0
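Putting the first and third answers together as an added example (this is not code from the question or from any of the answers): a POSIX shell script that tells a PKCS#7 reply from a plain X.509 file by its PEM header, converts it with openssl while keeping every certificate in the reply (the one-liner in the first answer, piping -print_certs into openssl x509, keeps only the first one), splits the bundle into single certificates, identifies the self-signed CA certificate, and imports it under a separate alias before importing the server certificate under the key pair's alias. The file names reply.pem and reply-N.pem, the "-ca" alias suffix, and the assumption that the trial CA certificate is self-signed are all mine, not Thawte's or keytool's.

```shell
#!/bin/sh
# Added example, not code from the question or the answers. Assumptions: the
# reply from Thawte is in a file such as thawtetest.crt, the key pair sits in
# keystore "keys" under alias "tomcat", and openssl and keytool are on PATH.
set -eu

# detect_pem_type FILE: print "pkcs7", "x509" or "unknown" from the PEM header.
# keytool's "Input not an X.509 certificate" corresponds to the pkcs7 case.
detect_pem_type() {
  if grep -q -- '-----BEGIN PKCS7-----' "$1"; then
    echo pkcs7
  elif grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
    echo x509
  else
    echo unknown
  fi
}

# count_certs FILE: number of X.509 certificates in a PEM bundle (0 if none).
count_certs() {
  # grep -c still prints 0 when nothing matches but exits 1; keep set -e calm.
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# pkcs7_to_pem IN OUT: write every certificate in a PKCS#7 reply to OUT.
# Piping -print_certs into "openssl x509" keeps only the first certificate;
# -out keeps the whole chain, CA certificate included.
pkcs7_to_pem() {
  openssl pkcs7 -in "$1" -print_certs -out "$2"
}

# split_bundle FILE PREFIX: write each certificate to PREFIX-1.pem, PREFIX-2.pem, ...
# The subject=/issuer= lines emitted by -print_certs between certificates are dropped.
split_bundle() {
  awk -v prefix="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = prefix "-" n ".pem"; inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/ { close(out); inside = 0 }
  ' "$1"
}

# is_self_signed FILE: true when subject and issuer hash match, i.e. a root CA.
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# import_reply KEYSTORE KEYALIAS CA_FILE SERVER_FILE: CA certificate first, under
# its own alias with -trustcacerts, then the signed server certificate under the
# alias that already holds the private key, so keytool can build the chain.
# Reusing the key alias for the CA certificate is the mistake the third answer
# describes.
import_reply() {
  keystore=$1; keyalias=$2; cafile=$3; serverfile=$4
  keytool -importcert -trustcacerts -noprompt -alias "${keyalias}-ca" \
    -file "$cafile" -keystore "$keystore"
  keytool -importcert -alias "$keyalias" \
    -file "$serverfile" -keystore "$keystore"
}

# main REPLY KEYSTORE KEYALIAS: normalise the reply to PEM, split it, sort the
# pieces into CA and server certificate, and import them in the right order.
main() {
  reply=$1; keystore=$2; keyalias=$3
  case "$(detect_pem_type "$reply")" in
    pkcs7) pkcs7_to_pem "$reply" reply.pem ;;
    x509)  cp "$reply" reply.pem ;;
    *)     echo "$reply is not a PEM reply" >&2; exit 1 ;;
  esac
  echo "reply contains $(count_certs reply.pem) certificate(s)"
  split_bundle reply.pem reply
  cafile=; serverfile=
  for f in reply-*.pem; do
    if is_self_signed "$f"; then cafile=$f; else serverfile=$f; fi
  done
  if [ -z "$cafile" ] || [ -z "$serverfile" ]; then
    echo "could not tell CA and server certificate apart; import by hand" >&2
    exit 1
  fi
  import_reply "$keystore" "$keyalias" "$cafile" "$serverfile"
}

# Run main only when invoked with arguments, so the functions can also be sourced.
[ $# -eq 0 ] || main "$@"
```

Invoked as `sh import-reply.sh thawtetest.crt keys tomcat` (the script name is hypothetical), it leaves the keystore with the CA certificate under tomcat-ca and the signed chain under tomcat. If the reply carries an intermediate certificate as well, the self-signed check finds more than one non-root certificate and the script stops rather than guessing; as the second answer notes, a recent keytool can also be handed the PKCS#7 file directly, in which case only the alias rule from the third answer still matters.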
