keytool - unable to create chain of trust
The goal is to import an updated signed CSR from a CA to my server keystore, because my domain certificate is outdated and needs to get renewed. The keystore has 2 entries:
- the old CA certificate
- the outdated certificate for my domain (which includes the above CA certificate, resulting in a cert chain of actually 2 entries)
Since I am unable to add the updated cert for my domain, as long as the outdated one is included, I delete the current one:
%JAVA_HOME%/bin/keytool -delete -v -keystore -alias
(the outdated cert is gone along with the cert chain)
Then I also delete the old CA certificate since the one in the received CSR seems to be a new one, leaving the keystore quite empty.
In the received CSR the chain of certs is viewable, so I used the fingerprints of the two signing CA certs to download them from their websites (Equifax and TrustCenter respectively).
Afterwards I start adding the certificates:
%JAVA_HOME%/bin/keytool -import -v -keystore -alias root -file Equifax_Secure_Certificate_Authority.cer
%JAVA_HOME%/bin/keytool -import -v -keystore -alias trustcenterca -file tc_ssl_ca_pr.pem
%JAVA_HOME%/bin/keytool -import -v -keystore -alias -file .pem
That seems to work, but when I list the content of the keystore, three entries show up, but all for themselves without building a chain of trust.
Any help is much appreciated.
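
Added example, not part of the original post: a Java keystore stores a certificate chain only on a key entry (an alias that holds a private key). Certificates imported under an alias that has no private key are stored as independent trusted certificate entries. The diagnostic below uses the standard `java.security.KeyStore` API to print, for each alias, which kind of entry it is and whether each link of a stored chain verifies. The class name and the command-line arguments are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Usage: java KeystoreChainCheck <keystore-file> [store-password]
public class KeystoreChainCheck {
    public static void main(String[] args) throws Exception {
        // Prompt for the password when it is not given as the second argument.
        char[] pw = args.length > 1 ? args[1].toCharArray()
                : System.console().readPassword("Keystore password: ");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, pw);
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                // Only key entries carry a chain: [0] is the end-entity certificate.
                Certificate[] chain = ks.getCertificateChain(alias);
                int n = chain == null ? 0 : chain.length;
                System.out.printf("%s: key entry, chain length %d%n", alias, n);
                for (int i = 0; i < n; i++) {
                    X509Certificate c = (X509Certificate) chain[i];
                    boolean last = i == n - 1;
                    // Each certificate must be signed by the next; the last by itself.
                    boolean ok = signedBy(c, last ? c : chain[i + 1]);
                    String status = ok ? (last ? "self-signed root" : "signed by next")
                            : (last ? "chain ends without a self-signed root" : "NOT signed by next");
                    System.out.printf("  [%d] %s (%s)%n", i,
                            c.getSubjectX500Principal().getName(), status);
                }
            } else {
                // Trusted certificate entry: a single certificate, no private key, no chain.
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                System.out.printf("%s: trusted certificate entry%n  subject=%s%n  issuer=%s%n",
                        alias, c.getSubjectX500Principal().getName(),
                        c.getIssuerX500Principal().getName());
            }
        }
    }

    // True when the signature on c verifies under signer's public key.
    static boolean signedBy(Certificate c, Certificate signer) {
        try { c.verify(signer.getPublicKey()); return true; }
        catch (Exception e) { return false; }
    }
}
```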