
keytool - unable to create chain of trust

1 reply [Last post]
wheinsohn
Joined: 2008-12-19
Points: 0

The goal is to import an updated signed CSR from a CA to my server keystore, because my domain certificate is outdated and needs to get renewed. The keystore has 2 entries:

- the old CA certificate
- the outdated certificate for my domain (which includes the above CA certificate, resulting in a cert chain of actually 2 entries)

Since I am unable to add the updated cert for my domain, as long as the outdated one is included, I delete the current one:

%JAVA_HOME%/bin/keytool -delete -v -keystore -alias

(the outdated cert is gone along with the cert chain)
Then I also delete the old CA certificate since the one in the received CSR seems to be a new one, leaving the keystore quite empty.
In the received CSR the chain of certs is viewable, so I used the fingerprints of the two signing CA certs to download them from their websites (equifax and trustcenter respectively).

Afterwards I start adding the certificates:
%JAVA_HOME%/bin/keytool -import -v -keystore -alias root -file Equifax_Secure_Certificate_Authority.cer
%JAVA_HOME%/bin/keytool -import -v -keystore -alias trustcenterca -file tc_ssl_ca_pr.pem
%JAVA_HOME%/bin/keytool -import -v -keystore -alias -file .pem

That seems to work, but when I list the content of the keystore, three entries show up, each by itself, without building a chain of trust.

Any help is much appreciated.
Thanks,
Werner

wheinsohn
Joined: 2008-12-19
Points: 0

I found the solution to my problem. The step involving the removal of the domain alias seems to also remove the private key of the keystore.

Nevertheless, the main problem was the provided keystore not matching the one the CSR was generated from. It really took a long road to figure that out.
After having the right keystore and issuing the last two import commands from above, the trusted certificate chain was created as intended.

Hopefully this helps someone else...
Cheers,
Werner