dplesa dplesa - 1 year ago 67
Java Question

Correct way to import root and intermediate certifiacts in Java cacerts

My company has its own

ROOT
certificate. Using this certificate they signed
intermediate
certificate.

Then we issued CSR for
server
certificate and signed it with
intermediate
certificate.

What is a correct way to import the
ROOT
certificate and
intermediate
in Java cacerts file, in order to be able to establish SSL connection with the server which has
server
certificate signed by the
intermediate
?

I used OpenSSL to test certificate chain on the server:

openssl s_client -showcerts -connect host:443

CONNECTED(00000003)
depth=0 C = COUNTRYCODE, ST = myCountry, O = myOrganization, CN = myServer, emailAddress = myMail
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = COUNTRYCODE, ST = myCountry, O = myOrganization, CN = myServer, emailAddress = myMail
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = COUNTRYCODE, ST = myCountry, O = myOrganization, CN = myServer, emailAddress = myMail
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=COUNTRYCODE/ST=myCountry/O=myOrganization/CN=myServer/emailAddress=myMail
i:/CN=INTERMEDIATECERT
-----BEGIN CERTIFICATE-----
MIIFr...
-----END CERTIFICATE-----
---
Server certificate
subject=/C=COUNTRYCODE/ST=myCountry/O=myOrganization/CN=myServer/emailAddress=myMail
issuer=/CN=INTERMEDIATECERT
---
No client certificate CA names sent
---
SSL handshake has read 1601 bytes and written 589 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA

Answer Source

You only need to import the root certificate in the truststore.

 keytool -import -trustcacerts -keystore path/to/cacerts -storepass changeit  -alias aliasName -file path/to/certificate.cer

The SSL server during handshake should provide the certificate and the intermediates. The TrustManager of your client will validate the certification chain until root is found

Note: It is recommended to use your own truststore instead of modifying cacerts

Recommended from our users: Dynamic Network Monitoring from WhatsUp Gold from IPSwitch. Free Download