scop / portecle

User friendly GUI application for creating, managing and examining keystores, keys, certificates, certificate requests, certificate revocation lists and more
http://portecle.sourceforge.net/
GNU General Public License v2.0

allow to import certificate chains #5

Open scop opened 18 years ago

scop commented 18 years ago

e.g. if an intermediary certificate is not in the trust-store of a browser, Tomcat may not just serve the leaf but must serve the entire chain.

for this to happen, it looks as if

    Ralf Hauser@Acer_Ralf:/<3>RALFHA~1/Desktop> $JAVA_HOME/bin/keytool -list -keystore www.ks -v
    Enter keystore password: importkey

    Keystore type: jks
    Keystore provider: SUN

    Your keystore contains 1 entry

    Alias name: importkey
    Creation date: Nov 16, 2006
    Entry type: keyEntry
    Certificate chain length: 3
    Certificate[1]:
    Owner: CN=www.privasphere.com, OU=Secure Messaging, O=PrivaSphere AG, L=Zuerich, ST=ZH, C=CH
    Issuer: CN=QV Schweiz ICA, OU=Issuing Certificate Authority, O=QuoVadis Trustlink Schweiz AG, C=CH
    Serial number: 21e3
    Valid from: Wed Oct 25 11:35:12 CEST 2006 until: Sat Oct 25 11:35:12 CEST 2008
    Certificate fingerprints:
             MD5: 30:10:0A:E5:91:35:47:36:AB:A2:45:08:55:19:4A:5F
             SHA1: 7B:4B:19:30:B6:FB:E2:71:D5:2E:42:DF:FA:43:2D:9C:FD:03:CD:98
    Certificate[2]:
    Owner: CN=QV Schweiz ICA, OU=Issuing Certificate Authority, O=QuoVadis Trustlink Schweiz AG, C=CH
    Issuer: CN=QuoVadis Root Certification Authority, OU=Root Certification Authority, O=QuoVadis Limited, C=BM
    Serial number: 421fcec0
    Valid from: Wed Mar 15 22:06:52 CET 2006 until: Tue Mar 15 22:06:52 CET 2016
    Certificate fingerprints:
             MD5: C5:59:4C:76:54:6C:A5:EA:2C:31:6F:61:D0:7C:12:39
             SHA1: 67:EC:CD:0A:90:2E:86:8D:70:00:87:2E:A1:FD:79:C1:6B:CF:1F:AB
    Certificate[3]:
    Owner: CN=QuoVadis Root Certification Authority, OU=Root Certification Authority, O=QuoVadis Limited, C=BM
    Issuer: CN=QuoVadis Root Certification Authority, OU=Root Certification Authority, O=QuoVadis Limited, C=BM
    Serial number: 3ab6508b
    Valid from: Mon Mar 19 19:33:33 CET 2001 until: Wed Mar 17 19:33:33 CET 2021
    Certificate fingerprints:
             MD5: 27:DE:36:FE:72:B7:00:03:00:9D:F4:F0:1E:6C:04:24
             SHA1: DE:3F:40:BD:50:93:D3:9B:6C:60:F6:DA:BC:07:62:01:00:89:76:C9

is needed.

At least with root certificates that are not part of jre/lib/security/cacerts, it is tricky to insert a chain under one alias.

With the Windows certmgr it is possible to export a certificate chain into a p7b file, but the same error as attached appears, and with the keytool command-line tool you get:

    keytool error: java.lang.Exception: Input not an X.509 certificate

Reported by: ralfhauser
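One way to attach the intermediate and root certificates from a bundle to an existing key entry using only the standard `java.security` API, as an added example (not Portecle's code and not part of the original report). The class name and argument order are hypothetical, and it assumes a JKS keystore whose key password equals the store password and a bundle in PKCS#7 (.p7b) or concatenated PEM/DER form.

```java
import java.io.*;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.*;

public class ImportChain {
    // Orders an unsorted bundle leaf-first by following issuer names and verifying each signature.
    static List<X509Certificate> order(X509Certificate leaf, Collection<X509Certificate> pool)
            throws GeneralSecurityException {
        List<X509Certificate> chain = new ArrayList<>();
        chain.add(leaf);
        X509Certificate cur = leaf;
        while (!cur.getSubjectX500Principal().equals(cur.getIssuerX500Principal())) {
            X509Certificate issuer = null;
            for (X509Certificate c : pool)
                if (c.getSubjectX500Principal().equals(cur.getIssuerX500Principal())) issuer = c;
            if (issuer == null || chain.contains(issuer)) break; // incomplete bundle or loop: stop
            cur.verify(issuer.getPublicKey());                   // throws if the signature does not match
            chain.add(issuer);
            cur = issuer;
        }
        return chain;
    }

    public static void main(String[] args) throws Exception {
        // args (hypothetical order): keystore file, password, alias, bundle file (.p7b or PEM)
        char[] pw = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) { ks.load(in, pw); }
        Key key = ks.getKey(args[2], pw);
        X509Certificate leaf = (X509Certificate) ks.getCertificate(args[2]);
        if (key == null || leaf == null) throw new KeyStoreException("no key entry: " + args[2]);

        List<X509Certificate> pool = new ArrayList<>();
        try (InputStream in = new BufferedInputStream(new FileInputStream(args[3]))) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in))
                pool.add((X509Certificate) c);
        }
        List<X509Certificate> chain = order(leaf, pool);
        ks.setKeyEntry(args[2], key, pw, chain.toArray(new Certificate[0]));
        try (OutputStream out = new FileOutputStream(args[0])) { ks.store(out, pw); }
        System.out.println("Certificate chain length: " + chain.size());
    }
}
```

Running `keytool -list -v` on the keystore afterwards should report the same chain length the program prints; a length of 1 means no certificate in the bundle matched the leaf's issuer.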

scop commented 18 years ago

chainImportFails.png error message

Original comment by: ralfhauser

scop commented 18 years ago

Logged In: YES user_id=266141 Originator: YES

a work-around is in http://www.agentbob.info/agentbob/79.html

Original comment by: ralfhauser