link between private key and signed certificate in keystore

荒凉一梦 submitted on 2019-12-20 04:21:08

Question


I am doing the Jetty SSL configuration.

I have created a CSR using keytool, which has added a private key to the keystore.

Received the certificate based on the CSR, converted the certificate to DER format and imported the certificate into the keystore as trustcacerts.

The signed certificate has the root/intermediate certificates in the certificate path.

I also installed the root and intermediate certificate in the IE under the trusted root certificate after converting it into DER format.

While using https, the browser shows a certificate error and considers the certificate as a self-signed certificate.

Question

Does this mean the installed signed certificate is not considered since the certificate does not have the Root/intermediate certificate in the certificate path?

Though the signed certificate received from the CA has the link to the root/intermediate certificate in the certificate path.

Please suggest if anything is wrong in the process. Adding the keytool commands followed for this.

Created keystore

keytool -keystore serverdns.keystore -alias server -genkey -keyalg RSA -keysize 2048

Create CSR

keytool -certreq -alias server -keystore serverdns.keystore -file server.csr

Installing signed certificate

keytool -import -trustcacerts -alias cert -keystore serverdns.keystore -file signedcert.der.cer

I have tried using the same alias 'server' while installing the signed certificate, but it failed with the error:

keytool error: java.lang.Exception: Failed to establish chain from reply


Answer 1:


You need to import the signed certificate using the same alias as the private key and the CSR. Otherwise there is no connection between them, and the new certificate is just another certificate. You should not use -trustcacerts for this step, and if you are asked whether to trust the certificate you've got the alias wrong.




Answer 2:


keytool error: java.lang.Exception: Failed to establish chain from reply

Take a look at the option -trustcacerts, if your CA is in the truststore. Also, you should have to add the CA's intermediate certificates to your keystore before signedcert.der.cer.



Source: https://stackoverflow.com/questions/23238337/link-between-private-key-and-signed-certificate-in-keystore
