Correct way to import root and intermediate certificates in Java cacerts

Submitted by 南楼画角 on 2019-12-08 06:17:39

Question


My company has its own ROOT certificate. Using this certificate, they signed an intermediate certificate.

Then we issued a CSR for the server certificate and signed it with the intermediate certificate.

What is the correct way to import the ROOT certificate and the intermediate into the Java cacerts file, in order to be able to establish an SSL connection with the server, which has a server certificate signed by the intermediate?

I used OpenSSL to test certificate chain on the server:

openssl s_client -showcerts -connect host:443

CONNECTED(00000003)
depth=0 C = COUNTRYCODE, ST = myCountry, O = myOrganization, CN = myServer, emailAddress = myMail
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = COUNTRYCODE, ST = myCountry, O = myOrganization, CN = myServer, emailAddress = myMail
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = COUNTRYCODE, ST = myCountry, O = myOrganization, CN = myServer, emailAddress = myMail
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=COUNTRYCODE/ST=myCountry/O=myOrganization/CN=myServer/emailAddress=myMail
   i:/CN=INTERMEDIATECERT
-----BEGIN CERTIFICATE-----
MIIFr...
-----END CERTIFICATE-----
---
Server certificate
subject=/C=COUNTRYCODE/ST=myCountry/O=myOrganization/CN=myServer/emailAddress=myMail
issuer=/CN=INTERMEDIATECERT
---
No client certificate CA names sent
---
SSL handshake has read 1601 bytes and written 589 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA

Answer 1:


You only need to import the root certificate in the truststore.

 keytool -import -trustcacerts -keystore path/to/cacerts -storepass changeit -alias aliasName -file path/to/certificate.cer

The SSL server should provide the certificate and the intermediates during the handshake. The TrustManager of your client will validate the certification chain until the root is found.

Note: It is recommended to use your own truststore instead of modifying cacerts.
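
The following is an added example, not part of the original question or answer: a name-only check of the "Certificate chain" section printed by `openssl s_client -showcerts`, showing that the server in the question sends only its leaf certificate, so a truststore holding just the root cannot complete the path. The samples are constructed from the output quoted above, and `/CN=ROOTCERT` is a placeholder because the question does not give the root's subject.

```python
import re

# Constructed sample: the "Certificate chain" section from the question's s_client output.
LEAF_ONLY = """Certificate chain
 0 s:/C=COUNTRYCODE/ST=myCountry/O=myOrganization/CN=myServer/emailAddress=myMail
   i:/CN=INTERMEDIATECERT
-----BEGIN CERTIFICATE-----
MIIFr...
-----END CERTIFICATE-----
---
"""

# Constructed sample: the same server once it also sends the intermediate.
# "/CN=ROOTCERT" is a placeholder; the question does not give the root's name.
WITH_INTERMEDIATE = """Certificate chain
 0 s:/C=COUNTRYCODE/ST=myCountry/O=myOrganization/CN=myServer/emailAddress=myMail
   i:/CN=INTERMEDIATECERT
 1 s:/CN=INTERMEDIATECERT
   i:/CN=ROOTCERT
---
"""

# One chain entry: "<depth> s:<subject>" followed by an indented "i:<issuer>" line.
ENTRY = re.compile(r"^ *(\d+) s:(.+)\n +i:(.+)$", re.MULTILINE)

def parse_chain(output):
    """Return [(depth, subject, issuer)] for each certificate the server sent."""
    _, found, rest = output.partition("Certificate chain")
    if not found:
        return []
    # The section ends at the first line that is exactly "---" (PEM markers do not match).
    section = re.split(r"^---\s*$", rest, maxsplit=1, flags=re.MULTILINE)[0]
    return [(int(d), s.strip(), i.strip()) for d, s, i in ENTRY.findall(section)]

def diagnose(output, trusted_subjects):
    """Compare names only (no signature checks) and list what blocks path building."""
    chain = parse_chain(output)
    if not chain:
        return ["no certificate chain in output"]
    problems = []
    for (d, _, issuer), (d2, subject2, _) in zip(chain, chain[1:]):
        if issuer != subject2:
            problems.append(f"cert {d} issuer does not match cert {d2} subject")
    last_depth, last_subject, last_issuer = chain[-1]
    if last_issuer not in trusted_subjects and last_subject not in trusted_subjects:
        problems.append(f"cert {last_depth} is issued by {last_issuer}, which is not in "
                        "the truststore: the server must also send that CA certificate")
    return problems

if __name__ == "__main__":
    for name, sample in (("leaf only", LEAF_ONLY), ("with intermediate", WITH_INTERMEDIATE)):
        print(name, "->", diagnose(sample, {"/CN=ROOTCERT"}) or "chain ends at a trusted CA")
```

This compares subject and issuer strings only; the actual signature and validity checks are still done by the client's TrustManager during the handshake.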



Source: https://stackoverflow.com/questions/42027922/correct-way-to-import-root-and-intermediate-certifiacts-in-java-cacerts
