0

I'm trying to set up a Thawte 123SSL certificate on my server but I've lost the original keystore used to generate the CSR. However, I have the .p12 file with the private key and the .crt, so I created a new keystore using the command:

keytool -importkeystore -srckeystore file.p12 -srcstoretype pkcs12 -destkeystore /path/to/keystore.jks

After that, I added the intermediate CA certificates as:

keytool -import -alias Primary -trustcacerts -file SSL123_PrimaryCA.pem -keystore keystore.jks

keytool -import -alias Secondary -trustcacerts -file SSL123_SecondaryCA.pem -keystore keystore.jks

Then I added a Connector port to my server.xml

I think that's all, but when I check the status with Thawte Certificate Checker https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO9555 it failed due to Invalid Chain:

Please install or replace the following intermediate CA certificates on your Web or Application server and perform this test again.

So.. what exactly am I doing wrong? How can I fix that?

Thanks for any advice!

4

2 Answers

1

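Importing the intermediate certificates under other aliases will have no effect; you need to import the entire chain at once into the alias where the private key resides, as described in this answer.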

Answered 2013-07-30T00:03:04.003
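Added example, not part of either answer: a shell check for the keystore state the answer above describes, shown against a constructed `keytool -list -v` listing, followed by the single-file chain import. The function names, `chain.pem` and the sample aliases and DNs are assumptions; the alias to import into is whichever one `chain_report` shows as `PrivateKeyEntry`.

```shell
# Constructed, abridged `keytool -list -v` output (aliases and DNs are made up)
# for a keystore built the way the question describes.
sample_listing() {
cat <<'EOF'
Alias name: 1
Entry type: PrivateKeyEntry
Certificate chain length: 1
Owner: CN=www.example.test
Issuer: CN=Example Secondary CA

Alias name: secondary
Entry type: trustedCertEntry
Owner: CN=Example Secondary CA
Issuer: CN=Example Primary CA

Alias name: primary
Entry type: trustedCertEntry
Owner: CN=Example Primary CA
Issuer: CN=Example Root CA
EOF
}

# stdin: `keytool -list -v` output. Prints alias, entry type and chain length
# (tab-separated, "-" when the entry has no chain), one line per entry.
chain_report() {
  awk -F': ' -v OFS='\t' '
    function emit() { if (alias != "") print alias, type, (len == "" ? "-" : len) }
    /^Alias name: /               { emit(); alias = $2; type = ""; len = "" }
    /^Entry type: /               { type = $2 }
    /^Certificate chain length: / { len = $2 }
    END { emit() }'
}

# Exit 0 when a key entry holds only its leaf certificate while CA certificates
# sit under separate trustedCertEntry aliases (the state the question describes).
chain_is_detached() {
  chain_report | awk -F'\t' '
    $2 == "PrivateKeyEntry" && $3 == 1 { bare = 1 }
    $2 == "trustedCertEntry"           { cas++ }
    END { exit !(bare && cas > 0) }'
}

# The answer's fix: leaf plus intermediates as ONE file, imported into the alias
# that holds the private key. chain.pem is an assumed name; inputs must be PEM.
import_chain() {  # import_chain <keystore> <key-alias> <leaf.crt> <ca.pem>...
  ks=$1; key_alias=$2; shift 2
  cat "$@" > chain.pem
  keytool -import -trustcacerts -alias "$key_alias" -file chain.pem -keystore "$ks"
}
```

Pipe `keytool -list -v -keystore keystore.jks` into `chain_report` before and after the import; the key entry's chain length should grow from 1 to the full chain.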
0

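Working with keystores is a bit tricky.

When you view your keystore by running "keytool -list -v -keystore [keystorename]" and see multiple certificate links, the intermediates you installed are most likely fine. The Thawte checker is slightly outdated, and the certificate chain it expects may differ from modern standards.

Depending on the version of keytool, it may not like the .pem extension on those files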

keytool -import -trustcacerts -alias secondaryIntermediate -keystore your_keystore_filename -file secondary_inter.cer

keytool -import -trustcacerts -alias primaryIntermediate -keystore your_keystore_filename -file primary_inter.cer

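If you work with keystores often, there is a GUI tool called portecle http://portecle.sourceforge.net/ that is free to download online and that you can use. It makes fixing and working with keystores much easier.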

Answered 2013-07-29T21:20:18.500