SSL Certificate Works in Monit - But Not in Keystore

@Gretchen104

Posted in: #Https #Java #SecurityCertificate

I have a situation where there's a keystore file with the various root/intermediate certificates stored in it in a way that it seems to work for most browsers.

Problem is that when mobile browsers hit it, there's a break in the chain and they complain.

I used an SSL checker at www.sslshopper.com/ssl-checker.html and it states that "The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate." So...the desktop browsers must have the intermediate certs already and can make the chain connections, I'm assuming, while the mobile browsers can't.

The thing is that I had used Portecle to export certificates from the keystore and cobble them together to create a .PEM certificate to run the Monit utility. When I check that application with the SSL checker, it works fine!

The person who originally created the keystore said he couldn't follow the SSL provider's directions for creating the keystore because he had created the CSR using openssl, so the cert and private key had to be converted to DER format and imported with importkey to get it to work; following the directions he found online, importkey seemed to use only a set keystore file as its output, and it would erase anything already in that file if it existed.

So is there a way to take the certificate I created for Monit and create a working keystore for the Tomcat website?

What would be causing the chain to be broken in the current keystore, but work for Monit?

I have the SSL cert provider's intermediate and cross certificates, and the website's certificate, but what else would I need to create a working chain of certs for a keystore?


@Cofer257

I'm not sure how it works with Monit, but I'll assume what you've done is creating a concatenation of PEM structures to build your certificate chain, like so:

-----BEGIN CERTIFICATE-----
MIICajCCAdOgAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVSzEa
....
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICkjCCAfugAwIBAgIJAKm5bDEMxZd7MA0GCSqGSIb3DQEBBQUAMDsxCzAJBgNV
....
-----END CERTIFICATE-----


You can use keytool to re-import the whole chain against your alias (rather than just the certificate), which should help the server send the correct chain:

keytool -importcert -keystore store.jks -alias myalias -file bundle.pem


(There are more details in this answer: the question was about client certificates from the client side, but the same commands will apply for your server cert from the server side.)
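As an added example (not part of the answer above or the post it links to): before running that keytool import, it is worth confirming that the concatenated PEM bundle actually links leaf to intermediate to cross/root, because a missing intermediate or a wrong block order in the bundle is exactly what shows up as the "break in the chain" on clients that don't go and fetch intermediates themselves. This stdlib-only Python checker reads each PEM block's issuer and subject straight out of the DER and reports where consecutive certificates stop linking; fake_cert() only builds constructed, unsigned stand-ins so it runs offline, and the bundle.pem name is the assumption carried over from the answer.

```python
import base64, re

# Minimal DER TLV reader: returns (tag, contents, total_size) for the element at `off`.
def der_tlv(buf, off=0):
    tag, length, hdr = buf[off], buf[off + 1], 2
    if length & 0x80:                       # long-form length: the next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        hdr += n
    return tag, buf[off + hdr:off + hdr + length], hdr + length

def der_children(contents):
    """Split a constructed value's contents into (tag, contents, raw_tlv) tuples."""
    out, off = [], 0
    while off < len(contents):
        tag, val, size = der_tlv(contents, off)
        out.append((tag, val, contents[off:off + size]))
        off += size
    return out

def cert_names(der_cert):
    """Return (issuer, subject) as raw DER Name bytes from one X.509 certificate."""
    fields = der_children(der_children(der_tlv(der_cert)[1])[0][1])  # tbsCertificate fields
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    return fields[2][2], fields[4][2]       # serial, signature, issuer, validity, subject, ...

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def chain_breaks(bundle_text):
    """Indexes i where cert i's issuer != cert i+1's subject, i.e. where the bundle stops linking."""
    names = [cert_names(base64.b64decode(m.group(1))) for m in PEM_RE.finditer(bundle_text)]
    return [i for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]

# --- Constructed test data: unsigned stand-ins carrying only the fields cert_names() reads ---
def _der(tag, body):
    assert len(body) < 128, "short-form length only; enough for these small values"
    return bytes([tag, len(body)]) + body

def fake_cert(subject, issuer):
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")   # version, serial, sigalg
           + name(issuer) + _der(0x30, b"") + name(subject))                          # issuer, validity, subject
    b64 = base64.encodebytes(_der(0x30, _der(0x30, tbs))).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

if __name__ == "__main__":   # for real use, pass open("bundle.pem").read() to chain_breaks() instead
    leaf = fake_cert("www.example.com", "Example Intermediate CA")
    inter = fake_cert("Example Intermediate CA", "Example Root CA")
    print("leaf+intermediate:", chain_breaks(leaf + inter), " reversed:", chain_breaks(inter + leaf))
```

An empty result means the block order is what keytool -importcert expects (leaf first); a non-empty list names the block after which the chain stops linking, which is where a certificate is missing or out of place. The comparison is byte-exact on the DER Name, which is what the chain building in most TLS stacks effectively relies on in practice.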
