Hi, If I may toot my horn....
If you use "not-yet-commons-ssl.jar" from http://juliusdavies.ca/commons-ssl/ you can skip step #1. It will convert to a Java keystore directly from the OpenSSL files. It password-protects the keystore with the same password as the private key.

Assumptions for the example below:

1. The password to decrypt the private key is "changeit" and the private key is in "example.key".
2. The server chain (can be a single self-signed cert) is in "server.crt".

-------------------
$ java -cp not-yet-commons-ssl-0.3.9.jar org.apache.commons.ssl.KeyStoreBuilder changeit example.key server.crt
Successfuly wrote: [demo_certificate.jks]

It extracts the CN and uses that to name the "jks" file. If we then analyze the results using the "org.apache.commons.ssl.KeyMaterial" utility, we can see that "CN=demo_certificate," among other interesting facts.

$ java -cp not-yet-commons-ssl-0.3.9.jar org.apache.commons.ssl.KeyMaterial changeit demo_certificate.jks
Alias: demo_certificate
demo_certificate
Valid: 2006/Nov/05 - 2007/Nov/05
s: [EMAIL PROTECTED], CN=demo_certificate, OU=commons_ssl, O=www.cucbc.com, L=Vancouver, ST=BC, C=CA
i: [EMAIL PROTECTED], CN=demo_intermediate_ca, OU=commons_ssl, O=www.cucbc.com, L=Vancouver, ST=BC, C=CA

yours,

Julius

On Jan 17, 2008 2:25 PM, Meurer, Jerry L. (EHQ) <[EMAIL PROTECTED]> wrote:
> Got this working and thank you. Got some help from people smarter than
> I, and here are the steps we took to create the keystore needed to make
> this setup work. If anyone finds this thread and wants to know how it
> was fixed, here are the steps we used:
>
> 1. Convert the certificate to a pkcs12 format using openssl:
>
> openssl pkcs12 -export -in example.crt -inkey example.key -out keystore.pkcs12
>
> 2. Make sure that you have the Java Development Kit installed on the box:
>
> java -version
>
> 3. Download the Jetty tool from the following web site:
>
> http://jetty.mortbay.org/
>
> 3a. Unzip it to your working folder.
>
> 3b. Run the following command to convert the pkcs12 file to a JKS
> format:
>
> java -classpath jetty-6.1.3/lib/jetty-6.1.3.jar org.mortbay.jetty.security.PKCS12Import keystore.pkcs12 keystore.jks
> Enter input keystore passphrase: CantGuess
> Enter output keystore passphrase: CantGuess
> Alias 0: 1
> Adding key for alias 1
>
> 4. Validate that you can read the jks file:
>
> keytool -list -v -keystore keystore.jks
>
> Done.
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson
> Sent: Friday, January 11, 2008 4:13 PM
> To: openssl-users@openssl.org
> Subject: Re: Create a p12 file with a Verisign Certificate and an
> Verisign Intermediate Certificate
>
> On Fri, Jan 11, 2008, Meurer, Jerry L. (STL) wrote:
> > I'm getting an error attempting to create a p12 file using OpenSSL. I
> > can't seem to find anything that will lead me to a resolution. The
> > error I'm getting is:
> > "unable to get local issuer certificate getting chain"
> >
> > My setup is on a Windows server using Tomcat, with Apache. Apache
> > listening on 80, and redirects to 8080 where the application lives.
> >
> > What I did [hope this is not too detailed]:
> > - 2 years ago we purchased and downloaded an SSL cert from Verisign
> > and named it server.crt,
> > - Downloaded the Intermediate cert (chain).
> > - Created an additional single file with the Intermediate cert, then
> > the SSL cert below that text (concatenated the files with the
> > intermediate on top), saved it as a separate file called cachain.crt.
> > - Ran the command:
> > openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name tomcat -Cafile cachain.crt -caname root -chain
> > - This gave me the server.p12 file that is being used right now.
> > This expires in 12 days :(
> >
> > Now:
> > - I gave our midrange team (who have the account with Verisign) a copy
> > of the server.key file from my web server (from last year), they
> > created a cert.csr file, sent it to Verisign
> > - Sent me back a zip file that contained a cert.arm file (not familiar
> > with an ARM file, but the text within is the certificate), cert.csr,
> > and the server.key file
> > - I downloaded a new Intermediate CA (Managed PKI Standard SSL
> > Intermediate CA.txt) and created a file called cachain.crt
> > (concatenated the files with the intermediate on top and the
> > certificate below).
> >
> > Issue:
> > - I've been attempting to create a server.p12 file using my notes from
> > last year. Installed OpenSSL under c:\openssl
> >
> > - Copied all of the files to c:\openssl\bin
> >
> > Issue the command:
> > C:\OpenSSL\bin>openssl pkcs12 -export -in cert.crt -inkey server.key -out server.p12 -name tomcat -CAfile cachain2.crt -caname root -chain
> > Loading 'screen' into random state - done
> > Error unable to get local issuer certificate getting chain.
> >
> > Viewed all of the files using Textpad to ensure Notepad didn't add any
> > funky characters, and also reproduced the same error on my second PC.
> >
> > A tip from another mail archive led me to run the following, and I'm
> > not sure if the problem is here?
> >
> > Current "arm" file, and intermediate chain:
> > openssl x509 -in cert.arm -issuer -noout
> > issuer= /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
> >
> > openssl x509 -in chain.crt -issuer -noout
> > issuer= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
> >
> > Here's what it shows on the production files that are working fine
> > (but due to expire soon).
> > Old crt file and chain (that is in production now)
> > C:\OpenSSL\GnuWin32\bin>openssl x509 -in chain_old.crt -issuer -noout
> > issuer= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
> >
> > openssl x509 -in cert_old.crt -issuer -noout
> > issuer= /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
> >
> > There is also the possibility that there is something wrong with the
> > cert, but I just don't know. My midrange friends are on vacation for
> > a while, so I'm on my own. Please help if you can.
> > Thank you.
> >
>
> I suspect there were two certificates in the chain before and now there
> are three, or the previous intermediate file included all CA certificates
> and now only includes the intermediate and not the root.
>
> See how many certificates are in the two chain.crt files?
>
> Then do:
>
> openssl x509 -subject -issuer -in chain.crt
>
> on each. The solution I suspect is to append the root CA file to the
> chain.crt file. This is probably the file certs/vsign3.pem in the
> OpenSSL distribution.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Homepage: http://www.drh-consultancy.demon.co.uk
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager [EMAIL PROTECTED]
>
--
yours,

Julius Davies
250-592-2284 (Home)
250-893-4579 (Mobile)
http://juliusdavies.ca/
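Steve's diagnosis (count the certificates in chain.crt, print each one's subject and issuer, and append the root CA if the bundle stops at the intermediate) scripted as a POSIX sh check. This is an added example, not code from the thread or from commons-ssl; it assumes the `openssl` command-line tool is on PATH and that the bundle is ordered leaf first with each certificate followed by its issuer.

```shell
#!/bin/sh
# Added example (not from the thread). check_chain BUNDLE.pem splits a PEM
# bundle into its certificates, prints each subject/issuer pair, and checks
# that every certificate is issued by the next one and that the bundle ends
# in a self-signed root. Exit status 0 = complete chain, 1 = broken chain
# or missing root (the situation behind "unable to get local issuer
# certificate getting chain"). Assumes openssl is on PATH.
check_chain() {
    bundle="$1"
    dir=$(mktemp -d)
    # Split into cert-1.pem, cert-2.pem, ... in file order; any text before
    # the first BEGIN line (e.g. a vendor preamble) is skipped.
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n > 0 { print > (d "/cert-" n ".pem") }' "$bundle"
    count=$(ls "$dir" | wc -l | tr -d ' ')
    echo "$count certificate(s) in $bundle"
    if [ "$count" -eq 0 ]; then rm -rf "$dir"; return 1; fi
    expect=""   # issuer DN that the next certificate's subject must match
    i=1
    while [ "$i" -le "$count" ]; do
        f="$dir/cert-$i.pem"
        subj=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
        echo "  [$i] subject: $subj"
        echo "      issuer:  $iss"
        if [ -n "$expect" ] && [ "$subj" != "$expect" ]; then
            echo "  chain break: certificate $i is not the issuer of certificate $((i - 1))"
            rm -rf "$dir"; return 1
        fi
        expect="$iss"
        i=$((i + 1))
    done
    rm -rf "$dir"
    # A complete chain ends in a certificate that issued itself.
    if [ "$subj" = "$iss" ]; then
        echo "  last certificate is self-signed: chain is complete"
        return 0
    fi
    echo "  last certificate is not self-signed: append the root CA to $bundle"
    return 1
}
```

Run it as `check_chain cachain.crt`; a single self-signed certificate (the case Julius mentions) also passes.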