Assuming this is tomcat with JSSE since tomcat with APR would use the PEM files:
- you don't actually need the (own) root cert for JSSE server including tomcat. A server "MAY" omit the root, if it sends any other chain certs, and tomcat can.
- if you specify -chain to pkcs12 -export, that does require full chain through root. Some people consider it better practice to send the root, even though not required.

Did this cert come from a public CA, a private one, or self-created with openssl? If filename "myCA.crt" means "CA I created" not "CA I used", it's the last. Pretty much all public CAs nowadays use at least one chain cert, sometimes more. Private may not, and self-created usually doesn't (because it's more work). If your cert needs chain cert(s) and you don't have them, get them from the CA.

What kind of cert (or certs) exactly is in myCA.crt? If it isn't labelled and you don't know, post it so we can look, but not if it also contains a private key - which a file named "crt" should not, but people make mistakes.

Was your error "Error unable to get local issuer certificate getting chain"?

You can get chain and root certs into pkcs12 -export three ways:
- concatenate them to the input file (-in or stdin) after the EE cert
- specify them with -certfile (concatenate if more than one)
- have them in the truststore specified by -CAfile and/or -CApath or defaulted and specify -chain. The default truststore location varies; openssl version -d will say where it is for your build, but it's easy(er?) to just specify the location(s) you want.

The first two ways work for a partial chain, the third must be complete. Using -CApath in particular is more complicated and you don't need to, so stick with the simpler ways.

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Davidson, Brian C.
Sent: Monday, November 25, 2013 12:58
To: openssl-users@openssl.org
Subject: Problems converting to .p12 from Apache format

I am trying to help a client convert his SSL certificate to a .p12 format so it can be installed in a Java keystore on a server running Apache. Based on the various error messages I am getting, I think that the root certificate needs to be a part of the conversion command (sample shown below):

    openssl pkcs12 -export -in mycert.crt -inkey mykey.key \
        -out mycert.p12 -name tomcat -CAfile myCA.crt \
        -caname root -chain

If I am right, I need to get a copy of the root certificate and put it in the proper directory for OpenSSL to access. My problem is I am running Cygwin on a Windows machine and I have no idea where the root certificate should be stored. I tried changing the directory in my script to be where the other pieces are located (via my Desktop) but OpenSSL didn't like the directory change. I am very green on this process in particular, so any help would be greatly appreciated. Thanks.
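As an added example, not from either message in this thread: the -certfile route the reply recommends, exercised end to end against a throwaway three-tier PKI built with openssl. The CN values, the "tomcat" alias and the password "changeit" are constructed for the demo; the final count of certificates in the .p12 is the quickest check that the chain actually made it in, which is what the -chain/-CAfile error was really about.

```shell
# Added example (not the thread's own commands): build root -> intermediate ->
# server certs with openssl, then export server cert + key + chain to PKCS#12
# using -certfile, so no truststore (-CAfile/-CApath) lookup is involved.
set -eu

make_test_pki() {   # $1 = work dir; all names below are constructed
  d=$1
  # Self-signed root CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.crt" >/dev/null 2>&1
  # Intermediate CA signed by the root (must carry CA:TRUE to issue certs)
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Issuing CA" \
    -keyout "$d/int.key" -out "$d/int.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/int.crt" >/dev/null 2>&1
  # End-entity (server) cert signed by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$d/ee.key" -out "$d/ee.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/ee.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 1 -out "$d/ee.crt" >/dev/null 2>&1
}

# Second of the three ways in the reply: hand the chain certs to -certfile
# (intermediate first, then root). A partial chain is accepted here.
export_p12_certfile() {  # $1 = work dir
  d=$1
  cat "$d/int.crt" "$d/root.crt" > "$d/chain.pem"
  openssl pkcs12 -export -in "$d/ee.crt" -inkey "$d/ee.key" \
    -certfile "$d/chain.pem" -name tomcat -passout pass:changeit \
    -out "$d/tomcat.p12"
}

# Count certificates stored in the PKCS#12 (expect 3: EE + intermediate + root)
count_p12_certs() {  # $1 = path to .p12
  openssl pkcs12 -in "$1" -passin pass:changeit -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

demo_chain_in_p12() {
  d=$(mktemp -d)
  make_test_pki "$d"
  export_p12_certfile "$d"
  n=$(count_p12_certs "$d/tomcat.p12")
  rm -rf "$d"
  echo "$n"
}
```

Run `demo_chain_in_p12` to see the count; on a real deployment replace the generated files with your own EE cert, key and the chain certs obtained from the CA.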