
I have the exact problem reported in "Jarsigner: certificate chain not found for".

My starting point was a .pem file. My sense is that this does have the private key also. I used the following command to import this into a keystore:

keytool -importcert -alias myalias -file myfile.pem

For "Trust this certificate? [no]", if I choose "no" the import fails. So, I went with "yes". The import does succeed. My keytool -list produces output similar to the one listed in "Jarsigner: certificate chain not found for".

My sense is that I do have the right certificate but am not importing this correctly. In other words, I am suspecting that a 'trusted certificate entry' is being created instead of a 'key entry' but don't know how to force keytool to create a 'key entry'.

How can I solve this problem?

Additional Info:

After further work, I am leaning towards exactly the opposite conclusion than the one above. I now think that something is wrong with my pem file. I looked at a previous keystore entry with an expired key. It clearly states PrivateKeyEntry while my import states trustedCertEntry.

V Chandrasekhar

1 Answer

You can try to create a pkcs12 from your files that would contain the entire certificate chain. You'll need your public cert and the root CA cert. Command is like this:

openssl pkcs12 -export -inkey file.pem -in file.crt -out file.p12 \
-CAfile root-CA.pem -chain -name mykey

Once you have the entire file.p12 file, you can export the full cert to pem format:

openssl pkcs12 -in file.p12 -out new-cert.pem -nodes -clcerts

Or if you want to export to a Java keystore format that has the entire chain, the command is:

keytool -importkeystore -srcstoretype pkcs12 -srckeystore file.p12 \
-srcstorepass <password> -keystore keystore.jks
n2studio
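
A quick way to tell which of the two situations in the question applies, as an added example that is not part of the original question or answer: the script looks only at the PEM BEGIN labels to see whether a file holds a private key, and names the keystore entry type each import route yields. The function names (pem_kind, import_advice) and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). Classifies a PEM file by its
# BEGIN labels only; nothing is decoded or validated.

# pem_kind FILE -> key+chain | key+cert | key-only | cert-only | none
pem_kind() {
    [ -r "$1" ] || { echo "unreadable"; return 2; }
    # grep -c exits 1 on a zero count, so "|| true" keeps this safe under set -e.
    keys=$(grep -c -E '^-----BEGIN (RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----' "$1" || true)
    certs=$(grep -c -E '^-----BEGIN (TRUSTED |X509 )?CERTIFICATE-----' "$1" || true)
    if [ "$keys" -gt 0 ] && [ "$certs" -gt 1 ]; then echo "key+chain"
    elif [ "$keys" -gt 0 ] && [ "$certs" -eq 1 ]; then echo "key+cert"
    elif [ "$keys" -gt 0 ]; then echo "key-only"
    elif [ "$certs" -gt 0 ]; then echo "cert-only"
    else echo "none"
    fi
}

# import_advice FILE -> which keystore entry type the file can lead to
import_advice() {
    case "$(pem_kind "$1")" in
        key+chain|key+cert)
            echo "PrivateKeyEntry via openssl pkcs12 -export, then keytool -importkeystore" ;;
        cert-only)
            echo "trustedCertEntry only: no private key in this file" ;;
        key-only)
            echo "no certificate: obtain the matching certificate first" ;;
        *)
            echo "no PEM key or certificate blocks found" ;;
    esac
}

# Constructed sample files: the labels are real PEM labels, the bodies are placeholders.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' \
    > "$demo_dir/cert-only.pem"
{ printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' '-----END PRIVATE KEY-----'
  cat "$demo_dir/cert-only.pem"; } > "$demo_dir/key-and-cert.pem"

for f in "$demo_dir"/*.pem; do
    printf '%s: %s\n' "${f##*/}" "$(import_advice "$f")"
done
```

keytool -importcert reads only the certificate blocks of a PEM file, so even a file classified as key+cert ends up as a trustedCertEntry when imported that way.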