
My company has its own ROOT certificate. Using this certificate, they signed an intermediate certificate.

Then we issued a CSR for the server certificate and signed it with the intermediate certificate.

What is the correct way to import the ROOT certificate and the intermediate into the Java cacerts file, in order to be able to establish an SSL connection with the server whose server certificate is signed by the intermediate?

I used OpenSSL to test the certificate chain on the server:

```
openssl s_client -showcerts -connect host:443
```

```
CONNECTED(00000003)
depth=0 C = COUNTRYCODE, ST = myCountry, O = myOrganization, CN = myServer, emailAddress = myMail
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = COUNTRYCODE, ST = myCountry, O = myOrganization, CN = myServer, emailAddress = myMail
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = COUNTRYCODE, ST = myCountry, O = myOrganization, CN = myServer, emailAddress = myMail
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=COUNTRYCODE/ST=myCountry/O=myOrganization/CN=myServer/emailAddress=myMail
   i:/CN=INTERMEDIATECERT
-----BEGIN CERTIFICATE-----
MIIFr...
-----END CERTIFICATE-----
---
Server certificate
subject=/C=COUNTRYCODE/ST=myCountry/O=myOrganization/CN=myServer/emailAddress=myMail
issuer=/CN=INTERMEDIATECERT
---
No client certificate CA names sent
---
SSL handshake has read 1601 bytes and written 589 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
```
GregD
dplesa

1 Answer

You only need to import the root certificate into the truststore.

```
keytool -import -trustcacerts -keystore path/to/cacerts -storepass changeit -alias aliasName -file path/to/certificate.cer
```

The SSL server, during the handshake, should provide the certificate and the intermediates. The TrustManager of your client will validate the certification chain until the root is found.

Note: It is recommended to use your own truststore instead of modifying cacerts.

pedrofb
  • Thank you. What I don't understand now is why Java 1.6 can build the certificate chain, but Java 1.7/1.8 can't. Furthermore, Java 1.6 can establish the SSL connection only if the intermediate certificate is imported into the cacerts file. – dplesa Feb 07 '17 at 12:27
  • I have asked this question regarding different Java versions and SSL handshake failures here: http://stackoverflow.com/questions/42008228/sun-security-validator-validatorexception-pkix-path-building-failed-with-java – dplesa Feb 07 '17 at 12:42
  • _unable to find valid certification path to requested target_ means the TrustManager of the SSL connection has not found a trusted certificate in the configured truststore for the certificate sent by the server. I think there has not been any fundamental change about trust validation between 1.6 and 1.7. The recommended way to set the truststore is what I have answered. – pedrofb Feb 07 '17 at 13:03
  • I guess the linked question could be due to a misconfiguration on the server side. Could you test your server with ssllabs.com to check if the certification chain is properly configured? The server should provide the full certification chain. If the chain is incomplete, there might be some small validation difference between versions. – pedrofb Feb 07 '17 at 13:04
  • Unfortunately, I can't test the server with ssllabs, but I have used openssl s_client -showcerts -connect. I added this additional info to the question. – dplesa Feb 07 '17 at 13:17
  • With the trace I cannot tell if the certification chain is fine. If you are not sure, you can include the leaf certificate in the truststore instead of the root certificate. Then the TrustManager will find it and won't verify the chain. – pedrofb Feb 07 '17 at 13:48
  • Yes, if I add the leaf (server) certificate to the chain, then the SSL connection can be established. – dplesa Feb 07 '17 at 13:52
  • Furthermore, if I try to establish the SSL connection with OpenSSL and provide a root certificate, I get the message `Verify return code: 21 (unable to verify the first certificate)`, so that should be a misconfiguration on the server side, as you said. Thank you. – dplesa Feb 07 '17 at 14:16
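An added example (not code from the question or the answer) of the client-side check the answer describes: a PKIX TrustManager built from a truststore that holds only the root CA is asked to validate the chain once as a correctly configured server would send it (leaf plus intermediate) and once as the openssl trace above shows it (leaf only). The file names, the truststore password and the RSA key type passed as authType are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class RootOnlyTrust {

    // Build the PKIX TrustManager from a truststore that contains ONLY the company root CA.
    static X509TrustManager trustManagerFrom(String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        return (X509TrustManager) tmf.getTrustManagers()[0]; // default algorithm is PKIX
    }

    static X509Certificate readPem(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // True if the TrustManager can build a path from the presented chain to a trusted root.
    static boolean chainTrusted(X509TrustManager tm, X509Certificate... presented) {
        try {
            tm.checkServerTrusted(presented, "RSA"); // authType assumed: the server uses an RSA key
            return true;
        } catch (CertificateException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical file names: a JKS holding just the root, plus the two PEM certificates.
        X509TrustManager tm = trustManagerFrom("root-only-truststore.jks", "changeit".toCharArray());
        X509Certificate leaf = readPem("server.pem");
        X509Certificate intermediate = readPem("intermediate.pem");
        // What a correctly configured server sends: leaf first, then the intermediate -> trusted.
        System.out.println("leaf + intermediate: " + chainTrusted(tm, leaf, intermediate));
        // What the openssl trace above shows the server sending: only the leaf -> no path to the root.
        System.out.println("leaf only:           " + chainTrusted(tm, leaf));
    }
}
```

The second call fails with the same "unable to find valid certification path" error discussed in the comments, which is the client-side symptom of a server that omits the intermediate; fixing the server's chain is the remedy, not adding the leaf to the truststore.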