Java Forum


How to create a chain keystore from a CA tree (4 levels) ?

  Asked By: Daryl    Date: Jul 14    Category: Java    Views: 1757

We need to create a keystore from the following certificate tree:

Globalsign Root CA
..|_GlobalSign Primary Secure Server CA
....|_GlobalSign Secure Server CA

When I use the .cer files exported from Internet Explorer, I get 3 files that I named:

Then I use keytool with the following command lines to try to chain
those certs into a single keystore named MyCustomer:
<batch command line>
keytool -import -trustcacerts -alias GLOBALSIGN1 -file globalsign1.cer -keypass aBcDeF -keystore MyCustomer
keytool -import -trustcacerts -alias GLOBALSIGN2 -file globalsign2.cer -keypass aBcDeF -keystore MyCustomer
keytool -import -trustcacerts -alias GLOBALSIGN3 -file globalsign3.cer -keypass aBcDeF -keystore MyCustomer
keytool -import -trustcacerts -alias MyCustomer -file MyCustomerCompany.cer -keypass aBcDeF -keystore MyCustomer
</batch command line>

Then I try to use this keystore in a Java program (JDK 1.3.1) and all
works fine until I get the following error:
javax.net.ssl.SSLException: untrusted server cert chain
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-
at com.sun.net.ssl.internal.ssl.ClientHandshaker.a([DashoPro-
at com.sun.net.ssl.internal.ssl.Handshaker.process_record
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-
at com.sun.net.ssl.internal.ssl.AppOutputStream.write
at java.io.OutputStream.write(Unknown Source)
at sun.net.www.https.HttpsClient.doConnect
at sun.net.NetworkClient.openServer(Unknown Source)
at sun.net.www.http.HttpClient.openServer(Unknown Source)
at sun.net.www.http.HttpClient.<init>(Unknown Source)
at sun.net.www.http.HttpClient.<init>(Unknown Source)
at sun.net.www.https.HttpsClient.<init>(HttpsClient.java:230)
at sun.net.www.https.HttpsClient.New(HttpsClient.java:243)
at sun.net.www.protocol.https.HttpsURLConnection.connect
at sun.net.www.protocol.http.HttpURLConnection.getInputStream
(Unknown Source)
at java.net.HttpURLConnection.getResponseCode(Unknown Source)
at MyClassUrlSender.testConnection(MyClassUrlSender.java:346)
at MyClassOrdrspSender.start(MyClassOrdrspSender.java:156)
at MyClassOrdrspSender.main(MyClassOrdrspSender.java:85)



1 Answer Found

Answer #1    Answered By: Cheri Garcia     Answered On: Jul 14

For those interested in the answer (took me overnight to find :-) ... ):

let's say you have the following tree  :

Globalsign Root CA
..|_GlobalSign Primary Secure Server CA
....|_GlobalSign Secure Server CA

Then you must import all GlobalSign* certificates into cacerts and
MyCustomerCompany into a keystore.

Then in your code, you just specify the keystore for the SSL
implementation, since Java will automatically validate the higher levels
from the cacerts file (which you can find in the "%jre_home%
\lib\security\" folder).
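As an added example that is not part of the question or the answer above, the following program shows the approach in current Java (javax.net.ssl rather than the com.sun.net.ssl classes of JDK 1.3.1). Instead of editing the JRE's cacerts, it puts the whole chain (root, both intermediates, and the customer certificate) into one dedicated trust store and hands that store to a TrustManagerFactory; before connecting, it walks the store and reports any certificate whose issuer is absent, which is the condition behind "untrusted server cert chain". The file names MyCustomer.p12, globalsign1.cer to globalsign3.cer, MyCustomerCompany.cer, the password changeit and the URL are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/*
 * Example code, not from the original post. Build the trust store first
 * (hypothetical file names; modern keytool syntax):
 *
 *   keytool -importcert -trustcacerts -noprompt -alias globalsign-root \
 *     -file globalsign1.cer -keystore MyCustomer.p12 -storetype PKCS12 -storepass changeit
 *   keytool -importcert -trustcacerts -noprompt -alias globalsign-primary \
 *     -file globalsign2.cer -keystore MyCustomer.p12 -storetype PKCS12 -storepass changeit
 *   keytool -importcert -trustcacerts -noprompt -alias globalsign-issuing \
 *     -file globalsign3.cer -keystore MyCustomer.p12 -storetype PKCS12 -storepass changeit
 *   keytool -importcert -noprompt -alias mycustomer \
 *     -file MyCustomerCompany.cer -keystore MyCustomer.p12 -storetype PKCS12 -storepass changeit
 *
 * Note -storepass rather than -keypass: trusted-certificate entries carry no
 * private key, so -keypass has nothing to protect.
 */
public class ChainTrustStoreExample {

    // Load the PKCS12 trust store from disk.
    static KeyStore loadTrustStore(String path, char[] storePass) throws Exception {
        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ts.load(in, storePass);
        }
        return ts;
    }

    // Returns the subject names of certificates whose issuer is not in the
    // store (or is present under the right name but with a key that does not
    // verify the signature). A non-empty result means path building will fail.
    static List<String> missingIssuers(KeyStore ts) throws Exception {
        List<X509Certificate> certs = new ArrayList<>();
        for (String alias : Collections.list(ts.aliases())) {
            Certificate c = ts.getCertificate(alias);
            if (c instanceof X509Certificate) certs.add((X509Certificate) c);
        }
        List<String> missing = new ArrayList<>();
        for (X509Certificate c : certs) {
            // A self-signed root is its own anchor; nothing above it to find.
            if (c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) continue;
            boolean found = false;
            for (X509Certificate candidate : certs) {
                if (!candidate.getSubjectX500Principal().equals(c.getIssuerX500Principal())) continue;
                try {
                    c.verify(candidate.getPublicKey()); // name matches and signature checks out
                    found = true;
                    break;
                } catch (Exception e) {
                    // same subject name, wrong key: keep looking
                }
            }
            if (!found) missing.add(c.getSubjectX500Principal().getName());
        }
        return missing;
    }

    // Build an SSLContext that trusts only what the given store contains.
    static SSLContext contextFor(KeyStore ts) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String storePath = args.length > 0 ? args[0] : "MyCustomer.p12";   // assumed name
        String url = args.length > 1 ? args[1] : "https://example.invalid/"; // placeholder
        char[] pass = "changeit".toCharArray();                             // assumed password

        KeyStore ts = loadTrustStore(storePath, pass);
        List<String> gaps = missingIssuers(ts);
        if (!gaps.isEmpty()) {
            System.err.println("Trust store is missing the issuer of: " + gaps);
            System.exit(1);
        }

        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(contextFor(ts).getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

The handshake fails with "untrusted server cert chain" whenever the trust manager cannot build a path from the chain the server sends up to a certificate in the trust store, so if the server sends only its own certificate, every intermediate must be present as well as the root. Importing the CA certificates into cacerts, as the answer describes, satisfies that for every application on the JRE; a dedicated trust store as above limits the added trust to this one program, which is usually what you want for a customer-specific chain.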
