Got this working and thank you.  Got some help from people smarter than
I, and here are the steps we took to create the keystore needed to make
this setup work. If anyone finds this thread and wants to know how it
was fixed, here are the steps we used:

1. Convert the certificate to a pkcs12 format using openssl:

openssl pkcs12 -export -in example.crt -inkey example.key -out keystore.pkcs12

2. Make sure that you have the Java Development Kit installed on the box

java -version

3. Download the Jetty tool from the following web site:

http://jetty.mortbay.org/

  3a. Unzip it to your working folder.

  3b. Run the following command to convert the pkcs12 file to a JKS format:

java -classpath jetty-6.1.3/lib/jetty-6.1.3.jar org.mortbay.jetty.security.PKCS12Import keystore.pkcs12 keystore.jks
Enter input keystore passphrase: CantGuess
Enter output keystore passphrase: CantGuess
Alias 0: 1
Adding key for alias 1

4. Validate that you can read the jks file:

keytool -list -v -keystore keystore.jks

Done.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson
Sent: Friday, January 11, 2008 4:13 PM
To: openssl-users@openssl.org
Subject: Re: Create a p12 file with a Verisign Certificate and an
Verisign Intermediate Certificate

On Fri, Jan 11, 2008, Meurer, Jerry L. (STL) wrote:

> I'm getting an error attempting to create a p12 file using OpenSSL.  I
> can't seem to find anything that will lead me to a resolution.  The
> error I'm getting is:
> "unable to get local issuer certificate getting chain"
> 
> My setup is on a Windows server using Tomcat, with Apache. Apache
> listening on 80, and redirects to 8080 where the application lives.
> 
> What I did [hope this is not too detailed]:
> - 2 years ago we purchased and downloaded an SSL cert from Verisign
> and named it server.crt,
> - Downloaded the Intermediate cert (chain).
> - Created an additional single file with the Intermediate cert, then
> the SSL cert below that text (concatenated the files with the
> intermediate on top), saved it as separate file called cachain.crt.
> - Ran the command:
> openssl pkcs12 -export -in server.crt -inkey server.key -out
> server.p12 -name tomcat -Cafile cachain.crt -caname root -chain
> - This gave me the server.p12 file that is being used right now.  This
> expires in 12 days :(
> 
> Now:
> - I gave our midrange team (who have the account with Verisign) a copy
> of the server.key file from my web server (from last year), they
> created a cert.csr file, sent it to Verisign
> - Sent me back a zip file that contained a cert.arm file (not familiar
> with an ARM file, but the text within is the certificate) cert.csr,
> and the server.key file
> - I downloaded a new Intermediate CA (Managed PKI Standard SSL
> Intermediate CA.txt) and created a file called cachain.crt
> (concatenated the files with the intermediate on top and the
> certificate below).
> 
> Issue:
> - I've been attempting to create a server.p12 file using my notes from
> last year.  Installed OpenSSL under c:\openssl
> 
> - Copied all of the files to c:\openssl\bin
> 
> Issue the command:
> C:\OpenSSL\bin>openssl pkcs12 -export -in cert.crt -inkey server.key
> -out server.p12 -name tomcat -CAfile cachain2.crt -caname root -chain
> Loading 'screen' into random state - done
> Error unable to get local issuer certificate getting chain.
> 
> Viewed all of the files using Textpad to ensure Notepad didn't add any
> funky characters, and also reproduced the same error on my second PC.
> 
> A tip from another mail archive led me to run the following, and I'm
> not sure if the problem is here?
> 
> Current "arm" file, and intermediate chain:
> openssl x509 -in cert.arm -issuer -noout
> issuer= /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
> 
> openssl x509 -in chain.crt -issuer -noout
> issuer= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
> 
> Here's what it shows on the production files that are working fine
> (but due to expire soon).
> Old crt file and chain (that is in production now)
> C:\OpenSSL\GnuWin32\bin>openssl x509 -in chain_old.crt -issuer -noout
> issuer= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
> 
> openssl x509 -in cert_old.crt -issuer -noout
> issuer= /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
> 
> There is also the possibility that there is something wrong with the
> cert, but I just don't know.  My midrange friends are on vacation for
> a while, so I'm on my own.  Please help if you can.
> Thank you.
> 

I suspect there were two certificates in the chain before and now there
are three or the previous intermediate file included all CA certificates
and now only includes the intermediate and not the root.

See how many certificates are in the two chain.crt files?

Then do:

openssl x509 -subject -issuer -in chain.crt

on each. The solution I suspect is to append the root CA file to the
chain.crt file. This is probably the file certs/vsign3.pem in the
OpenSSL distribution.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
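Steve's advice above is to count the certificates in each chain file and compare their subject and issuer names; the steps at the top of the thread then package the result with `openssl pkcs12 -export`. The script below is an added example, not code from this thread or from the OpenSSL project. It builds a constructed three-level test chain (root, intermediate, leaf; all names are made up), splits a PEM bundle so every certificate can be inspected (`openssl x509` by itself only ever reads the first one), reports whether the bundle reaches a self-signed root, and reproduces the `pkcs12 -export -chain` failure Jerry saw when the root is missing. It assumes `openssl`, `awk` and `mktemp` are on the PATH; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes openssl, awk and mktemp on PATH.
# Builds a constructed test chain (root -> intermediate -> leaf, made-up names),
# then runs the inspection Steve suggests and the pkcs12 -chain export Jerry ran.

# count_certs FILE: number of PEM certificates in a bundle.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# each_cert FILE: one line "N|subject|issuer" per certificate in the bundle.
# The bundle is split first because `openssl x509` only reads the first block.
each_cert() {
    tmp=$(mktemp -d) || return 1
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
    i=1
    while [ -f "$tmp/$i.pem" ]; do
        subj=$(openssl x509 -in "$tmp/$i.pem" -noout -subject | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer | sed 's/^issuer= *//')
        printf '%s|%s|%s\n' "$i" "$subj" "$iss"
        i=$((i + 1))
    done
    rm -rf "$tmp"
}

# chain_status FILE: "complete" when each issuer is the next subject and the
# last certificate is self-signed (a root); "incomplete" when the bundle stops
# before a root (the situation behind "unable to get local issuer certificate");
# "broken" when a link does not match.
chain_status() {
    status=complete expect="" self=0
    while IFS='|' read -r idx subj iss; do
        if [ -n "$expect" ] && [ "$subj" != "$expect" ]; then status=broken; fi
        expect=$iss
        if [ "$subj" = "$iss" ]; then self=1; else self=0; fi
    done <<EOF
$(each_cert "$1")
EOF
    if [ "$status" = complete ] && [ "$self" -eq 0 ]; then status=incomplete; fi
    echo "$status"
}

# pkcs12_export_result LEAF KEY CHAIN OUT: "ok" or "fail" for the same command
# shape used in the thread; -chain needs every issuer up to a root in -CAfile.
pkcs12_export_result() {
    if openssl pkcs12 -export -in "$1" -inkey "$2" -out "$4" -name tomcat \
            -chain -CAfile "$3" -caname root -passout pass:constructed 2>/dev/null; then
        echo ok
    else
        echo fail
    fi
}

# make_test_chain DIR: constructed root, intermediate and leaf, 30-day validity.
make_test_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=Test Root CA' \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    printf 'basicConstraints=CA:TRUE\n' > "$d/ca.ext"
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate CA' \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=www.example.test' \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -days 30 -out "$d/leaf.crt" 2>/dev/null
}

# --- demo: a bundle with the root, one without it, and one with the wrong CA ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_test_chain "$demo_dir"
cat "$demo_dir/int.crt" "$demo_dir/root.crt" > "$demo_dir/chain_full.crt"
cp "$demo_dir/int.crt" "$demo_dir/chain_partial.crt"
cat "$demo_dir/leaf.crt" "$demo_dir/root.crt" > "$demo_dir/chain_broken.crt"
for f in chain_partial.crt chain_full.crt chain_broken.crt; do
    echo "== $f: $(count_certs "$demo_dir/$f") certificate(s), chain $(chain_status "$demo_dir/$f")"
    each_cert "$demo_dir/$f"
    echo "   pkcs12 -export -chain: $(pkcs12_export_result "$demo_dir/leaf.crt" \
        "$demo_dir/leaf.key" "$demo_dir/$f" "$demo_dir/out.p12")"
done
```

Two points worth keeping in mind when reading the thread's commands against this script. First, the bare `openssl pkcs12 -export -in example.crt -inkey example.key` in step 1 at the top of the thread packages only the certificates present in the `-in` file, so a keystore built that way carries no intermediate unless the intermediate is either concatenated into that file, passed with `-certfile`, or pulled in with `-chain -CAfile` as in Jerry's command. Second, `-chain` performs a real path validation, which is why the error appears as soon as the bundle given to `-CAfile` stops short of a self-signed root; appending the root, as Steve suggests, is what turns the "incomplete" case above into "complete".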

******* Confidentiality Notice *******
This email, its electronic document attachments, and the contents of its 
website linkages may contain confidential health information.  This information 
is intended solely for use by the individual or entity to whom it is addressed. 
 If you have received this information in error, please notify the sender 
immediately and arrange for the prompt destruction of the material and any 
accompanying attachments.
