openssl - Adding intermediate certificates to a pkcs12 file


I have a certificate that has the following chain of certification: Entrust -> my CA -> my issuing CA -> my JBoss certificate. Now, if I install the certificate on the JBoss instance, the page running on that instance appears untrusted because the issuing CA is not recognized by the browser. I know the computer has the public key of the Entrust signing authority. How can I install the certificate so that the browser can see the entire certificate chain?

I made a single .pem file of all of the certificates, thinking that would work. It did not. Can anyone explain what I am doing wrong, or whether this is possible at all?


Here's how I do it on my web and mail servers.

First, www-example-com.crt is my web server cert signed by StartCom. StartCom offers free Class 1 certificates that are trusted by browsers and mobile devices, so I use them. The certificate is in PEM format (----- BEGIN CERT ----- and ----- END CERT -----).

Second, open www-example-com.crt and append StartCom's Class 1 intermediate. The intermediate comes from StartCom's index of /certs. www-example-com.crt now has 2 PEM encoded certs in it.

Third, perform the following to create the PKCS12/PFX file for use in IIS.

openssl pkcs12 -export -in www-example-com.crt -inkey www.example.key -out www-example-com.p12

In your case, www-example-com.crt should have at least 3 PEM encoded certificates in it:

----- BEGIN CERT -----
< JBoss certificate >
----- END CERT -----
----- BEGIN CERT -----
< issuing CA >
----- END CERT -----
----- BEGIN CERT -----
< CA >
----- END CERT -----

The third cert in the chain - my CA - is optional. You don't need it if your clients use my CA as the trust anchor. If your clients use Entrust as the trust anchor, then you need to include it.

If you cat www-example-com.crt and it does not have multiple certificates, do not continue. Don't perform openssl pkcs12 until the server cert file has the intermediate certificates required to verify the chain.

Do not include the Entrust CA certificate.


I doubt Entrust signs your CA directly. They use an intermediate, too. So your cert chain should look like:

----- BEGIN CERT -----
< JBoss certificate >
----- END CERT -----
----- BEGIN CERT -----
< issuing CA >
----- END CERT -----
----- BEGIN CERT -----
< CA >
----- END CERT -----
----- BEGIN CERT -----
< Entrust intermediate >
----- END CERT -----

Entrust provides its CA and intermediate certificates at Entrust Root Certificates. I can't tell you which one you need because you won't provide the URL or show the chain you have. I'm guessing it's going to be one or more of:

  • Entrust L1E Chain Certificate
  • Entrust L1C Chain Certificate
  • Entrust L1E Chain Certificate (SHA2)
  • Entrust L1C Chain Certificate (SHA2)

You can test the chain with OpenSSL's s_client. This time, use Entrust's certificate:

echo -e "GET / HTTP/1.0\r\n" | openssl s_client -connect myserver:8443 \
    -CAfile entrust-ca.pem

You can get entrust-ca.pem from Entrust Root Certificates. Run it and tell us what errors you get. Or better, post the URL of the server so we can see what's going on.
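The procedure above, as an added shell helper that is not part of the answer or of OpenSSL: it assembles the PEM bundle leaf-first in the order the answer gives, automates the "cat and check" step by counting PEM blocks, and refuses to run openssl pkcs12 -export until the bundle holds the intermediates. The file names (server.crt, issuing-ca.crt, my-ca.crt, server.key) are assumptions.

```shell
#!/bin/sh
# Added example (not from the answer above): build the PEM chain leaf-first,
# check that it really holds more than one certificate, then export PKCS#12.
# File names (server.crt, issuing-ca.crt, my-ca.crt, server.key) are assumed.
set -eu

PEM_BEGIN='-----BEGIN CERTIFICATE-----'

# Number of PEM certificate blocks in a file (0 if none or unreadable).
count_pem_certs() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c -e "$PEM_BEGIN" "$1" || true
}

# build_chain OUT LEAF SIGNER... : concatenate the leaf first, then each
# signer in order (issuing CA, then my CA, then any Entrust intermediate).
# The root (Entrust CA) is deliberately not part of the argument list.
build_chain() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        if [ "$(count_pem_certs "$f")" -lt 1 ]; then
            echo "build_chain: no PEM certificate in $f" >&2
            return 1
        fi
        cat "$f" >> "$out"
        echo >> "$out"   # guard against a file lacking its final newline
    done
}

# export_pkcs12 CHAIN KEY OUT [MIN] : the "cat and check" step from the
# answer, automated: refuse unless CHAIN carries at least MIN certificates.
export_pkcs12() {
    chain=$1; key=$2; out=$3; min=${4:-2}
    n=$(count_pem_certs "$chain")
    if [ "$n" -lt "$min" ]; then
        echo "export_pkcs12: $chain holds $n certificate(s), need $min+" >&2
        return 1
    fi
    openssl pkcs12 -export -in "$chain" -inkey "$key" -out "$out"
}

# Typical run with the assumed file names; the leaf must come first.
if [ "${1:-}" = "run" ]; then
    build_chain server-chain.crt server.crt issuing-ca.crt my-ca.crt
    export_pkcs12 server-chain.crt server.key server.p12 3
fi
```

Invoke as `sh build-p12.sh run` once the three PEM files are in place; the export step prompts for the PKCS#12 password exactly as the bare openssl command does.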

