Error Unable To Get Issuer Certificate Getting Chain Openssl
the customer the flexibility to re-use this certificate on a different webserver if needed. This meant I used openssl to generate the certificate and then created a pkcs12 keystore.

Create the private key and certificate request
Create the certificate key

    openssl genrsa -des3 -out customercert.key 2048

Remove the passphrase from the key

    openssl rsa -in customercert.key -out customercert.key.new
    mv customercert.key.new customercert.key

Create the Certificate request

    openssl req -new -key customercert.key -out customercert.csr

Create the Keystore file for use with tomcat and keytool

I had some trouble getting this to
work. This is a very simple procedure when working with certs signed by GoDaddy, but certs from Verisign needed some extra hand-holding. Some information on how to do this is found at http://conshell.net/wiki/index.php/OpenSSL_to_Keytool_Conversion_tips. I did not follow the instructions on this site. I ended up creating a keystore in the pkcs12 format instead of the default jks format. The site above does have instructions for converting a pkcs12 keystore to a jks format, if you require.

The signed certificate was downloaded to clients.adaptivetcr.com.cer. The Secure Site with EV Root bundle was downloaded to intermediate.crt. When I first attempted to create the keystore file, I received the error below

    openssl pkcs12 -export -chain -CAfile intermediate.crt -in customercert.cer \
        -inkey customercert.key -out customercert.keystore -name tomcat -passout pass:changeit
    Error unable to get issuer certificate getting chain.

Now the interesting thing about this error is that if you attempt an openssl verify using both the cert file and intermediate.crt, it does not complain and gives the “OK” message. After a bit of testing, I found that you need to make a new CAfile to be used, that combines the cacerts file from the openssl distribution and the intermediate.crt file.

    cat intermediate.crt /etc/ssl/certs/ca-certificates.crt > allcacerts.crt
    openssl pkcs12 -export -chain -CAfile allcacerts.crt -in customercert.cer \
        -inkey customercert.key -out customercert.keystore -name tomcat -passout \
        pass:changeit

This successfully created the keystore file. You can look at the contents of the keystore by running

    keytool -list -keystore customercert.keystore -storetype pkcs12 -v
    .....

http://www.fourproc.com/2010/06/23/create-a-ssl-keystore-for-a-tomcat-server-using-openssl-.html
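The failure and the fix described in the post above can be reproduced without a commercial certificate. This is an added example, not code from the original post: it builds a constructed root, intermediate and leaf (the subjects and demo.cnf are made up, the file names follow the post's commands) so that `-chain` can be run against a CAfile with and without the root.

```shell
# Constructed demo hierarchy: root -> intermediate -> leaf. Subjects and
# demo.cnf are made up; file names follow the commands in the post above.
make_chain() (   # $1 = scratch directory (body runs in a subshell)
    cd "$1" || exit 1
    printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' \
        '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > demo.cnf
    # Self-signed root CA
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 2 -config demo.cnf \
        -extensions v3_ca -subj "/CN=Constructed Demo Root" \
        -keyout root.key -out root.crt 2>/dev/null || exit 1
    # Intermediate CA, signed by the root
    openssl req -new -nodes -newkey rsa:2048 -config demo.cnf \
        -subj "/CN=Constructed Demo Intermediate" \
        -keyout intermediate.key -out intermediate.csr 2>/dev/null || exit 1
    openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key \
        -set_serial 1 -days 2 -extfile demo.cnf -extensions v3_ca \
        -out intermediate.crt 2>/dev/null || exit 1
    # Leaf certificate, signed by the intermediate
    openssl req -new -nodes -newkey rsa:2048 -config demo.cnf \
        -subj "/CN=server.example.test" \
        -keyout customercert.key -out customercert.csr 2>/dev/null || exit 1
    openssl x509 -req -in customercert.csr -CA intermediate.crt \
        -CAkey intermediate.key -set_serial 2 -days 2 \
        -out customercert.cer 2>/dev/null
)

# The post's export command; $1 = directory, $2 = CAfile, $3 = output file.
# Exit status is non-zero when -chain cannot reach a self-signed root.
export_chain() (
    cd "$1" || exit 1
    openssl pkcs12 -export -chain -CAfile "$2" -in customercert.cer \
        -inkey customercert.key -out "$3" -name tomcat \
        -passout pass:changeit 2>export.err
)

# Number of certificates stored in a PKCS#12 file; $1 = directory, $2 = file.
count_certs() (
    cd "$1" || exit 1
    openssl pkcs12 -in "$2" -nokeys -passin pass:changeit 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
)
# Stand-alone run: sh demo.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d) && make_chain "$d" || exit 1
    export_chain "$d" intermediate.crt bad.p12 || cat "$d/export.err"
    cat "$d/intermediate.crt" "$d/root.crt" > "$d/allcacerts.crt"
    export_chain "$d" allcacerts.crt customercert.keystore &&
        echo "certificates in keystore: $(count_certs "$d" customercert.keystore)"
fi
```

With only intermediate.crt as the CAfile the export stops with a "getting chain" error; with the root appended it succeeds and the keystore holds the leaf, the intermediate and the root.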
Unable to get local issuer certificate while processing chain
http://stackoverflow.com/questions/28870572/unable-to-get-local-issuer-certificate-while-processing-chain

I have a private key (my_ca.key) and a public key (my_cert.crt) which is signed by DigiCert. Now I want to create an RA (Registration Authority) and sign it with my private key. Here is the way I tried to do that. But when I try to export the private and public key as a pkcs12 file I have been getting an error like this: unable to get local issuer certificate getting chain. No idea how to solve this. Here my_cert.crt is extended from DigiCert High Assurance CA-3 and that one is extended from DigiCert High Assurance EV Root CA.

    SSL_SUBJ="/C=LK/ST=Colombo/L=Colombo/O=Nope/OU=mobile/CN=My root"
    openssl genrsa -out ra.key 4096
    openssl req -new -key ra.key -out ra.csr -subj "$SSL_SUBJ"
    openssl x509 -req -days 365 -in ra.csr -CA my_cert.pem -CAkey my_ca.pem -set_serial 76964474 -out ra.crt
    openssl rsa -in ra.key -text > ra_private.pem
    openssl x509 -in ra.crt -out ra_cert.pem
    openssl pkcs12 -export -out ca.p12 -inkey my_ca.pem -in my_cert.pem -name "cacert" -passout pass:password
    openssl pkcs12 -export -out ra.p12 -inkey ra_private.pem -in ra_cert.pem -chain -CAfile my_cert.pem -name "racert" -passout pass:password

ssl openssl x509 pki pkcs#12

edited Mar 5 '15 at 20:50 jww
asked Mar 5 '15 at 5:20 GPrathap

1 Answer (accepted)

You usually can't use a certificate issued by a public CA to sign anything but client or server traffic; you won't be able to use it for your RA.
The error message indicates that there is a problem with the intermediate certificates. Make sure that you add both of Digicert's certificates to the my_cert.pem file before exporting it to pkcs12.

answered Mar 5 '15 at 5:45 Kevin Keane

You mean cat DigiCert.crt my_cert.crt > my_cert.crt and then without the -chain keyword? It works. But without the -chain flag, is that correct? –GPrathap Mar 5 '15 at 6:10

Well, if you try this particular cat command, you'll destr
Create a p12 file with a Verisign Certificate and a Verisign Intermediate Certificate
Meurer, Jerry L. (EHQ)
http://openssl.6102.n7.nabble.com/Create-a-p12-file-with-a-Verisign-Certificate-and-an-Verisign-Intermediate-Certificate-td15113.html

I'm getting an error attempting to create a p12 file using OpenSSL. I can't seem to find anything that will lead me to a resolution. The error I'm getting is: "unable to get unable to local issuer certificate getting chain"

My setup is on a Windows server using Tomcat, with Apache. Apache is listening on 80, and redirects to 8080 where the application lives.

What I did [hope this is not too detailed]:
- 2 years ago we purchased and downloaded an SSL cert from Verisign and named it server.crt.
- Downloaded the Intermediate cert (chain).
- Created an additional single file with the Intermediate cert, then the SSL cert below that text (concatenated the files with the intermediate on top), saved it as a separate file called cachain.crt.
- Ran the command:

    openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name tomcat -CAfile cachain.crt -caname root -chain

- This gave me the server.p12 file that is being used right now. This expires in 12 days :(

Now:
- I gave our midrange team (who have the account with Verisign) a copy of the server.key file from my web server (from last year); they created a cert.csr file and sent it to Verisign.
- Sent me back a zip file that contained a cert.arm file (not familiar with an ARM file, but the text within is the certificate), cert.csr, and the server.key file.
- I downloaded a new Intermediate CA (Managed PKI Standard SSL Intermediate CA.txt) and created a file called cachain.crt (concatenated the files with the intermediate on top and the certificate below).
Issue: - I've been attempting to create a server.p12 file using my notes from last year. Install