Error Unable To Get Local Issuer Certificate Getting Chain Openssl
the customer the flexibility to re-use this certificate on a different webserver if needed. This meant I used openssl to generate the certificate and then created a pkcs12 keystore.

Create the private key and certificate request

Create the certificate key

    openssl genrsa -des3 -out customercert.key 2048

Remove the passphrase from the key

    openssl rsa -in customercert.key -out customercert.key.new
    mv customercert.key.new customercert.key

Create the Certificate request

    openssl req -new -key customercert.key -out customercert.csr

Create the Keystore file for use with tomcat and keytool

I had some trouble getting this to work. This is a very simple procedure when working with certs signed by GoDaddy, but certs from Verisign needed some extra hand-holding. Some information on how to do this is found at http://conshell.net/wiki/index.php/OpenSSL_to_Keytool_Conversion_tips. I did not follow the instructions on this site. I ended up creating a keystore in the pkcs12 format instead of the default jks format. The site above does have instructions for converting a pkcs12 keystore to a jks format, if you require.

The signed certificate was downloaded to clients.adaptivetcr.com.cer. The Secure Site with EV Root bundle was downloaded to intermediate.crt. When I first attempted to create the keystore file, I received the error below

    openssl pkcs12 -export -chain -CAfile intermediate.crt -in customercert.cer \
      -inkey customercert.key -out customercert.keystore -name tomcat -passout pass:changeit
    Error unable to get issuer certificate getting chain.

Now the interesting thing about this error is that if you attempt an openssl verify using both the cert file and intermediate.crt, it does not complain and gives the "OK" message. After a bit of testing, I found that you need to make a new CAfile to be used, that combines the cacerts file from the openssl distribution and the intermediate.crt file.

    cat intermediate.crt /etc/ssl/certs/ca-certificates.crt > allcacerts.crt
    openssl pkcs12 -export -chain -CAfile allcacerts.crt -in customercert.cer \
      -inkey customercert.key -out customercert.keystore -name tomcat -passout \
      pass:changeit

This successfully created the keystore file. You can look at the contents of the keystore by running

    keytool -list -keystore customercert.keystore -storetype pkcs12 -v
    .....

ABOUT

My name is Brian Connolly. I am an operations guy. Lately I have been getting more and more interested in big data, bioinformatics and Docker. I am currently a systems en
Source: http://www.fourproc.com/2010/06/23/create-a-ssl-keystore-for-a-tomcat-server-using-openssl-.html
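Added example, not part of the original post: a constructed root -> intermediate -> leaf chain that reproduces the pkcs12 -chain failure and the fix. The CA names, www.example.test and the root.*/partial.p12/rootonly.p12 files are made up for the demo; customercert.*, intermediate.crt and allcacerts.crt mirror the names used in the post.

```sh
#!/bin/sh
# Added example. Every certificate here is generated on the spot for the demo;
# nothing comes from a real CA.
WORK=$(mktemp -d) && cd "$WORK" || exit 1

# Minimal config so the demo does not depend on the system openssl.cnf.
printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=unused' \
  '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > ca.cnf

new_csr() {   # $1 = subject CN, $2 = basename for the .key/.csr pair
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
}

make_chain() {   # root -> intermediate -> customercert
  openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -extensions v3_ca \
    -subj '/CN=Example Root CA' -days 30 -keyout root.key -out root.crt 2>/dev/null &&
  new_csr 'Example Intermediate CA' intermediate &&
  openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -extfile ca.cnf -extensions v3_ca -days 30 \
    -out intermediate.crt 2>/dev/null &&
  new_csr 'www.example.test' customercert &&
  openssl x509 -req -in customercert.csr -CA intermediate.crt \
    -CAkey intermediate.key -CAcreateserial -days 30 -out customercert.cer 2>/dev/null
}

build_p12() {   # $1 = file given to -CAfile, $2 = keystore to write
  openssl pkcs12 -export -chain -CAfile "$1" -in customercert.cer \
    -inkey customercert.key -out "$2" -name tomcat -passout pass:changeit 2>&1
}

count_certs() {   # number of certificates stored in keystore $1
  openssl pkcs12 -in "$1" -nokeys -passin pass:changeit 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

make_chain || exit 1
# Intermediate only: the chain stops one step short of a self-signed root.
build_p12 intermediate.crt partial.p12 || echo "intermediate only: failed"
# Root only: nothing in the file issued customercert.cer.
build_p12 root.crt rootonly.p12 || echo "root only: failed"
# Intermediate plus root, the same idea as allcacerts.crt in the post.
cat intermediate.crt root.crt > allcacerts.crt
build_p12 allcacerts.crt customercert.keystore &&
  echo "full chain: $(count_certs customercert.keystore) certificates stored"
```

The two failing runs print OpenSSL's own error text, so the wording for a missing root and for a missing issuer of the leaf can be compared directly on the installed version.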
Create a p12 file with a Verisign Certificate and an Verisign Intermediate Certificate
Source: http://openssl.6102.n7.nabble.com/Create-a-p12-file-with-a-Verisign-Certificate-and-an-Verisign-Intermediate-Certificate-td15113.html

Meurer, Jerry L. (EHQ):

I'm getting an error attempting to create a p12 file using OpenSSL. I can't seem to find anything that will lead me to a resolution. The error I'm getting is: "unable to get local issuer certificate getting chain"

My setup is on a Windows server using Tomcat, with Apache. Apache listening on 80, and redirects to 8080 where the application lives.

What I did [hope this is not too detailed]:
- 2 years ago we purchased and downloaded an SSL cert from Verisign and named it server.crt,
- Downloaded the Intermediate cert (chain).
- Created an additional single file with the Intermediate cert, then the SSL cert below that text (concatenated the files with the intermediate on top), saved it as separate file called cachain.crt.
- Ran the command:

    openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name tomcat -Cafile cachain.crt -caname root -chain

- This gave me the server.p12 file that is being used right now. This expires in 12 days :(

Now:
- I gave our midrange team (who have the account with Verisign) a copy of the server.key file from my web server (from last year), they created a cert.csr file, sent it to Verisign
- Sent me back a zip file that contained a cert.arm file (not familiar with an ARM file, but the text within is the certificate), cert.csr, and the server.key file
- I downloaded a new Intermediate CA (Managed PKI Standard SSL Intermediate CA.txt) and created a file called cachain.crt (concatenated the files with the intermediate on top and the certificate below).

Issue:
- I've been attempting to create a server.p12 file using my notes from last year. Installed OpenSSL under c:\openssl
- Copied all of the files to c:\openssl\bin

Issue the command:

    C:\OpenSSL\bin>openssl pkcs12 -export -in cert.crt -inkey server.key -out server.p12 -name tomcat -CAfile cachain2.crt -caname root -chain
    Loading 'screen' into random state - done
    Error unable to get local issuer certificate getting chain.

Viewed all of the files using Textpad to ensure Notepad didn't add any funky characters, and also reproduced the same error on my second PC. A tip from another mail archive led me to run the following, and I'm not sure if the problem is here?

Current "arm" file, and intermediate chain:

    openssl x509 -in cert.arm -issuer -noout
    issuer= /C=US/O=VeriSign, Inc./OU=