I got 4 .crt
files from a CA as follows,
AddTrustExternalCARoot.crt
COMODORSADomainValidationSecureServerCA.crt
COMODORSAAddTrustCA.crt
demo_site_domain.crt
second and third are intermediate certificates. I want to import .crt file(s) to wso2carbon.jks store and replace it with the existing jks of a wso2 server as documented here.
My problem is, document wants wso2carbon
as the alias, but I can import only one certificate using that alias, therefore which .crt file should I import? Or should I import a composite .crt file which is created from above four crt files (is it possible?)
I tried with AddTrustExternalCARoot.crt
and demo_site_domain.crt
but after I set up the .jks file in the wso2 server, server url gives the following error,
Secure Connection Failed
The connection to ip:port was interrupted while the page was loading.
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.
What am I doing wrong here?
The wso2 server that I am using is WSO2 UES
and I have to place the password in following four files to overcome the Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
error.
repository/conf/security/cipher-text.properties
repository/conf/identity.xml
repository/conf/carbon.xml
repository/conf/tomcat/catalina-server.xml
UPDATE:
I followed the answer given, but last command doesn't give the installed in keystore
instead it is Certificate was added to keystore
following are my comands and repsponses ,
keytool -importcert -keystore wso2carbon.jks -file AddTrustExternalCARoot.crt -alias commoroot -trustcacerts
Enter keystore password:
Re-enter new password:
Certificate already exists in system-wide CA keystore under alias
Do you still want to add it to your own keystore? [no]: yes
Certificate was added to keystore
keytool -importcert -keystore wso2carbon.jks -file COMODORSAAddTrustCA.crt -alias commointermediate1
Enter keystore password:
Certificate was added to keystore
keytool -importcert -keystore wso2carbon.jks -file COMODORSADomainValidationSecureServerCA.crt -alias commointermediate2
Enter keystore password:
Certificate was added to keystore
keytool -importcert -keystore wso2carbon.jks -file demo_site_domain.crt -alias wso2carbon
Enter keystore password:
Certificate was added to keystore
(Meta: I'm pretty sure this is a duplicate, but I can't find a good one. Answering anyway.)
That page seems to be missing all of the dashes required on keytool
commandline options and in PEM file formats; assuming you already corrected for that:
In item 3 it says "you might have to import any intermediate certificates ... before you can import your [CA-]signed certificate". In fact, you do. There are two ways to do this:
1: Import each cert other than your server (or other End Entity) cert, from the top down, to separate entries in the keystore; for your case:
keytool -importcert -keystore wso2carbon.jks -file AddTrustExternalCARoot -alias somealias1 -trustcacerts
keytool -importcert -keystore wso2carbon.jks -file COMODORSAAddTrustCA.crt -alias somealias2
keytool -importcert -keystore wso2carbon.jks -file COMODORSADomainValidationSecureServerCA.crt -alias somealias3
where somealias{1,2,3}
are aliases different from each other and different from any alias already in the keystore especially wso2carbon
. (edit) (figured out how to get the code lines formatted correctly)
Then import your server cert to the (edit) same alias in the same keystore file where the -genkeypair
and -certreq
were previously done (or alternatively to an alias which is a copy in this keystore of the PrivateKey entry that was earlier created by -genkeypair
and -certreq
):
keytool -importcert -keystore wso2carbon.jks -file demo_site_domain.crt -alias wso2carbon
This (last) step should say Certificate reply was installed in keystore
NOT Certificate was added to keystore
. Otherwise it actually failed, even though it didn't give an error message.
2: concatenate all the certs in one file, with the server (EE) cert first, and import that combined file to (edit) the same alias in the same keystore file used earlier (or to a copy of that privateKey entry):
# assuming any kind of Unix
cat demo_site_domain.crt COMODORSADomainValidationSecureServerCA.crt \
COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt >combinedfile
# if Windows use copy a+b+etc or (for PEM) cut&paste in a plaintext editor like Notepad
keytool -importcert -keystore wso2carbon.jks -file combinedfile -alias wso2carbon -trustcacerts
The order of the certs other than first doesn't actually matter here, but they will be stored in the keystore and used in the SSL/TLS protocol in "upward" order, so I use that order in the cat
for consistency and clarity.
(edit) If there is at any time any doubt what entries you have or don't have in a given keystore file, you can list them with keytool -list -v -keystore filename
. Any entry you generate with -genkeypair
is a PrivateKey
entry, and will contain either a self-signed cert automatically generated by keytool
or a certificate with chain you have obtained from a CA. The display format is rather straggly and can be confusing, but look for the lines like Certificate[1]:
Certificate[2]:
etc. followed immediately by lines for Owner:
(which means Subject in standard terminology) and Issuer:
.
On the other hand each CA root or intermediate cert you import separately will be a trustedCert
entry containing only that one cert.
Also the page says you need to import your "signed certificate" into client-truststore.jks
. I believe that's wrong. You DO usually need to put a self-signed cert in any client truststore(s), but you should NOT need to do this for a cert signed by a well-known CA, which Comodo/Addtrust is. However, it doesn't hurt to add an unnecessary but valid cert to the truststore.