That's what I call an answer! It explained a lot. Orion guys, please add that
to your SSL howto.
You can also retrieve a cert+CAcert already chained right from Thawte.
Select an SSL type test cert and also check the chaining setting on the web
page for test cert generation.
/David

----- Original Message -----
From: Mike Atkin [mailto:[EMAIL PROTECTED]]
To: "Orion-Interest" <[EMAIL PROTECTED]>
Subject: SSL question


The problem with the first command is that keytool can't find the root ca
certificates in your keystore and therefore can't build up the certificate
chain from your server key to the trusted root certificate authority.  With
the second example, keytool is using the system keystore and can locate the
root ca certs in <jdk-dir>/jre/lib/security/cacerts.

When I created my keystore I used a certificate from bt trustwise which is
an intermediate ca so I had yet another cert to add.  The commands went
something like this (assume keystore does not yet exist):

keytool -keystore keystore -import -alias cacert -file cacert.cer
# Only needed if you are using an intermediate signing authority like BT Trustwise:
keytool -keystore keystore -import -alias intercert -file inter.cer
keytool -keystore keystore -genkey -keyalg RSA -alias serverkey
# -alias must name the key entry created above; without it keytool looks for the default alias "mykey":
keytool -keystore keystore -certreq -alias serverkey -file my.host.com.csr

Get cert from csr then:
keytool -keystore keystore -import -file my.host.com.cer -alias serverkey

That should be that.  You can do a keytool -keystore keystore -v -list and
check that a cert chain has been built.

You can probably get round your problem just by importing the ca certs into
your keystore and then trying to re-add your server cert.

HTH

Mike


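The chain-building point Mike makes above, as an added example that is not part of the thread: a constructed root CA, intermediate CA and server certificate are generated with openssl, and the server cert is verified once with the root alone (fails, the same situation keytool is in when the CA certs are missing from the keystore) and once with the intermediate supplied as well (succeeds). The names, the "changeit" store password and the temporary directory are assumptions; the keytool import step only runs if keytool is on PATH.

```shell
#!/bin/sh
# Added example, not from the original thread. Shows why a server cert signed
# by an intermediate CA cannot be chained to the root until the intermediate
# is also available, which is the failure keytool -import reports.
# Assumes openssl is installed; all certificate names are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Root CA: self-signed (constructed name).
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -subj "/CN=Example Root CA" -days 2 2>/dev/null
# Intermediate CA: signed by the root and marked CA:TRUE.
openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Example Intermediate CA" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -out inter.pem -days 1 2>/dev/null
# Server cert: signed by the intermediate, like the BT Trustwise case in the thread.
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=my.host.com" 2>/dev/null
openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -out server.pem -days 1 2>/dev/null

# Root alone: the verifier cannot find the server cert's issuer, so this
# returns non-zero. keytool rejects the server-cert import for the same reason.
verify_without_intermediate() {
    openssl verify -CAfile root.pem server.pem >/dev/null 2>&1
}
# Root plus intermediate: the full chain is built and this returns 0.
verify_with_intermediate() {
    openssl verify -CAfile root.pem -untrusted inter.pem server.pem >/dev/null 2>&1
}

# The keystore side of the thread: import both CA certs first so that a later
# server-cert import can chain. Runs only if keytool is on PATH (assumption).
import_ca_certs_into_keystore() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH, skipping"; return 0; }
    keytool -keystore keystore -storepass changeit -noprompt -import -alias cacert -file root.pem
    keytool -keystore keystore -storepass changeit -noprompt -import -alias intercert -file inter.pem
    keytool -keystore keystore -storepass changeit -v -list >/dev/null
}

verify_without_intermediate && echo "unexpected: verified without the intermediate"
verify_with_intermediate && echo "chain verified once the intermediate is present"
import_ca_certs_into_keystore
```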