I have a certificate that has the following chain of certification: Entrust->My CA->My Issuing CA->My JBoss Certificate. Now, if I install my certificate on my JBoss instance, any page I access running on this instance will appear untrusted as My Issuing CA is not recognized by my browser. I know that my computer has the public key for the Entrust signing authority. How can I install my certificate so that any browser can see the entire certificate chain?
I made a single .pem file of all of the certificates thinking that would work. It did not. Can anyone explain what I am doing wrong or even if this is possible?
Adding an intermediate certificates to a pkcs12 file ...
Here's how I do it on my web and mail servers.
First, www-example-com.crt
is the web server cert signed by Startcom. Startcom offers free Class 1 certificates trusted my most browsers and mobile devices, so I use them. The certificate is in PEM format (----- BEGIN CERT -----
and ----- END CERT -----
).
Second, I open www-example-com.crt
and append Startcom's Class 1 Intermediate. I get the intermediate from Startcom's Index of /certs. Now my www-example-com.crt
has two PEM encoded encoded certs in it.
Third, I perform the following to create a PKCS12/PFX file for use in IIS.
openssl pkcs12 -export -in www-example-com.crt -inkey www.example.key -out www-example-com.p12
In your case, your www-example-com.crt
will have at least three PEM encoded certificates in it:
----- BEGIN CERT -----
< My JBoss Certificate >
----- END CERT -----
----- BEGIN CERT -----
< My Issuing CA >
----- END CERT -----
----- BEGIN CERT -----
< My CA >
----- END CERT -----
The third cert in the chain - My CA
- is optional. You don't need it if your clients use My CA
as a trust anchor. If you're clients use Entrust
as a trust anchor, then you will need to include it.
If you cat
your www-example-com.crt
and it does NOT have multiple certificates, then do not continue. Don't perform openssl pkcs12
until your server cert has all the required intermediate certificates required to verify the chain.
Do not include the Entrust CA certificate.
I doubt Entrust signs with their CA directly. They probably use an intermediate, too. So your cert chain should probably look like:
----- BEGIN CERT -----
< My JBoss Certificate >
----- END CERT -----
----- BEGIN CERT -----
< My Issuing CA >
----- END CERT -----
----- BEGIN CERT -----
< My CA >
----- END CERT -----
----- BEGIN CERT -----
< Entrust Intermediate >
----- END CERT -----
Entrusts provides their CA and Intermediate certificates at Entrust Root Certificates. I can't tell you which one you need because you won't provide a URL or show us the chain you have. But I'm guessing its going to be one or more of:
You can test your chain with OpenSSL's `s_client. This time, you will use Entrust's certifcate:
echo -e "GET / HTTP/1.0\r\n" | openssl s_client -connect myserver:8443 \
-CAfile entrust-ca.pem
You can get entrust-ca.pem
from Entrust Root Certificates. Run it and tell us what errors you get. Or better, post the URL to your server so we can see what's going on.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With