SSL intermediate certificates
We are having a lot of trouble getting our SSL certificates to work properly.
We have generated our keystores (using multiple sources) from an existing key and certificate by first creating a PKCS#12 file and exporting it to a Java keystore.
Now, Thawte requires that you install 2 intermediate CA files. If I inspect our keystore, all three (the 2 intermediates and our own) are present. Tomcat starts up properly, but on visiting the site (and using the VeriSign SSL checker), the two intermediate certificates are not picked up.
If anyone has more experience with installing certificates from Thawte, any input would be appreciated. We have the following files at our disposal. Unfortunately we do not have the original keystore used to create the CSR, but we do have the private key.
- CSR file
- Private key (.key file)
- Our .crt file
- The primary and secondary intermediate files from Thawte (as separate files and as a bundled .p7b file)
Also, we are using Tomcat 7.0.27 without Apache.
I answered your other question; the snippets from there should help with this problem too.
One caveat: to add the full certificate chain to a PKCS#12 keystore, you must concatenate all intermediate PEM files like this:
cat specific_ca.pem general_ca.pem root_ca.pem > ca_chain.pem
Then specify -CAfile ca_chain.pem, and specify -caname multiple times, once for every cert in the chain, in the order they appear in the ca_chain.pem file.
DER to PEM conversion, just in case:
openssl x509 -in cert.der -inform der -outform pem -out cert.pem
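The chain-building step from the answer above, as an added example that is not part of the original post: it creates a throwaway root, two intermediates and a server certificate, exports them with `-CAfile` and repeated `-caname`, then counts the certificates stored in the resulting PKCS#12 file. All file names, CNs, the alias and the password are constructed, and the `-chain` flag is an assumption about the full export command, which the answer does not show.

```shell
#!/bin/sh
# Added example. Every name, CN and password below is constructed test data.

# issue NAME SIGNER EXTFILE SERIAL: new key + CSR for NAME, signed by SIGNER
# (self-signed when SIGNER equals NAME; SERIAL is then unused).
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo $1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null || return 1
    if [ "$1" = "$2" ]; then
        openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 2 \
            -extfile "$3" -out "$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
            -set_serial "$4" -days 2 -extfile "$3" -out "$1.pem" 2>/dev/null
    fi
}

# build_demo_keystore: builds keystore.p12 in a temp dir and prints how many
# certificates it contains (server cert + every CA in ca_chain.pem).
build_demo_keystore() (
    dir=$(mktemp -d) || exit 1
    trap 'rm -rf "$dir"' EXIT
    cd "$dir" || exit 1
    echo 'basicConstraints=critical,CA:TRUE' > ca.ext
    echo 'basicConstraints=CA:FALSE' > leaf.ext
    issue root_ca root_ca ca.ext 1 &&
    issue general_ca root_ca ca.ext 2 &&
    issue specific_ca general_ca ca.ext 3 &&
    issue server specific_ca leaf.ext 4 || exit 1

    # Same concatenation order as in the answer: closest issuer first, root last.
    cat specific_ca.pem general_ca.pem root_ca.pem > ca_chain.pem

    # -chain makes openssl build the chain from -CAfile and store it with
    # the key entry; one -caname per CA, in ca_chain.pem order.
    openssl pkcs12 -export -in server.pem -inkey server.key -name tomcat \
        -chain -CAfile ca_chain.pem \
        -caname specific -caname general -caname root \
        -passout pass:changeit -out keystore.p12 || exit 1

    # Count the certificates actually stored in the PKCS#12 file.
    openssl pkcs12 -in keystore.p12 -nokeys -passin pass:changeit 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
)

build_demo_keystore   # prints 4 when the whole chain was embedded
```

After converting such a file to a JKS, `keytool -list -v` should report the same certificate chain length under the private key entry, rather than listing the intermediates as separate trusted-certificate entries.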