Unable to import signed cert in keystore

Similar Messages

• OBIEE 11g SSL Configuration Issue : Unable to import the Server certs

  Hello All,
  We are trying to configure OBIEE 11.1.1.6.0 with SSL using Windows server 2003 (IIS) and facing some issues with that.
  Followed the document : OBIEE11g SSL Setup and Configuration [1326781.1]
  http://obieedue.blogspot.sg/2012/08/obiee11g-ssl-setup-and-configuration.html
  and also completed generating the required certificate signing request and keystores for SSL communication and sent it to the CA (IT Admin team) to to have the certificate signed by CA. The issue comes when I am trying to import the CA certificate (Root certificate) and Server Certificate into the Java Keystore.
  I am importing the Root CA Certificate first which is successfully added to the keystore.
  keytool -import -trustcacerts -alias mycacert -file cacert.pem -keystore mykeystore.jks -storepass Welcome1
  Trust this certificate? [no]: yes
  Certificate was added to keystore.
  But when trying to add the Server Certificate to the keystore using the command below :
  keytool -import -v -alias testserver -file server.cer -keystore mykeystore.jks -keypass Welcome1 -storepass Welcome1
  Certificate reply was installed in keystore
  I get the following error:
  keytool error: java.lang.Exception: Failed to establish chain from reply
  java.lang.Exception: Failed to establish chain from reply
  at sun.security.tools.KeyTool.establishCertChain(KeyTool.java:2662)
  at sun.security.tools.KeyTool.installReply(KeyTool.java:1870)
  at sun.security.tools.KeyTool.doCommands(KeyTool.java:807)
  at sun.security.tools.KeyTool.run(KeyTool.java:172)
  at sun.security.tools.KeyTool.main(KeyTool.java:166)
  Read many forums and tried to convert it to the PKCS#7 format and import the cert to the identity keystore, but was not successful in that either. I have also checked with the IT Admin team and found there is only one RootCA and no other intermediate CA's.
  Please advice if any one has similar issues or suggestions.
  Thanks in advance,
  SVS

  Hi,
  One obvious reason would be that you did not specify -trustcacerts, and the root CA is not included in the present server keystore. In that case, using the -trustcacerts option would solve the problem, if the root CA is indeed in the JDK cacerts.
  To print out the certificates present in the JDK cacerts, use the following command:
  keytool -list -keystore <JAVA_HOME>/jre/lib/security/cacerts -storepass changeit -v
  Then check if the root CA that signed your server certificate is present, and has not expired (in which case,you would need to re-import a newer one into cacerts).
  Another common reason for that error message is when you have used a proprietary CA to sign your server certificate. Then it would obviously not be in the JDK cacerts. The solution in that case is to import your proprietary root CA into the JDK cacerts, using the following command:
  keytool -import -keystore <JAVA_HOME>/jre/lib/security/cacerts -file yourRootCA.pem -storepass changeit -alias youralias
  A third reason for that error message is when your server was signed by an intermediate certificate. In that case, you would have received from your CA a chain of certificates. One way to solve this (not the only one, but this one works well): Prepend your intermediate CA file to your server cert file, and import the obtained concatenated file into the server keystore. Be careful, the intermediate CA must be BEFORE the server cert. Example:
  copy rootca.cer certchain.p7b
  type server.cer >> certchain.p7b
  The file certchain.p7b will be the concatenation of the intermediate CA and the signed server cert. Then import the newly created file under the key alias as follows:
  keytool -import -keystore serverks.jks -file certchain.p7b -alias yourkey -trustcacerts
  If you only prepend the intermediate root CA, you must make sure the the final root CA is in cacerts. But you can also prepend your whole chain of trust inside the server keystore.
  Regards,
  Kal

• Problem with Java keystore and certificates (unable to find valid cert path

  Our program is made so that when a certificate is not signed by a trusted Certification Authority, it will ask the user if he/her wishes to trust the certificate or not. If they decide to trust the certificate, it will accept the self signed certificate and import it into the keystore and then use that certificate to log the user in. This works fine. It will import the certificate into the keystore and use the specified ip address to establish a connection with the LDAP server (Active Directory in our case) and authenticate properly. However, the problem arises when we then try and connect to a different ip address (without restarting tomcat, if we restart tomcat, it works fine...). It imports the certificate into the keystore fine, but always gives the exception
  "Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
  and does not authenticate with our LDAP server (which is Active Directory). The problem seems to be that it is no longer looking at the System.setProperty("javax.net.ssl.trustStore", myTrustStore);
  I have tried multiple times to just reset this property and try and "force" it to read from my specified trust file when this error happens. I have also imported the certificates directly into the <java_home>/jre/lib/security/cacerts and <java_home>/jre/lib/security/jssecacerts directories as the java documentation says that it will look at those directories first to see if it can find a trusted certificate. However, this does not work either. The only way that I can get this to work is by restarting tomcat all together.
  If both of the certificates are already in the keystore before tomcat is started up, everything will work perfect. Again, the only problem is after first connecting to an IP address using TLS and importing the certificate, and then trying to connect to another IP address with a different certificate and import it into the keystore.
  One of the interesting features of this is that after the second IP address has failed, I can change the IP address back to the first one that authenticated successfully and authenticate successfully again (ie
  I use ip 1.1.1.1, import self signed certificate, authenticates successfully
  login with ip 2.2.2.2 import self signed certificate, FAILS
  login again with 1.1.1.1 (doesn't import certificate because it is already in keystore) successfully authenticates
  Also, I am using java 1.5.0_03.
  Any help is greatly appreciated as I've been trying to figure this out for over a week now.
  Thanks

  Please don't post in threads that are long dead and don't hijack other threads. When you have a question, start your own topic. Feel free to provide a link to an old post that may be relevant to your problem.
  I'm locking this thread now.

• Can't import an OpenSSL signed cert  into a JKS using keytool

  Hey everyone,
  *[Update]* When I do a "openssl x509 -in server1.pem -issuer -noout" after I've supposedly signed it with the CA, the issuer is, for some reason, the DN string of server1. If server1 generated the CSR, and it is coming up as issued by server1, doesn't that indicate a self signed cert? How could the CA be producing a cert that has an issuer of another server?
  I hope this is the right place for this, but I'm having some difficulty using the java keytool and OpenSSL tool on a Solaris system. Any help would be greatly appreciated.
  I have a server (CA server) with OpenSSL installed that I would like to use as a Certificate Authority. The second server (server1) is a WebLogic server with JDK 1.6.0_21. I'm trying to configure it to use a certificate that has been signed by server1.
  For some reason it keeps giving me this error when I try to import the signed SSL certificate: keytool error: java.lang.Exception: Public keys in reply and keystore don't match
  Am I doing something wrong in this whole process?
  1) Generate the Private Key for the CA server
  openssl genrsa -out CA.key -des 2048
  2) Generate the CSR on the CA
  openssl req -new -key CA.key -out CA.csr
  3) Sign the new CSR so that it can be used as the root certificate
  openssl x509 -extensions v3_ca -trustout -signkey CA.key -days 730 -req -in CA.csr -out CA.pem -extfile /usr/local/ssl/openssl.cnf
  4) On server1, create Server Private Key KeyStore
  keytool -genkey -alias server1 -keysize 2048 -keyalg RSA -keystore server1.jks -dname "CN=server1.domain.com,OU=Organization,O=Company,L=City,ST=State,C=US"
  5) On server1, create a CSR from the recently created Private Key
  keytool -certreq -alias server1 -sigalg SHA1WithRSA -keystore server1.jks -file server1.csr
  6) Transfer the CSR over to the CA (server1) so that it can be signed
  openssl x509 -extensions v3_ca -trustout -signkey CA.key -days 365 -req -in server1.csr -out server1.pem -extfile /usr/local/ssl/openssl.cnf
  7) Transfer CA Public Cert to server1 and Import into keytool
  keytool -import -trustcacerts -alias CA_Public -file CA.pem -keystore server1.jks
  8) Import recently signed CSR to app server keystore (This is where I receive the error)
  keytool -import -trustcacerts -alias server1 -file server1.pem -keystore server1.jks
  Thanks!
  Edited by: user13378168 on Feb 11, 2011 2:03 PM

  I got it! Here's how I resolved it.
  1) Going back to the CA server I went and looked at the server1.pem that was produced. I tried to validate it against the CA's certificate
  openssl verify -CAFile CA.pem server1.pem
  server1.pem: /C=REDACTED/ST=REDACTED/L=REDACTED/O=REDACTED/OU=REDACTED/CN=server1.domain.com
  error 18 at 0 depth lookup:self signed certificate
  OK
  Seemed to be a clear indication that the certificate was not properly signed by OpenSSL.
  2) I tried signing it using a different command I found here: http://www.dylanbeattie.net/docs/openssl_iis_ssl_howto.html
  openssl ca -policy policy_match -config openssl.cnf -extensions v3_ca -cert CA.pem -in server1.csr -keyfile CA.key -days 365 -out server1.pem
  I received a much different set of responses from OpenSSL including
  +Sign the certificate? [y/n]+
  +1 out of 1 certificate requests certified, commit? [y/n]+
  3) I tried my validate command again and got a plain "OK"
  4) I now tried to import this new server1.pem using the keytool command and actually got the following error:
  keytool error: java.security.cert.CertificateParsingException: invalid
  DER-encoded certificate data
  5) When I looked at the file it seems that OpenSSL had added quite a bit of extra certificate information to the file. I deleted everything up to (but not including) the -----BEGIN CERTIFICATE----- line and tried the import one more time and it imported successfully!
  Sabre, thanks for helping me look into this one.
  Edited by: user13378168 on Feb 14, 2011 12:50 PM - Added correct signing command

• Importing self signed cert

  Hi all,
  I need to import a self signed cert to our webdav server. I'm running maven 2 to deploy, and I can't get the ssl certificate into the keystore because I can't find it! Normally I've used the "keytool -import.." to import certs. I recently switched to OS X from Linux/Winbloze, so any help would be greatly appreciated!
  Thanks,
  Todd

  You need to import the certification in the file b64InternetCertificate.txt in the /sysman/config directory of your agent. Full instructions are in chapter 4, 4.7.2 Configuring Beacons to Monitor Web Applications Over HTTPS.

• Code signing cert error using Digicert - Unable to build a valid certificate chain for the signer

  Steps to fix this error on code signing adobe air using .p12 cert from Digicert - Unable to build a valid certificate chain for the signer
  a. Open Firefox and browse to https://www.digicert.com/digicert-root-certificates.htm
  b. On the middle of the page, download -
  DigiCert Assured ID Code Signing CA-1
  Valid until: 10/Feb/2026
  Serial #: 07:F4:73:6F:AF:EF:40:8A:1F:66:40:F2:65:D1:0A:C1
  Thumbprint: B170A10819BEA936905D719E643399783E1F4567
  Download
  c. Install the cert in Firefox
  d. Once done, export again the code signing cert from digicert, through (click Firefox -> Preferences -> View Certificates -> HIghlight the digicert code signing cert -> click Backup)
  e. Done, the newly exported file should now have the valid certificate chain and that should fix the error "Unable to build a valid certificate chain for the signer"
  Even though this is from Digicert, this should also work for other Certificate Authority providers assuming you download your provider's root cert for code signing.
  Regards,
  Reigner S. Yrastorza

  Are you talking about AIR Help produced by RoboHelp or an AIR application that you are creating?
  If the latter, please see the notice at http://forums.adobe.com/community/robohelp/airhelp
  If you are using RoboHelp, which version?
  See www.grainge.org for RoboHelp and Authoring tips
  @petergrainge

• Self signed cert - X509 - importing & using issues...

  Dear Users,
   please refrain from answers if they are not based on facts as i want to find the real cause of this problem and not like to deal with guesses:
  I'm trying to access the webpage http://www.mastersnet.de but due to some issues with the offered SSL-Cert i can not establish a secure connection - hence no connection to this page over SSL at all.
  Furthermore i'm also not able to import the Cert into my nokia certification store. It works on other mobile phones like devices with windows mobile or the iphone. Checking the content of the cert with openssl x509 -text -in certname is not showing anything suspicious.
  If i export the cert from the windows cert store as DER encoded binary X.509 (.CER) file i'm able to import the cert to the certstore but am not able to set trustlevels or show details.
  It behaves like a placeholder without any function.
  Please bring some light into that - even if it's a bug.
  We tried a E63 and E72 with latest firmware.
  Thanks in advance Stefan
  Attachments:
  masters.der.txt ‏2 KB

  You're right - when using PEAP, you'll only need server certificates for authentication. However - If you want to enforce, that the client only connects to your APs*, the clients need to validate the server certificate. The only way to validate the server cert, it to check, if it was issued by a trusted CA. A trusted CA could be for example VeriSign (per system default) or your own CA (if you added it). Check your Certificate store on your client - you'll find all trusted CAs there.
  If you issue a server cert to your ACS server with a CA, the client doesn't trust, validation is impossible.
  A trusted CA cert is NOT a client certificate.
  *(Rogue-APs simulates valid APs (same SSID, encryption and authentication) to obtain user credentials or other data)

• Weblogic self-signed certs

  Hi Guys, wanted to know whether it's ok to use self-signed certs in prod env when the weblogic server is sitting in DMZ including other down/up stream systems and end users will access the apps via protected proxy servers.

  Hi,
  Following is the standard way of creating self signed certificates..."keytool" is a utility which comes along with JDK installation.
  keytool -genkey -alias mykey -keyalg RSA -keysize 1024 -dname "CN=aaa.bbb.com, OU=Customer Support, O=MyOrganization, L=Denver, ST=Colorado, C=US" -keypass mykeypass -keystore identity.jks -storepass mystorepass
  keytool -selfcert -v -alias <alias> -keypass -keystore .jks -storepass <store password> -storetype jks
  keytool -export -v -alias <alias;> -file <root cert>.der -keystore <key store>.jks -storepass
  keytool -import -v -trustcacerts -alias <alias> -file <root cert>.der -keystore <key store>.jks -storepass
  for detailed informations please visit: http://java.sun.com/j2se/1.5.0/docs/tooldocs/windows/keytool.html
  Thanks
  Jay SenSharma
  http://jaysensharma.wordpress.com (WebLogic Wonders Are Here)
  Edited by: Jay SenSharma on Feb 4, 2010 5:00 PM

• Error while importing CA cert into kerstore

  Hi all,
  I am facing below error while importing CA cet or trusted cert into keystore:
  bash-3.00$ keytool -import -v -trustcacerts -alias tcstestenv -file TCStestCA.cer -keystore keystore.jks
  Enter keystore password:
  keytool error: java.lang.Exception: Public keys in reply and keystore don't match
  java.lang.Exception: Public keys in reply and keystore don't match
  at sun.security.tools.KeyTool.establishCertChain(KeyTool.java:2618)
  at sun.security.tools.KeyTool.installReply(KeyTool.java:1870)
  at sun.security.tools.KeyTool.doCommands(KeyTool.java:807)
  at sun.security.tools.KeyTool.run(KeyTool.java:172)
  at sun.security.tools.KeyTool.main(KeyTool.java:166)
  bash-3.00$ keytool -import -v -trustcacerts -alias tcstestenv -file TCStestCA.cer -keystore keystore.jks
  Enter keystore password:
  keytool error: java.lang.Exception: Public keys in reply and keystore don't match
  java.lang.Exception: Public keys in reply and keystore don't match
  at sun.security.tools.KeyTool.establishCertChain(KeyTool.java:2618)
  at sun.security.tools.KeyTool.installReply(KeyTool.java:1870)
  at sun.security.tools.KeyTool.doCommands(KeyTool.java:807)
  at sun.security.tools.KeyTool.run(KeyTool.java:172)
  at sun.security.tools.KeyTool.main(KeyTool.java:166)
  bash-3.00$ keytool -import -v -alias tcstestenv -file TCStest.cer -keystore keystore.jks
  Enter keystore password:
  keytool error: java.lang.Exception: Public keys in reply and keystore don't match
  java.lang.Exception: Public keys in reply and keystore don't match
  at sun.security.tools.KeyTool.establishCertChain(KeyTool.java:2618)
  at sun.security.tools.KeyTool.installReply(KeyTool.java:1870)
  at sun.security.tools.KeyTool.doCommands(KeyTool.java:807)
  at sun.security.tools.KeyTool.run(KeyTool.java:172)
  at sun.security.tools.KeyTool.main(KeyTool.java:166)
  Regards
  Sunitha

  How did you create an empty keystore? Ideally when you use keytool -genkey command then it generates a keystore and a key. Have you made sure that the cert which you are importing is in PEM format (PEM certs can be opened in any text editor)
  Regards,
  Anuj

• InCommon Code Signing Cert not working in Profile Manager

  We acquired a Code Signing Certificate from InCommon for signing profiles, and it doesn't want to work with Profile Manager.
  In the Certificates section we have our working SSL cert for the web server, and self-signed SSL and Code Signing certs.
  When I try to import the p7s file it lists four non-identity certificates and then says that it can't be used as a code signing certificate. 
  Has anyone ever managed to get an InCommon code signing cert to work with OSX Server?

  Hello,
  In RFC SAP-OSS, i maintained my S-user id and its password.
  As already told my router connectivity and   SAPOSS rfc working fine.
  regards
  Vinayag.K.C

• Unable to import a vid clip of 267 MB from iphoto (6.0.6) to imovie (6.0.3)

  I am unable to import a vid clip of 267 MB from iphoto (6.0.6) to imovie (6.0.3). I tried changing the format from MPEG 1 to MPEG 4 via streamclip 1.8 but when trying to import a window comes up saying "Error during import - the file could not be imported: unknown error". It says this no matter what format I try. (MPEG 1,2,4 and compressing it to a zip. file. (20KBs, 44KBs, 115MBs etc.). Imovie "HELP" says that it should import at least the clip in the MPEG 4 format (115.9 MBs). Any thoughts on this appreciated ---- Toroya

  is your converted file playable with Quicktime Player?
  rename your converted file in Finder .. avoid any 'special' characters as  ☜ ©, blanks, 'signs' | \ …= dots ] ... just letters...
  .. just to mention: iM is a DV-editor.. preferrable, you should work with 'dv-streams' = best quality, no loss, have a look in Streamclip's Export Options ... esp. when working with allready highly compressed material as mpegs ....

• Unable to install signed applications; themes inst...

  Kind of an awkward subject line, I know, but I can't really describe it any other way.
  Last month I tried to install a bunch of Christmas themes for my E66. I signed all of them using my Symbian Signed cert & key with SignSIS, and installed them onto my E:\ through Ovi/Nokia suite. I've been doing this for the past two years and haven't had any issues before.
  Unfortunately, the themes weren't showing up in the Theme section on my phone or in the application manager, but they did come up in UninstallKing. I ended up loading them using the UnSis method ( /t5/Pool-of-Knowledge/Restoring-A-Deleted-or-Vanished-Theme/m-p/367498 ), and they were fine.
  I just tried to reinstall Free-iSMS on my phone since the new version's online "registration" was downright sketchy and didn't work. Unfortunately, all of the versions I've download (v1.03, v1.08, etc.) and signed using SignSIS and Martik REFUSE to install. The cert and key are for the correct IMEI, the certificate date is with in the range, but every time I get the same error: "Unable to install, constrained by the certificate."
  Thinking it was an issue with my certificate and key, I redownloaded them from Symbian Signed and tried to install a theme from Pizero. I signed it using SignSIS and the new cert/keys, and it installed just fine... but still won't show up in the application manager or theme list.
  WTH is going on with my phone?! Did I mess something up when I installed those themes using UnSis?
  Thanks-
  -KC

  Just realized that the problem doesn't occur while downloading and installing via native browser or nokia store

• Self signed cert in safari 4 and windows xp

  Hello there,
  in our company wi have an self signed certificate for testing purposes. over an automatic testing cenario will be tested an application with various browsers. safari under windows brings now an problem and does not accept the self signed cert. the running steps terminating at this point. importing in windows cert store is not helpful.
  has any one an solution to make this cert working with safari and windows? or exist an solution to disable the cert check in safari it self.
  thanks
  greetings
  vito21

  Hello Mick,
  sorry to be late, but may help someone other :)
  Setting:
  NumberFormat currencyFormat = NumberFormat.getCurrencyInstance();and:
  String value = currencyFormat.format(valToDisplay);you can now use value in any component and its view is correct.
  For some objects like files you also need to set the right charset (i.e. the one support the symbol you need).
  For the euro symbol try "windows-1250" as charset.
  Bye

• Import SSL cert into OC4J for remote server

  i have Java code within a JSP that creates a secure URLConnection from within my OC4J container to another local server. this code works just fine when run as a rich application from JDeveloper, but when run from within the OC4J container it throws the following error:
  javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Couldn't find trusted certificate
  i have a deadline looming for Monday (June 19th) that requires this communication. what is the supported mechanism for enabling the OC4J instance to connect with Java code via SSL to another server? i know one usually uses the JSSE keystore, but from the OC4J documentation i've seen, it looks like you're supposed to use the Oracle Wallet instead, but i need verification... can anyone help regardring enabling my Java code to communicate with another local SSL server from within my OC4J instance?

  you need to add the cert to your jvm's keystore
  something like this
  http://www-10.lotus.com/ldd/lcwiki.nsf/xpDocViewer.xsp?lookupName=IBM+Connections+Mail+1.3 +documentation#action=openDocument&res_title=Importing_SSL_certificatesicm13&content=pdcon tent
  dont worry its about domino, bottom line its importing a msexchange cert into a java keystore. I use portacle ( http://portecle.sourceforge.net/ ) for managing my java keystores
  edit: I use JUST portacle to import they certs, no need to bother with command line, i left it here for the sake of completeness

• Import Exchange cert into JVM for CF10

  Hello, everyone.
  I'm trying to learn the CFEXCHANGECONNECTION and CFEXCHANGECONTACT tags, and I'm having a bit of an issue.
  When I first started playing around with it, I was getting error messages that the connection couldn't be formed because the Exchange server only accepts https connections, so I set the protocol to https.
  Then I was getting an error message regarding the "cert not installed in CF server", so I managed to get a copy of the SSL cert (DER format .cer file) and followed instructions on how to import it into the JVM that CF uses.
  I'm still getting the error saying that the cert isn't installed in CF server.  Any suggestions?
  V/r,
  ^_^

  you need to add the cert to your jvm's keystore
  something like this
  http://www-10.lotus.com/ldd/lcwiki.nsf/xpDocViewer.xsp?lookupName=IBM+Connections+Mail+1.3 +documentation#action=openDocument&res_title=Importing_SSL_certificatesicm13&content=pdcon tent
  dont worry its about domino, bottom line its importing a msexchange cert into a java keystore. I use portacle ( http://portecle.sourceforge.net/ ) for managing my java keystores
  edit: I use JUST portacle to import they certs, no need to bother with command line, i left it here for the sake of completeness