Create a p12 file with a Verisign Certificate and a Verisign Intermediate Certificate

Create a p12 file with a Verisign Certificate and a Verisign Intermediate Certificate

Meurer, Jerry L. (EHQ)

I'm getting an error attempting to create a p12 file using OpenSSL.  I can't seem to find anything that will lead me to a resolution.  The error I'm getting is:

"unable to get local issuer certificate getting chain"

My setup is on a Windows server using Tomcat, with Apache. Apache listening on 80, and redirects to 8080 where the application lives.

What I did [hope this is not too detailed]:
- 2 years ago we purchased and downloaded an SSL cert from Verisign and named it server.crt.
- Downloaded the Intermediate cert (chain).
- Created an additional single file with the Intermediate cert, then the SSL cert below that text (concatenated the files with the intermediate on top), saved it as a separate file called cachain.crt.

- Ran the command:
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name tomcat -CAfile cachain.crt -caname root -chain

- This gave me the server.p12 file that is being used right now.  This expires in 12 days :(

Now:
- I gave our midrange team (who have the account with Verisign) a copy of the server.key file from my web server (from last year), they created a cert.csr file, sent it to Verisign

- Sent me back a zip file that contained a cert.arm file (not familiar with an ARM file, but the text within is the certificate), cert.csr, and the server.key file

- I downloaded a new Intermediate CA (Managed PKI Standard SSL Intermediate CA.txt) and created a file called cachain.crt (concatenated the files with the intermediate on top and the certificate below).

Issue:
- I've been attempting to create a server.p12 file using my notes from last year.  Installed OpenSSL under c:\openssl

- Copied all of the files to c:\openssl\bin

Issue the command:
C:\OpenSSL\bin>openssl pkcs12 -export -in cert.crt -inkey server.key -out server.p12 -name tomcat -CAfile cachain2.crt -caname root -chain
Loading 'screen' into random state - done
Error unable to get local issuer certificate getting chain.


Viewed all of the files using Textpad to ensure Notepad didn't add any funky characters, and also reproduced the same error on my second PC.

A tip from another mail archive led me to run the following, and I'm not sure if the problem is here?

Current "arm" file, and intermediate chain:
openssl x509 -in cert.arm -issuer -noout
issuer= /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA

openssl x509 -in chain.crt -issuer -noout
issuer= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

Here's what it shows on the production files that are working fine (but due to expire soon).
Old crt file and chain (that is in production now)
C:\OpenSSL\GnuWin32\bin>openssl x509 -in chain_old.crt -issuer -noout
issuer= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority


openssl x509 -in cert_old.crt -issuer -noout
issuer= /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign

There is also the possibility that there is something wrong with the cert, but I just don't know.  My midrange friends are on vacation for a while, so I'm on my own.  Please help if you can.

Thank you.



******* Confidentiality Notice *******
This email, its electronic document attachments, and the contents of its website linkages may contain confidential health information. This information is intended solely for use by the individual or entity to whom it is addressed. If you have received this information in error, please notify the sender immediately and arrange for the prompt destruction of the material and any accompanying attachments.


Re: Create a p12 file with a Verisign Certificate and a Verisign Intermediate Certificate

Dr. Stephen Henson
On Fri, Jan 11, 2008, Meurer, Jerry L. (STL) wrote:

> I'm getting an error attempting to create a p12 file using OpenSSL.  I
> can't seem to find anything that will lead me to a resolution.  The
> error I'm getting is:
> "unable to get local issuer certificate getting chain"
>
> My setup is on a Windows server using Tomcat, with Apache. Apache
> listening on 80, and redirects to 8080 where the application lives.
>
> What I did [hope this is not too detailed]:
> - 2 years ago we purchased and downloaded an SSL cert from Verisign and
> named it server.crt,
> - Downloaded the Intermediate cert (chain).  
> - Created an additional single file with the Intermediate cert, then the
> SSL cert below that text (concatenated the files with the intermediate
> on top), saved it as separate file called cachain.crt.
> - Ran the command:
> openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12
> -name tomcat -CAfile cachain.crt -caname root -chain
> - This gave me the server.p12 file that is being used right now.  This
> expires in 12 days :(
>
> Now:
> - I gave our midrange team (who have the account with Verisign) a copy
> of the server.key file from my web server (from last year), they created
> a cert.csr file, sent it to Verisign
> - Sent me back a zip file that contained a cert.arm file (not familiar
> with an ARM file, but the text within is the certificate) cert.csr, and
> the server.key file
> - I downloaded a new Intermediate CA (Managed PKI Standard SSL
> Intermediate CA.txt) and created a file called cachain.crt (concatenated
> the files with the intermediate on top and the certificate below).
>
> Issue:
> - I've been attempting to create a server.p12 file using my notes from
> last year.  Installed OpenSSL under c:\openssl
>
> -Copied all of the files to c:\openssl\bin
>
> Issue the command:
> C:\OpenSSL\bin>openssl pkcs12 -export -in cert.crt -inkey server.key -out server.p12 -name tomcat -CAfile cachain2.crt -caname root -chain
> Loading 'screen' into random state - done
> Error unable to get local issuer certificate getting chain.
>
>
> Viewed all of the files using Textpad to ensure Notepad didn't add any
> funky characters, and also reproduced the same error on my second PC.
>
> A tip from another mail archive led me to run the following, and I'm not
> sure if the problem is here?
>
> Current "arm" file, and intermediate chain:
> openssl x509 -in cert.arm -issuer -noout
> issuer= /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
>
> openssl x509 -in chain.crt -issuer -noout
> issuer= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
> Authority
>
> Here's what it shows on the production files that are working fine (but
> due to expire soon).
> Old crt file and chain (that is in production now)
> C:\OpenSSL\GnuWin32\bin>openssl x509 -in chain_old.crt -issuer -noout
> issuer= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
> Authority
>
>
> openssl x509 -in cert_old.crt -issuer -noout
> issuer= /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
>
> There is also the possibility that there is something wrong with the
> cert, but I just don't know.  My midrange friends are on vacation for a
> while, so I'm on my own.  Please help if you can.
> Thank you.
>
>

I suspect there were two certificates in the chain before and now there are
three, or the previous intermediate file included all CA certificates and now
only includes the intermediate and not the root.

See how many certificates are in the two chain.crt files.

Then do:

openssl x509 -subject -issuer -in chain.crt

on each. The solution I suspect is to append the root CA file to the chain.crt
file. This is probably the file certs/vsign3.pem in the OpenSSL distribution.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

RE: Create a p12 file with a Verisign Certificate and a Verisign Intermediate Certificate

Meurer, Jerry L. (EHQ)
Got this working and thank you.  Got some help from people smarter than
I, and here are the steps we took to create the keystore needed to make
this setup work. If anyone finds this thread and wants to know how it
was fixed, here are the steps we used:

1. Convert the certificate to a pkcs12 format using openssl:

openssl pkcs12 -export -in example.crt -inkey example.key -out keystore.pkcs12

2. Make sure that you have the JAVA Development Kit installed on the box

java -version

3. Download the Jetty tool from the following web site:

http://jetty.mortbay.org/

  3a. Unzip it to your working folder.

  3b. Run the following command to convert the pkcs12 file to a JKS format:

java -classpath jetty-6.1.3/lib/jetty-6.1.3.jar org.mortbay.jetty.security.PKCS12Import keystore.pkcs12 keystore.jks
Enter input keystore passphrase: CantGuess
Enter output keystore passphrase: CantGuess
Alias 0: 1
Adding key for alias 1

4. Validate that you can read the jks file:

keytool -list -v -keystore keystore.jks

Done.

-----Original Message-----
From: [hidden email]
[mailto:[hidden email]] On Behalf Of Dr. Stephen Henson
Sent: Friday, January 11, 2008 4:13 PM
To: [hidden email]
Subject: Re: Create a p12 file with a Verisign Certificate and a
Verisign Intermediate Certificate

I suspect there were two certificates in the chain before and now there
are three, or the previous intermediate file included all CA certificates
and now only includes the intermediate and not the root.

See how many certificates are in the two chain.crt files.

Then do:

openssl x509 -subject -issuer -in chain.crt

on each. The solution I suspect is to append the root CA file to the
chain.crt file. This is probably the file certs/vsign3.pem in the
OpenSSL distribution.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL
project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: Create a p12 file with a Verisign Certificate and a Verisign Intermediate Certificate

juliusdavies
Hi,

If I may toot my horn....

If you use "not-yet-commons-ssl.jar" from
http://juliusdavies.ca/commons-ssl/  you can skip step #1.  It will
convert to java keystore directly from the OpenSSL files.  It password
protects the keystore with the same password as the private key.

Assumptions for example below:
1. password to decrypt private key is = "changeit" and private key is
in "example.key"
2. server-chain (can be single self-signed cert) is in "server.crt".

-------------------
$ java -cp not-yet-commons-ssl-0.3.9.jar org.apache.commons.ssl.KeyStoreBuilder changeit example.key server.crt
Successfuly wrote: [demo_certificate.jks]


It extracts the CN and uses that to name the "jks" file.  If we then
analyze the results using the "org.apache.commons.ssl.KeyMaterial"
utility, we can see that "CN=demo_certificate," among other
interesting facts.


$ java -cp not-yet-commons-ssl-0.3.9.jar org.apache.commons.ssl.KeyMaterial changeit demo_certificate.jks
Alias: demo_certificate
demo_certificate
Valid: 2006/Nov/05 - 2007/Nov/05
s: EMAILADDRESS=[hidden email], CN=demo_certificate,
OU=commons_ssl, O=www.cucbc.com, L=Vancouver, ST=BC, C=CA
i: EMAILADDRESS=[hidden email], CN=demo_intermediate_ca,
OU=commons_ssl, O=www.cucbc.com, L=Vancouver, ST=BC, C=CA


yours,

Julius




On Jan 17, 2008 2:25 PM, Meurer, Jerry L. (EHQ)
<[hidden email]> wrote:

> Got this working and thank you.  Got some help from people smarter than
> I, and here are the steps we took to create the keystore needed to make
> this setup work. If anyone finds this thread and wants to know how it
> was fixed, here are the steps we used:
>
> 1. Convert the certificate to a pkcs12 format using openssl:
>
> openssl pkcs12 -export -in example.crt -inkey example.key -out keystore.pkcs12
>
> 2. Make sure that you have the JAVA Development Kit installed on the box
>
> java -version
>
> 3. Download the Jetty tool from the following web site:
>
> http://jetty.mortbay.org/
>
>   3a. Unzip it to your working folder.
>
>   3b. Run the following command to convert the pkcs12 file to a JKS
> format:
>
> java -classpath jetty-6.1.3/lib/jetty-6.1.3.jar org.mortbay.jetty.security.PKCS12Import keystore.pkcs12 keystore.jks
> Enter input keystore passphrase: CantGuess
> Enter output keystore passphrase: CantGuess
> Alias 0: 1
> Adding key for alias 1
>
> 4. Validate that you can read the jks file:
>
> keytool -list -v -keystore keystore.jks
>
> Done.
>



--
yours,

Julius Davies
250-592-2284 (Home)
250-893-4579 (Mobile)
http://juliusdavies.ca/