Adding an intermediate certificates to a pkcs12 file
Adding an intermediate certificates to a pkcs12 file ...
Here's how I do it on my web and mail servers.
First, www-example-com.crt
is the web server cert signed by Startcom. Startcom offers free Class 1 certificates trusted my most browsers and mobile devices, so I use them. The certificate is in PEM format (----- BEGIN CERT -----
and ----- END CERT -----
).
Second, I open www-example-com.crt
and append Startcom's Class 1 Intermediate. I get the intermediate from Startcom's Index of /certs. Now my www-example-com.crt
has two PEM encoded encoded certs in it.
Third, I perform the following to create a PKCS12/PFX file for use in IIS.
openssl pkcs12 -export -in www-example-com.crt -inkey www.example.key -out www-example-com.p12
In your case, your www-example-com.crt
will have at least three PEM encoded certificates in it:
----- BEGIN CERT -----
< My JBoss Certificate >
----- END CERT -----
----- BEGIN CERT -----
< My Issuing CA >
----- END CERT -----
----- BEGIN CERT -----
< My CA >
----- END CERT -----
The third cert in the chain - My CA
- is optional. You don't need it if your clients use My CA
as a trust anchor. If you're clients use Entrust
as a trust anchor, then you will need to include it.
If you cat
your www-example-com.crt
and it does NOT have multiple certificates, then do not continue. Don't perform openssl pkcs12
until your server cert has all the required intermediate certificates required to verify the chain.
Do not include the Entrust CA certificate.
I doubt Entrust signs with their CA directly. They probably use an intermediate, too. So your cert chain should probably look like:
----- BEGIN CERT -----
< My JBoss Certificate >
----- END CERT -----
----- BEGIN CERT -----
< My Issuing CA >
----- END CERT -----
----- BEGIN CERT -----
< My CA >
----- END CERT -----
----- BEGIN CERT -----
< Entrust Intermediate >
----- END CERT -----
Entrusts provides their CA and Intermediate certificates at Entrust Root Certificates. I can't tell you which one you need because you won't provide a URL or show us the chain you have. But I'm guessing its going to be one or more of:
- Entrust L1E Chain Certificate
- Entrust L1C Chain Certificate
- Entrust L1E Chain Certificate (SHA2)
- Entrust L1C Chain Certificate (SHA2)
You can test your chain with OpenSSL's `s_client. This time, you will use Entrust's certifcate:
echo -e "GET / HTTP/1.0\r\n" | openssl s_client -connect myserver:8443 \
-CAfile entrust-ca.pem
You can get entrust-ca.pem
from Entrust Root Certificates. Run it and tell us what errors you get. Or better, post the URL to your server so we can see what's going on.