Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
0 votes
592 views
in Technique[技术] by (71.8m points)

openssl - Adding an intermediate certificates to a pkcs12 file

I have a certificate that has the following chain of certification: Entrust->My CA->My Issuing CA->My JBoss Certificate. Now, if I install my certificate on my JBoss instance, any page I access running on this instance will appear untrusted as My Issuing CA is not recognized by my browser. I know that my computer has the public key for the Entrust signing authority. How can I install my certificate so that any browser can see the entire certificate chain?

I made a single .pem file of all of the certificates thinking that would work. It did not. Can anyone explain what I am doing wrong or even if this is possible?


1 Reply

0 votes
by (71.8m points)


Here's how I do it on my web and mail servers.

First, www-example-com.crt is the web server cert signed by Startcom. Startcom offers free Class 1 certificates trusted by most browsers and mobile devices, so I use them. The certificate is in PEM format (----- BEGIN CERT ----- and ----- END CERT -----).

Second, I open www-example-com.crt and append Startcom's Class 1 Intermediate. I get the intermediate from Startcom's Index of /certs. Now my www-example-com.crt has two PEM encoded certs in it.

Third, I perform the following to create a PKCS12/PFX file for use in IIS.

openssl pkcs12 -export -in www-example-com.crt -inkey www.example.key -out www-example-com.p12

In your case, your www-example-com.crt will have at least three PEM encoded certificates in it:

----- BEGIN CERT -----
< My JBoss Certificate >
----- END CERT -----

----- BEGIN CERT -----
< My Issuing CA >
----- END CERT -----

----- BEGIN CERT -----
< My CA >
----- END CERT -----

The third cert in the chain - My CA - is optional. You don't need it if your clients use My CA as a trust anchor. If your clients use Entrust as a trust anchor, then you will need to include it.

If you cat your www-example-com.crt and it does NOT have multiple certificates, then do not continue. Don't perform openssl pkcs12 until your server cert has all the intermediate certificates required to verify the chain.

Do not include the Entrust CA certificate.


I doubt Entrust signs with their CA directly. They probably use an intermediate, too. So your cert chain should probably look like:

----- BEGIN CERT -----
< My JBoss Certificate >
----- END CERT -----

----- BEGIN CERT -----
< My Issuing CA >
----- END CERT -----

----- BEGIN CERT -----
< My CA >
----- END CERT -----

----- BEGIN CERT -----
< Entrust Intermediate >
----- END CERT -----

Entrust provides their CA and Intermediate certificates at Entrust Root Certificates. I can't tell you which one you need because you won't provide a URL or show us the chain you have. But I'm guessing it's going to be one or more of:

  • Entrust L1E Chain Certificate
  • Entrust L1C Chain Certificate
  • Entrust L1E Chain Certificate (SHA2)
  • Entrust L1C Chain Certificate (SHA2)

You can test your chain with OpenSSL's s_client. This time, you will use Entrust's certificate:

echo -e "GET / HTTP/1.0\r\n" | openssl s_client -connect myserver:8443 -CAfile entrust-ca.pem

You can get entrust-ca.pem from Entrust Root Certificates. Run it and tell us what errors you get. Or better, post the URL to your server so we can see what's going on.
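The bundle-then-export procedure from the answer, run end to end, as an added example that is not from the answer or from the site: it generates a throwaway root -> issuing CA -> server chain with OpenSSL (all names and the "changeit" password are constructed), bundles the leaf with its intermediate, refuses to export unless the bundle holds more than one certificate and verifies up to the root, then exports the PKCS#12 and counts the certificates that come back out of it. It assumes an openssl binary (1.1.1 or newer) on PATH.

```sh
#!/bin/sh
# Added example, not from the answer: builds a throwaway root -> issuing CA ->
# server chain with OpenSSL, follows the answer's steps (bundle the leaf with its
# intermediate, export PKCS#12), then checks what actually landed in the .p12.
# All names and the "changeit" password are constructed for this example.
set -e
# Build the three-tier test chain in directory $1.
build_test_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    # Self-signed root: plays the trust anchor (Entrust / "My CA" in the question)
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Root" \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    # Issuing CA signed by the root ("My Issuing CA")
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
        -keyout "$d/issuing.key" -out "$d/issuing.csr" 2>/dev/null
    openssl x509 -req -in "$d/issuing.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/issuing.crt" 2>/dev/null
    # Server certificate signed by the issuing CA ("My JBoss Certificate")
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
        -keyout "$d/www.example.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/issuing.crt" -CAkey "$d/issuing.key" \
        -CAcreateserial -days 2 -out "$d/leaf.crt" 2>/dev/null
}
# Number of PEM certificates in a file: the "cat your .crt" check from the answer.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }
# Bundle leaf + intermediate (leaf first), confirm the bundle verifies up to the
# root, then export exactly as the answer does.
make_pkcs12() {
    d=$1
    cat "$d/leaf.crt" "$d/issuing.crt" > "$d/www-example-com.crt"
    # Do not continue unless the bundle really carries more than the leaf
    [ "$(count_certs "$d/www-example-com.crt")" -ge 2 ] || return 1
    openssl verify -CAfile "$d/root.crt" -untrusted "$d/issuing.crt" "$d/leaf.crt" >/dev/null
    openssl pkcs12 -export -in "$d/www-example-com.crt" -inkey "$d/www.example.key" \
        -out "$d/www-example-com.p12" -passout pass:changeit
}
# Dump the certificates back out of the .p12 and count them; leaf and
# intermediate must both be present or clients cannot build the chain.
count_p12_certs() {
    openssl pkcs12 -in "$1" -passin pass:changeit -nokeys -nodes 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}
WORK=$(mktemp -d)
build_test_chain "$WORK"
make_pkcs12 "$WORK"
echo "bundle: $(count_certs "$WORK/www-example-com.crt") certs, p12: $(count_p12_certs "$WORK/www-example-com.p12") certs"
```

If the final count is 1, the intermediate never made it into the bundle and the resulting .p12 will reproduce exactly the untrusted-page symptom described in the question.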

