keytool error: java.lang.Exception: Failed to establish chain from reply

Anonymous (unverified) submitted on 2019-12-03 02:06:01

Question:

Generate keystore:

keytool -genkey -alias tomcat -keyalg RSA -keystore my.keystore -keysize 2048 

Generate certificate signing request (CSR):

keytool -certreq -alias tomcat -keyalg RSA -file my.csr -keystore my.keystore 

I then go off to my hosting provider and get some certificates. These I installed as follows:

keytool -import -alias root -keystore my.keystore -trustcacerts -file gd_bundle-g2-g1.crt
keytool -import -alias intermed -keystore my.keystore -trustcacerts -file gdig2.crt
keytool -import -alias tomcat -keystore my.keystore -trustcacerts -file my.crt

When I installed the final certificate (my.crt) I got the following error:

keytool error: java.lang.Exception: Failed to establish chain from reply 

I believe I have imported the chain and in the correct order so I'm very confused by this message. Can anyone see what I'm doing wrong?

Answer 1:

I've just discovered that the files GoDaddy supplied with my certificate are both intermediate certificates (in fact they seem to both be the same intermediate certificate).

I got the correct root and intermediate certificates by double clicking on my certificate and looking at the certificate path... from here I could also download each of these certificates and use the steps used in the question to import them



Answer 2:

I struggled with the same problem for about two weeks until I found a way around it. The problem was that the root and intermediate certificates that came with my certificate from GoDaddy were not the ones I needed. I looked many times in GoDaddy's repository, unable to find the suitable certificates.

I viewed my certificate on my laptop (using Windows 8.1). There I saw the certificate chain, and I was able to export the root and intermediate certificates. Then I imported them to my keystore and it worked as it should.

To do this, follow these instructions:

  1. View your certificate on a computer running Windows. You will be able to see the certificate chain on the third tab that looks as the following image.

  2. Select the root certificate from the chain and click on the button "View Certificate".

  3. A new window opens, go to the second tab and click on the "Save File" button. This opens an export wizard for your certificate.
  4. When exporting, select the X.509 base 64 option and follow the instructions. Save the file.
  5. Repeat for the intermediate certificate.
  6. Upload both certificates to your server and import into the keystore following the order - first root, second intermediate and finally your certificate. [It's not necessary to import the root certificate]

NOTE: Before I imported those certificates, I had to delete the ones that were on my keystore and were not working. To do so, I used the following instructions:

keytool -delete -alias [root] -keystore [keystore file] 

If you are not sure what is inside your keytool, you can view by using:

keytool -list -keystore [keystore file] 
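
The chain check that the first two answers did by hand in the Windows certificate viewer can be scripted with the openssl command line before running keytool -import. This is an added example, not part of the original answers; it assumes openssl is installed, and the function names, file names and demo subjects are made up for illustration.

```bash
# Added example (not from the original answers). File names are placeholders.

# True when both PEM files contain the same certificate.
same_cert() {
  [ "$(openssl x509 -in "$1" -noout -fingerprint -sha256)" = \
    "$(openssl x509 -in "$2" -noout -fingerprint -sha256)" ]
}

# True when the issuer name of $1 equals the subject name of $2.
issued_by() {
  [ "$(openssl x509 -in "$1" -noout -issuer_hash)" = \
    "$(openssl x509 -in "$2" -noout -subject_hash)" ]
}

# check_chain LEAF INTERMEDIATE ROOT: prints a diagnosis, returns 0 only if
# the three files form leaf -> intermediate -> self-signed root.
check_chain() {
  if same_cert "$2" "$3"; then
    echo "duplicate: $2 and $3 are the same certificate"; return 1
  fi
  issued_by "$3" "$3" || { echo "not self-signed, so not a root: $3"; return 1; }
  issued_by "$2" "$3" || { echo "$2 was not issued by $3"; return 1; }
  issued_by "$1" "$2" || { echo "$1 was not issued by $2"; return 1; }
  # Names can match while signatures do not, so verify cryptographically too.
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1 \
    || { echo "signature verification failed"; return 1; }
  echo "chain ok: $1 <- $2 <- $3"
}

# Builds a constructed three-certificate chain in directory $1 for trying the check.
make_demo_chain() {
  d=$1; mkdir -p "$d"
  echo "basicConstraints=critical,CA:TRUE" > "$d/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
    -CAcreateserial -days 2 -out "$d/leaf.crt" 2>/dev/null
}
```

Against the files from the question this would be run as `check_chain my.crt gdig2.crt gd_bundle-g2-g1.crt`; `openssl x509` reads only the first certificate in a file, so a bundle holding several certificates has to be split first.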


Answer 3:

I got the same error when trying to import CA certified certificates into the keystore, in a Linux environment.

I followed a set of steps and imported it successfully.

After receiving CA certified certificates, use the following steps to import the certificates into the keystore.

step 1:

Import root certificate to cacerts which will be available at JAVA_HOME/jre/lib/security folder using following command:

keytool -importcert -alias root -file [root certificate] -keystore cacerts 

Once you enter the above command it will prompt for a password; enter the password and click on yes.

step 2:

Import root certificate using following command:

keytool -importcert -alias root -file [root certificate] -keystore [keystore file name] 

Once you enter the above command it will prompt for a password; enter the password and click on yes.

step 3:

Import intermediate certificate using following command :

keytool -importcert -alias intermediate -file [intermediate certificate] -keystore [key store file name] 

Once you enter the above command, it will prompt for replacing the already existing certificate; enter yes.

Note: the intermediate certificate is optional and can be ignored; it comes with the root certificate.

step 4:

Import site certificate using following command:

keytool -trustcacerts -importcert -alias [alias name which give during keystore creation] -file [site certificate] -keystore [key store file name] 

The environment in which these commands were executed is Java version 7. The certificates are issued by GODADDY.

For more information, refer to the site: http://docs.oracle.com/javase/7/docs/technotes/tools/windows/keytool.html#importCertCmd



Answer 4:

To resolve this issue, use an extra switch (-trustcacerts) in the keytool commands.

The command to import intermediate certificates from the intermediate.cer file to the certificates.ks keystore file should look like this:

keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -import -alias intermediate -trustcacerts -file intermediate.cer

The command to import the certificate from the http.cer file to the certificates.ks keystore file should look like this:

keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -import -alias http -trustcacerts -file http.cer

Re-attempt to complete the creation and importing process of a signed SSL Certificate.



Answer 5:

Download the certificate chain and open it on Windows; it stores the CA certificate and your certificate answer from the CA.

First import the CA cert to your keystore and then import the answer from the CA.



Answer 6:

The following step is very important before importing the certs into your local key store (after receiving the signed certs from the CA).

Import the root certificate to cacerts, which will be available at the JAVA_HOME/jre/lib/security folder, using the following command:

keytool -importcert -alias root -file [root certificate] -keystore cacerts

Once you enter the above command it will prompt for a password; enter the password and click on yes.


