1 Reply. Latest reply: Mar 12, 2013 9:51 AM by MarianoP76

    What should be the correct order of certificates in a keystore?

    996329
      Hello,

      We are trying to set the identity and trust keystores. The error we get now is 'Invalid identity certificate signature'. However, the server is running fine; we only see this error in the log. We need this to work for a 2-way SSL connection between Weblogic and a webservice.

      For the trust keystore I just used the default Java cacerts keystore and added the public key of our client (and trusted it).
      For the identity keystore we started off with a pfx file (using a wildcard certificate). I followed the steps of this url: http://www.digicert.com/ssl-support/jks-import-export-java.htm
      If I check the keystore it also looks ok; I see a chain length of 5 certificates (when I check the certificate in the browser it has only a chain of 3 certificates, but the chain in the keystore also looks fine):

      [Cer1]
      Owner: CN=*.ortec-finance.com
      Issuer: CN=COMODO High Assurance Secure Server CA

      [Cer2]
      Owner: CN=AddTrust External CA Root
      Issuer: CN=AddTrust External CA Root

      [Cer3]
      Owner: CN=UTN - DATACorp SGC
      Issuer: CN=AddTrust External CA Root

      [Cer4]
      Owner: CN=COMODO Certification Authority
      Issuer: CN=UTN - DATACorp SGC

      [Cer5]
      Owner: CN=COMODO High Assurance Secure Server CA
      Issuer: CN=COMODO Certification Authority

      The thread https://cn.forums.oracle.com/forums/thread.jspa?threadID=2363523 shows that this has to do with the order of the keystore. Could it be that?
      What should be the correct order of the certificates?
        • 1. Re: What should be the correct order of certificates in a keystore?
          MarianoP76
          The correct order should be the one with Cer(i+1) owner = Cer(i) issuer:

          [Cer1]
          Owner: CN=*.ortec-finance.com
          Issuer: CN=COMODO High Assurance Secure Server CA

          [Cer2]
          Owner: CN=COMODO High Assurance Secure Server CA
          Issuer: CN=COMODO Certification Authority

          [Cer3]
          Owner: CN=COMODO Certification Authority
          Issuer: CN=UTN - DATACorp SGC

          [Cer4]
          Owner: CN=UTN - DATACorp SGC
          Issuer: CN=AddTrust External CA Root

          [Cer5]
          Owner: CN=AddTrust External CA Root
          Issuer: CN=AddTrust External CA Root
          Bye

          Mariano

          Edited by: MarianoP76 on 12-mar-2013 15.51
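Added example, not code from either poster: a small Python check that applies the rule in the reply, Cer(i+1) owner = Cer(i) issuer, to the (owner, issuer) pairs from the question's keystore listing, reports whether a listing is already in chain order, and reorders it leaf to root. The list `KEYSTORE_LISTING` is constructed from the question, and the function names are my own.

```python
from typing import Dict, List, Set, Tuple

# (owner, issuer) pairs, constructed from the keystore listing in the question,
# in the order the poster saw them (leaf first, then root, then intermediates).
Cert = Tuple[str, str]
KEYSTORE_LISTING: List[Cert] = [
    ("CN=*.ortec-finance.com", "CN=COMODO High Assurance Secure Server CA"),
    ("CN=AddTrust External CA Root", "CN=AddTrust External CA Root"),
    ("CN=UTN - DATACorp SGC", "CN=AddTrust External CA Root"),
    ("CN=COMODO Certification Authority", "CN=UTN - DATACorp SGC"),
    ("CN=COMODO High Assurance Secure Server CA", "CN=COMODO Certification Authority"),
]


def is_ordered_chain(chain: List[Cert]) -> bool:
    """True if every certificate's issuer is the owner of the next one
    and the last certificate is a self-signed root."""
    if not chain:
        return False
    for (_, issuer), (next_owner, _) in zip(chain, chain[1:]):
        if issuer != next_owner:
            return False
    last_owner, last_issuer = chain[-1]
    return last_owner == last_issuer


def order_chain(certs: List[Cert], leaf_owner: str) -> List[Cert]:
    """Rebuild the leaf-to-root chain from an unordered set of certificates.

    Raises ValueError when an issuer is missing from the set, when an owner
    appears twice, or when the issuer links form a cycle without a root."""
    by_owner: Dict[str, Cert] = {}
    for owner, issuer in certs:
        if owner in by_owner:
            raise ValueError(f"duplicate owner in listing: {owner}")
        by_owner[owner] = (owner, issuer)

    chain: List[Cert] = []
    seen: Set[str] = set()
    owner = leaf_owner
    while True:
        if owner in seen:
            raise ValueError(f"issuer links form a cycle at {owner}")
        seen.add(owner)
        cert = by_owner.get(owner)
        if cert is None:
            raise ValueError(f"no certificate in listing for issuer {owner}")
        chain.append(cert)
        if cert[0] == cert[1]:  # self-signed root ends the chain
            return chain
        owner = cert[1]  # follow the issuer link to the next certificate
```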