1 Reply Latest reply: Mar 12, 2013 7:51 AM by MarianoP76

What should be the correct order of certificates in a keystore?

996329 Newbie
Hello,

We are trying to set the identity and trust keystores. The error we get now is 'Invalid identity certificate signature'. However, the server is running fine; we only see this error in the log. We need this to work for a 2-way SSL connection between Weblogic and a webservice.

For the trust keystore I just use the default java cacert keystore and added the public key of our client (and trusted it).
For the identity keystore we started off with a pfx file (using a wildcard certificate). I followed the steps of this url: http://www.digicert.com/ssl-support/jks-import-export-java.htm
If I check the keystore it also looks ok; I see a chain length of 5 certificates (when I check the certificate in the browser it has only a chain of 3 certificates, but the chain in the keystore also looks fine):

[Cer1]
Owner: CN=*.ortec-finance.com
Issuer: CN=COMODO High Assurance Secure Server CA

[Cer2]
Owner: CN=AddTrust External CA Root
Issuer: CN=AddTrust External CA Root

[Cer3]
Owner: CN=UTN - DATACorp SGC
Issuer: CN=AddTrust External CA Root

[Cer4]
Owner: CN=COMODO Certification Authority
Issuer: CN=UTN - DATACorp SGC

[Cer5]
Owner: CN=COMODO High Assurance Secure Server CA
Issuer: CN=COMODO Certification Authority

In the thread https://cn.forums.oracle.com/forums/thread.jspa?threadID=2363523 it shows that this has to do with the order of the keystore. Could it be that?
What should be the correct order of the certificates?
  • 1. Re: What should be the correct order of certificates in a keystore?
    MarianoP76 Newbie
    The correct order should be the one with Cer(i+1) owner = Cer(i) issuer:

    [Cer1]
    Owner: CN=*.ortec-finance.com
    Issuer: CN=COMODO High Assurance Secure Server CA

    [Cer2]
    Owner: CN=COMODO High Assurance Secure Server CA
    Issuer: CN=COMODO Certification Authority

    [Cer3]
    Owner: CN=COMODO Certification Authority
    Issuer: CN=UTN - DATACorp SGC

    [Cer4]
    Owner: CN=UTN - DATACorp SGC
    Issuer: CN=AddTrust External CA Root

    [Cer5]
    Owner: CN=AddTrust External CA Root
    Issuer: CN=AddTrust External CA Root


    Bye

    Mariano

    Edited by: MarianoP76 on 12-mar-2013 15.51
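The ordering rule in the reply (Cer(i+1) owner = Cer(i) issuer, leaf first, self-signed root last) can be checked mechanically before touching the keystore. The script below is an added example, not code from the original thread or from Oracle; it takes the Owner/Issuer lines as printed by `keytool -list -v`, reports where the chain is out of order, and rebuilds the leaf-to-root order by following issuer names. The sample input is the unordered chain from the question, embedded as a constructed string. It only compares names; it does not verify signatures, so a chain that orders correctly here can still fail at the server if an intermediate is the wrong certificate for that name.

```python
"""Check and reorder a certificate chain by Owner/Issuer names.

Rule (from the reply above): Cer(i).Issuer must equal Cer(i+1).Owner,
the leaf comes first and the self-signed root comes last.
Input format: the "Owner:" / "Issuer:" lines of `keytool -list -v`.
"""
import re

# Constructed sample: the unordered chain as listed in the question.
UNORDERED = """
[Cer1]
Owner: CN=*.ortec-finance.com
Issuer: CN=COMODO High Assurance Secure Server CA

[Cer2]
Owner: CN=AddTrust External CA Root
Issuer: CN=AddTrust External CA Root

[Cer3]
Owner: CN=UTN - DATACorp SGC
Issuer: CN=AddTrust External CA Root

[Cer4]
Owner: CN=COMODO Certification Authority
Issuer: CN=UTN - DATACorp SGC

[Cer5]
Owner: CN=COMODO High Assurance Secure Server CA
Issuer: CN=COMODO Certification Authority
"""


def parse_chain(text):
    """Return (owner, issuer) tuples in listing order; other keytool lines are ignored."""
    owners = re.findall(r"^\s*Owner:\s*(.+?)\s*$", text, re.M)
    issuers = re.findall(r"^\s*Issuer:\s*(.+?)\s*$", text, re.M)
    if len(owners) != len(issuers):
        raise ValueError("every entry needs both an Owner and an Issuer line")
    return list(zip(owners, issuers))


def chain_errors(chain):
    """Describe each place where the leaf-to-root rule is violated."""
    errors = []
    for i in range(len(chain) - 1):
        if chain[i][1] != chain[i + 1][0]:
            errors.append(
                f"Cer{i + 1} issuer '{chain[i][1]}' != Cer{i + 2} owner '{chain[i + 1][0]}'"
            )
    if chain and chain[-1][0] != chain[-1][1]:
        errors.append("last certificate is not self-signed, so it is not the root")
    return errors


def order_chain(certs, leaf_owner=None):
    """Rebuild the chain leaf-first by following each certificate's issuer name."""
    by_owner = {owner: (owner, issuer) for owner, issuer in certs}
    if len(by_owner) != len(certs):
        raise ValueError("duplicate owner names; cannot order by name alone")
    if leaf_owner is None:
        # The leaf is the one certificate nobody else names as its issuer.
        issued = {issuer for owner, issuer in certs if owner != issuer}
        leaves = [owner for owner, _ in certs if owner not in issued]
        if len(leaves) != 1:
            raise ValueError(f"expected exactly one leaf certificate, found {leaves}")
        leaf_owner = leaves[0]
    ordered, seen = [], set()
    current = by_owner[leaf_owner]
    while True:
        if current[0] in seen:
            raise ValueError("issuer links form a cycle")
        seen.add(current[0])
        ordered.append(current)
        if current[0] == current[1]:
            break  # reached the self-signed root
        nxt = by_owner.get(current[1])
        if nxt is None:
            raise ValueError(f"issuer '{current[1]}' is missing from the keystore")
        current = nxt
    leftover = [owner for owner, _ in certs if owner not in seen]
    if leftover:
        raise ValueError(f"certificates that are not part of the chain: {leftover}")
    return ordered


if __name__ == "__main__":
    chain = parse_chain(UNORDERED)
    for err in chain_errors(chain):
        print("out of order:", err)
    for i, (owner, issuer) in enumerate(order_chain(chain), 1):
        print(f"[Cer{i}] Owner: {owner} | Issuer: {issuer}")
```

Run against the output of `keytool -list -v -keystore identity.jks` (the `keytool` command is real; the keystore name is a placeholder) to see whether the chain stored under the private-key alias already follows the rule; if `chain_errors` reports anything, rebuild the PKCS#12/JKS entry in the order `order_chain` prints rather than relying on the import order of the individual certificates.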
