2 Replies Latest reply on Jul 16, 2020 7:50 AM by happy10319

    Certificate chain is invalid

    happy10319

      Hi,

      We created a keystore:

      keytool -genkeypair -alias server_cert -keyalg RSA -keysize 2048 -keypass key123 -keystore identity.jks -storepass welcome1 -validity 3650

       

       

      Then we imported the valid certificates:

       

      keytool -importcert -alias root -file root.cer -keystore identity.jks -storepass welcome1

      Certificate was added to keystore.

       

      keytool -importcert -alias inter -file inter.cer -keystore identity.jks -storepass welcome1

      Certificate was added to keystore

       

      keytool -importcert -alias server -file server.cer -keystore identity.jks -storepass welcome1

       

      Certificate was added to keystore

       

      But:

       

      java utils.ValidateCertChain -jks server_cert identity.jks

      Cert[0]: CN=server.com ,OU=myorganizationalunit,O=myorganization,L=mycity,ST=mystate,C=FR

      CA cert not marked with critical BasicConstraint indicating it is a CA

      Certificate chain is invalid

       

       

      Thanks for the help.

        • 1. Re: Certificate chain is invalid
          Nik

          Hi.

          It looks like this issue: ValidateCertChain Command Gives Error "Certificate chain is invalid" (Doc ID 2330071.1)

           

          You should import the root certificate into the Oracle wallet.

           

          Regards,

             Nik.

          • 2. Re: Certificate chain is invalid
            happy10319

            Hi,

            Thank you.

            "You should import the root certificate into the Oracle wallet."

             

            In that note (Doc ID 2330071.1) it is said:

            =================================================================================

            Cause

            The ewallet.jks file is generated by converting a Oracle wallet to keystore using the below document.

            ====================================================================================

            But the keystore is created by:

            • keytool -genkeypair -alias server_cert -keyalg RSA -keysize 2048 -keypass key123 -keystore identity.jks -storepass welcome1 -validity 3650

            And not generated by converting an Oracle wallet.

             

             

            Best regards.