Importing certificate chains and intermediate certificates
You might receive an error telling you that the certificate chain is missing when you try to import the certificate that you received from your CA. If you see this error, you must get the complete certificate chain and all of the intermediate certificates from your CA.
Importing a certificate chain
If you receive a certificate chain in a single file, the file must be in PKCS#7 format with the .p7b extension; for example, cert_name.p7b. Import the certificate chain by using the following command:
keytool -importcert -keystore $CATALINA_HOME/conf/keystore.p12 -trustcacerts -alias tomcat -keypass <truststore_password> -storepass <truststore_password> -file <certificatefilename> -storetype PKCS12 -providername JsafeJCE -keyalg RSA
- <truststore_password> — The password used to authenticate the truststore certificate. The default keystore password is internal4bmc.
- <certificatefilename> — The name of the certificate chain file; for example, cert_name.p7b
Importing intermediate certificates
If the complete chain is unavailable as a single file, you must import all of the intermediate certificates.
To import the intermediate certificates
- Get all of the intermediate CA certificates leading to the root.
For more information, see Getting-intermediate-CA-certificates.
- Import the intermediate certificates and the root certificate into keystore.p12 by using the following command. Start with the root certificate and then import all of the intermediate certificates.
keytool -v -importcert -trustcacerts -alias <UNIQUE_ALIAS> -keyalg RSA -keystore keystore.p12 -storepass <truststore_password> -storetype pkcs12 -providername JsafeJCE -file <intermediatecertfile>
- <truststore_password> — The password used to authenticate the truststore certificate. The default keystore password is internal4bmc.
- <intermediatecertfile> — The name of the intermediate certificate file; for example, cert_name.cer
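The root-first import order described above, as an added example that is not part of the vendor documentation: the script reads the subject and issuer of each CA certificate, orders the files from the root down, and prints the page's import command for each. It assumes PEM-encoded files and an installed openssl, the aliases root-ca and intermediate-ca-N are hypothetical, and ordering is by subject and issuer name only (no signature check).

```shell
#!/bin/sh

# Print "subject<TAB>issuer<TAB>file" per certificate. Assumes PEM input and openssl.
cert_records() {
  for f in "$@"; do
    s=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    i=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    printf '%s\t%s\t%s\n' "$s" "$i" "$f"
  done
}

# Read those records on stdin; print file names root first, then each
# intermediate in issuing order. Fails if the root or any link is missing.
order_chain() {
  awk -F '\t' '
    { subj[NR] = $1; iss[NR] = $2; file[NR] = $3 }
    END {
      for (k = 1; k <= NR; k++) if (subj[k] == iss[k]) { roots++; r = k }
      if (roots != 1) { print "error: need exactly one self-signed root, found " (roots + 0) > "/dev/stderr"; exit 1 }
      out = file[r]; cur = subj[r]; used[r] = 1
      for (placed = 1; placed < NR; placed++) {
        found = 0
        for (k = 1; k <= NR; k++)
          if (!(k in used) && iss[k] == cur) { found = k; break }
        if (!found) { print "error: chain incomplete, nothing issued by " cur > "/dev/stderr"; exit 1 }
        used[found] = 1; cur = subj[found]; out = out "\n" file[found]
      }
      print out
    }'
}

# Print one import command per certificate, in order, using the page's command.
# Aliases root-ca / intermediate-ca-N are hypothetical; any unique alias works.
import_commands() {
  ordered=$(order_chain) || return 1
  n=0
  printf '%s\n' "$ordered" | while IFS= read -r f; do
    if [ "$n" -eq 0 ]; then a=root-ca; else a="intermediate-ca-$n"; fi
    printf "keytool -v -importcert -trustcacerts -alias %s -keyalg RSA -keystore keystore.p12 -storepass '<truststore_password>' -storetype pkcs12 -providername JsafeJCE -file '%s'\n" "$a" "$f"
    n=$((n + 1))
  done
}

# Usage: sh order_chain.sh root.cer policy.cer issuing.cer (files in any order)
if [ "$#" -gt 0 ]; then cert_records "$@" | import_commands; fi
```

If the script reports an incomplete chain, an intermediate certificate is still missing and must be obtained from the CA before importing.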