How to manually separate the server, intermediate, and root certificates from a single signed certificate
Summary: This article describes how to manually separate the server, intermediate, and root certificates from a single signed certificate in Windows or Linux.
When importing a signed certificate into the temporary keystore, it is important to import the full certificate chain. In order to validate that the website is secure and that the certificate has been signed by a trusted certificate authority, the browser must have access to the certificate chain. The "chain of trust" allows the browser to establish a trusted connection by providing the full path from the signed certificate to the root certificate. There may be one or more intermediate certificates in between as well.
All of the certificates connecting the signed server certificate to the root certificate make up the certificate chain. The chain is used to validate a secure connection (https) to the webserver based on it being issued from a trusted certificate authority. Without the full certificate chain, the browser will not be able to validate a secure connection.
Some certificate file types contain the signed server certificate, the intermediate certificates, and the root certificate in one file. In those cases, it may be possible to import the full chain at one time.
Typically those files are PKCS#12 (.pfx or .p12), which can store the server certificate, the intermediate certificate, and the private key in a single password-protected .pfx file. They can also be PKCS#7 (.p7b or .p7c), which contains only the certificates in the chain and no private keys. Certificates in PEM format (.pem, .crt, .cer, or .key) can include the server certificate, the intermediate certificate, and the private key in a single file; the server certificate and intermediate certificate can also be in separate .crt or .cer files, with the private key in a .key file.
You can check whether the full certificate chain is in one file by opening it in a text editor. Each certificate is contained between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. The private key is contained between the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- lines (a key stored in PKCS#8 form uses -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- instead). The private key block is not part of the chain and is never imported with the trustcacerts commands below.
If the file does not contain the full certificate chain, you may have to import each portion of the chain manually, from the root certificate to the server certificate. In some cases, the customer can get each of the intermediate certificates and the root certificate in separate files from the CA. Some CAs will provide the chain leading up to the server certificate in a separate file. In those cases, import each file into the temporary keystore (root first, then intermediate(s), then the server certificate) using the command below with a different alias for each:
keytool -import -trustcacerts -alias aliasname -keystore temp.keystore -file cert.file
Note: Change the alias and file names to match the alias and file names used when generating the CSR. Always use the alias root when importing the root CA certificate, and always use the alias that was used to generate the CSR when importing the server certificate. The aliases for the intermediate certificates are only identifiers and can be whatever you like, as long as each one is unique.
If the CA does not provide each of these files for you and you need to separate them manually into root, intermediate, and server certificates, you can do so in one of two ways.
In Windows: When you receive the signed certificate file, open it in Windows to see the path to the root certificate.
For the root certificate and any intermediate certificates, highlight each one (one at a time) and click View Certificate. From this window click View Details > Copy to File, choose the Base-64 encoded X.509 (.cer) format, and save each one. Make sure to label them so you can import them in order (e.g. root.cer, intermediate01.cer, emcdpa.cer). The root certificate will be the only one issued to itself by itself. For example:
Once you have saved each file, move them to dpa\services\_jre\bin on the application server. Use the following commands from dpa\services\_jre\bin to import the root certificate, any intermediate certificates, and the end (server) certificate. Note: These are the files you created in the last step, so be sure to change the file names and file paths as needed, as well as the keystore password, which must match the one used in this environment.
keytool -import -trustcacerts -alias root -keystore new.keystore -file root.cer
*It should ask you if this is a trusted root certificate; say yes (y) and hit Enter, then enter the password.
keytool -import -trustcacerts -alias intermediate01 -keystore new.keystore -file intermediate01.cer
keytool -import -trustcacerts -alias emcdpa -keystore new.keystore -file emcdpa.cer
Then, verify that the certificate was imported correctly using:
keytool -list -v -keystore new.keystore -storepass keystorepw
If it imported properly, you should see the full certificate chain here.
In Linux: Open the signed certificate file in a text editor. Identify each of the certificates by its -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
To separate each one into its own file, copy the contents of each, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines on either end. Paste the contents of each into a separate text file and label them based on the order in which they appear in the original signed certificate file. The first will be the server's signed certificate, the last will be the root certificate, and anything in between is an intermediate certificate.
In the example below, I've replaced the encoded content with a description of each certificate in the chain, in the order they appear in the file:
-----BEGIN CERTIFICATE-----
Issued To: webserver01.emc.com; Issued By: IntermediateCA-1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Issued To: IntermediateCA-1; Issued By: IntermediateCA-2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Issued To: IntermediateCA-2; Issued By: Root-CA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Issued To: Root-CA; Issued By: Root-CA
-----END CERTIFICATE-----
To save each, copy the entire encoded content, including the beginning and ending lines, into a separate text file and save it:
Root.cer would contain:
-----BEGIN CERTIFICATE-----
Issued To: Root-CA; Issued By: Root-CA
-----END CERTIFICATE-----
Intermediate02.cer would contain:
-----BEGIN CERTIFICATE-----
Issued To: IntermediateCA-2; Issued By: Root-CA
-----END CERTIFICATE-----
Intermediate01.cer would contain:
-----BEGIN CERTIFICATE-----
Issued To: IntermediateCA-1; Issued By: IntermediateCA-2
-----END CERTIFICATE-----
The signed webserver certificate would contain:
-----BEGIN CERTIFICATE-----
Issued To: webserver01.emc.com; Issued By: IntermediateCA-1
-----END CERTIFICATE-----
Then, import these into the temporary keystore using the following commands:
./keytool -import -trustcacerts -alias root -keystore new.keystore -file root.cer
*It should ask you if this is a trusted root certificate; say yes (y) and hit Enter, then enter the keystore password.
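The Linux copy-and-paste step above can be automated. The script below is an added example and is not part of the original article: it splits a combined PEM file into one certificate per file, numbered in the order they appear (cert01 = server certificate, highest number = root), and lists them in the root-first order the keytool imports need. The sample chain it works on is constructed with placeholder bodies in the article's own layout, plus a private key block that must not be copied; the file and function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): split a chain file into one certificate
# per file and list the files root first, ready for the keytool imports above.

# Constructed sample input in the article's layout (placeholder bodies), plus a
# private key block that must NOT be copied into any certificate file.
make_sample_chain() {
    cat > "$1" <<'EOF'
Bag Attributes
-----BEGIN CERTIFICATE-----
Issued To: webserver01.emc.com; Issued By: IntermediateCA-1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Issued To: IntermediateCA-1; Issued By: IntermediateCA-2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Issued To: IntermediateCA-2; Issued By: Root-CA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Issued To: Root-CA; Issued By: Root-CA
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
placeholder-key-material
-----END RSA PRIVATE KEY-----
EOF
}

# split_chain <chain.pem> <outdir>: copies each BEGIN..END CERTIFICATE block to
# <outdir>/certNN.cer and prints the count; key material and other text outside
# the markers (e.g. "Bag Attributes" lines from openssl pkcs12) is dropped.
split_chain() {
    mkdir -p "$2"
    n=$(awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; out = sprintf("%s/cert%02d.cer", dir, n); inside = 1 }
        inside { print > out }
        /^-----END CERTIFICATE-----$/ { inside = 0; close(out) }
        END { print n + 0 }' "$1")
    [ "$n" -ge 2 ] || { echo "expected at least server + root certificates, found $n" >&2; return 1; }
    echo "$n"
}

# import_order <outdir> <count>: the files root first, then the intermediates
# down the chain, then the server certificate (alias root for the first file,
# the CSR alias for the last, any unique alias for those in between).
import_order() {
    i="$2"
    while [ "$i" -ge 1 ]; do printf '%s/cert%02d.cer\n' "$1" "$i"; i=$((i - 1)); done
}

work=$(mktemp -d); make_sample_chain "$work/chain.pem"
count=$(split_chain "$work/chain.pem" "$work/split") && import_order "$work/split" "$count"
```

On real certificates, run openssl x509 -in FILE -noout -subject -issuer on each output file to confirm the ordering; the file whose subject equals its issuer is the root.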