Keytool SSL Problem

I tried to request a free SSL certificate from Comodo, and I received the following files:

Root CA Certificate - AddTrustExternalCARoot.crt
Intermediate CA Certificate - COMODORSAAddTrustCA.crt
Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
Your Free SSL Certificate - simple-soft_info.crt

Then I imported them into my keystore:

keytool -import -v -trustcacerts -alias root -file AddTrustExternalCARoot.crt -keystore IsisStore.jks
keytool -import -v -trustcacerts -alias intermed-2 -file COMODORSAAddTrustCA.crt -keystore IsisStore.jks
keytool -import -v -trustcacerts -alias intermed-1 -file COMODORSADomainValidationSecureServerCA.crt -keystore IsisStore.jks
keytool -import -v -trustcacerts -alias simple-soft.info -file simple-soft_info.crt -keystore IsisStore.jks

I get a “The connection was interrupted” error in the browser, and I don’t have this issue if I change to a keystore that contains a self-signed certificate (the browser only shows that the self-signed cert is not trusted).

I checked the knowledge base and it shows the following example:

keytool -import -trustcacerts -alias root -file (ROOT CERTIFICATE FILE NAME) -keystore domain.key
keytool -import -trustcacerts -alias intermed -file (INTERMEDIATE CA FILE NAME) -keystore domain.key
keytool -import -alias mydomain.com -keystore keystore.jks -trustcacerts -file mydomain.com.crt

I can’t follow this example because it only has one intermediate certificate.

Hi

Take a look at this article in the knowledge base.

https://support.comodo.com/index.php?/Knowledgebase/Article/View/299/17/some-useful-java-keytool-commands

Use the command to list all the certificates in the keystore.
Check if they are the correct ones.
If you think they are, post the list it creates in your next post.

Garry

You can follow the example because it just shows syntax. I suspect that when you generated your keystore, you didn’t give it an alias, therefore when installing your certificate into the keystore, you need to specify the alias of “mykey” instead of “simple-soft.info”. To double-check the alias on your certificate, run “keytool -v -list -keystore KEYSTORE_HERE” and look for the entry type of Private key.

Hi Guys,

Thanks for the reply.

I still cannot solve the problem, so I executed:

keytool.exe -list -v -keystore IsisStore.jks

Then I get:



Keystore type: JKS
Keystore provider: SUN

Your keystore contains 5 entries

Alias name: intermed-1
Creation date: Jun 11, 2014
Entry type: trustedCertEntry

Owner: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
Issuer: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
Serial number: 2766ee56eb49f38eabd770a2fc84de22
Valid from: Tue May 30 18:48:38 SGT 2000 until: Sat May 30 18:48:38 SGT 2020
Certificate fingerprints:
	 MD5:  1E:DA:F9:AE:99:CE:29:20:66:7D:0E:9A:8B:3F:8C:9C
	 SHA1: F5:AD:0B:CC:1A:D5:6C:D1:50:72:5B:1C:86:6C:30:AD:92:EF:21:B0
	 SHA256: 4F:32:D5:DC:00:F7:15:25:0A:BC:C4:86:51:1E:37:F5:01:A8:99:DE:B3:BF:7E:A8:AD:BB:D3:AE:F1:C4:12:DA
	 Signature algorithm name: SHA384withRSA
	 Version: 3

Extensions: 

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.usertrust.com
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: AD BD 98 7A 34 B4 26 F7   FA C4 26 54 EF 03 BD E0  ...z4.&...&T....
0010: 24 CB 54 1A                                        $.T.
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.usertrust.com/AddTrustExternalCARoot.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.5.29.32.0]
[]  ]
]

#6: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

#7: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: BB AF 7E 02 3D FA A6 F1   3C 84 8E AD EE 38 98 EC  ....=...<....8..
0010: D9 32 32 D4                                        .22.
]
]



*******************************************
*******************************************


Alias name: root
Creation date: Jun 11, 2014
Entry type: trustedCertEntry

Owner: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
Issuer: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
Serial number: 1
Valid from: Tue May 30 18:48:38 SGT 2000 until: Sat May 30 18:48:38 SGT 2020
Certificate fingerprints:
	 MD5:  1D:35:54:04:85:78:B0:3F:42:42:4D:BF:20:73:0A:3F
	 SHA1: 02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:68:85:18:68
	 SHA256: 68:7F:A4:51:38:22:78:FF:F0:C8:B1:1F:8D:43:D5:76:67:1C:6E:B2:BC:EA:B4:13:FB:83:D9:65:D0:6D:2F:F2
	 Signature algorithm name: SHA1withRSA
	 Version: 3

Extensions: 

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: AD BD 98 7A 34 B4 26 F7   FA C4 26 54 EF 03 BD E0  ...z4.&...&T....
0010: 24 CB 54 1A                                        $.T.
]
[CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE]
SerialNumber: [    01]
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: AD BD 98 7A 34 B4 26 F7   FA C4 26 54 EF 03 BD E0  ...z4.&...&T....
0010: 24 CB 54 1A                                        $.T.
]
]



*******************************************
*******************************************


Alias name: simple-soft.info
Creation date: Jun 11, 2014
Entry type: trustedCertEntry

Owner: CN=simple-soft.info, OU=Free SSL, OU=Domain Control Validated
Issuer: CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
Serial number: 14db8f1f9bb5820206544597f143f3a
Valid from: Mon Jun 09 08:00:00 SGT 2014 until: Mon Sep 08 07:59:59 SGT 2014
Certificate fingerprints:
	 MD5:  10:3B:54:24:68:8F:C1:05:48:09:AD:CC:60:D0:12:38
	 SHA1: BC:18:2B:AD:3C:7B:B2:4D:12:A8:8B:C2:6A:B8:3A:55:D0:E5:0D:8C
	 SHA256: 30:D0:51:57:EC:67:43:10:E5:10:C1:14:65:A9:B6:2F:27:F0:13:64:20:CE:9D:A4:98:FD:FB:8F:D5:03:BD:12
	 Signature algorithm name: SHA256withRSA
	 Version: 3

Extensions: 

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
, 
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.comodoca.com
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 90 AF 6A 3A 94 5A 0B D8   90 EA 12 56 73 DF 43 B4  ..j:.Z.....Vs.C.
0010: 3A 28 DA E7                                        :(..
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [1.3.6.1.4.1.6449.1.2.1.3.4]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1D 68 74 74 70 73 3A   2F 2F 73 65 63 75 72 65  ..https://secure
0010: 2E 63 6F 6D 6F 64 6F 2E   6E 65 74 2F 43 50 53     .comodo.net/CPS

]]  ]
  [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
]

#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#7: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#8: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: simple-soft.info
  DNSName: www.simple-soft.info
]

#9: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 8E 55 C6 6F 97 89 03 E2   E1 1B 6C 77 22 C8 8B E8  .U.o......lw"...
0010: DE 32 18 CF                                        .2..
]
]



*******************************************
*******************************************


Alias name: isisalias
Creation date: Jun 9, 2014
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=simple-soft.info, OU=Logistics, O=ISIS Logistics Sdn Bhd, L=Puchong, ST=Selangor, C=MY
Issuer: CN=simple-soft.info, OU=Logistics, O=ISIS Logistics Sdn Bhd, L=Puchong, ST=Selangor, C=MY
Serial number: 3334f4da
Valid from: Mon Jun 09 19:39:29 SGT 2014 until: Sun Sep 07 19:39:29 SGT 2014
Certificate fingerprints:
	 MD5:  93:F6:80:E1:14:8A:A3:3D:2C:9F:AA:A1:91:D5:9B:00
	 SHA1: AC:E1:D4:2A:90:63:CF:CF:C4:4E:07:52:26:AE:07:1C:AC:58:DB:98
	 SHA256: F7:C9:BD:64:F5:CC:AB:74:CE:D7:4F:59:7C:89:CD:8C:2B:3C:3F:42:16:91:23:B6:C1:3C:31:52:D0:4A:08:FA
	 Signature algorithm name: SHA256withRSA
	 Version: 3

Extensions: 

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  IPAddress: 54.255.216.147
]

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 8E 55 C6 6F 97 89 03 E2   E1 1B 6C 77 22 C8 8B E8  .U.o......lw"...
0010: DE 32 18 CF                                        .2..
]
]



*******************************************
*******************************************


Alias name: intermed-2
Creation date: Jun 11, 2014
Entry type: trustedCertEntry

Owner: CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
Issuer: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
Serial number: 2b2e6eead975366c148a6edba37c8c07
Valid from: Wed Feb 12 08:00:00 SGT 2014 until: Mon Feb 12 07:59:59 SGT 2029
Certificate fingerprints:
	 MD5:  83:E1:04:65:B7:22:EF:33:FF:0B:6F:53:5E:8D:99:6B
	 SHA1: 33:9C:DD:57:CF:D5:B1:41:16:9B:61:5F:F3:14:28:78:2D:1D:A6:39
	 SHA256: 02:AB:57:E4:E6:7A:0C:B4:8D:D2:FF:34:83:0E:8A:C4:0F:44:76:FB:08:CA:6B:E3:F5:CD:84:6F:64:68:40:F0
	 Signature algorithm name: SHA384withRSA
	 Version: 3

Extensions: 

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://crt.comodoca.com/COMODORSAAddTrustCA.crt
, 
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.comodoca.com
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: BB AF 7E 02 3D FA A6 F1   3C 84 8E AD EE 38 98 EC  ....=...<....8..
0010: D9 32 32 D4                                        .22.
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.comodoca.com/COMODORSACertificationAuthority.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.5.29.32.0]
[]  ]
  [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
]

#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#7: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

#8: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 90 AF 6A 3A 94 5A 0B D8   90 EA 12 56 73 DF 43 B4  ..j:.Z.....Vs.C.
0010: 3A 28 DA E7                                        :(..
]
]



*******************************************
*******************************************




I set Glassfish Certificate NickName to both isisalias and simple-soft.info, and both are not working.

Alias name: isisalias Creation date: Jun 9, 2014 Entry type: PrivateKeyEntry

Import your certificate/domain certificate again, this time using the alias of ‘isisalias’.

Thanks Sal, this is really helpful, and I am able to access my webpage via https already.
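Added example (not part of the original thread): a check over `keytool -list -v` output for the condition diagnosed above, where the CA-issued certificate was imported as a trustedCertEntry under a new alias while the PrivateKeyEntry still holds only its self-signed certificate. The function names are hypothetical, and the two entries are matched on SubjectKeyIdentifier rather than on CN.

```python
import re

# Trimmed from the `keytool -list -v` output posted in this thread: two of the
# five entries, with every extension except SubjectKeyIdentifier left out.
SAMPLE = """\
Alias name: simple-soft.info
Entry type: trustedCertEntry
Owner: CN=simple-soft.info, OU=Free SSL, OU=Domain Control Validated
Issuer: CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
SubjectKeyIdentifier [
KeyIdentifier [
0000: 8E 55 C6 6F 97 89 03 E2   E1 1B 6C 77 22 C8 8B E8  .U.o......lw"...
0010: DE 32 18 CF                                        .2..
]
]

Alias name: isisalias
Entry type: PrivateKeyEntry
Owner: CN=simple-soft.info, OU=Logistics, O=ISIS Logistics Sdn Bhd, L=Puchong, ST=Selangor, C=MY
Issuer: CN=simple-soft.info, OU=Logistics, O=ISIS Logistics Sdn Bhd, L=Puchong, ST=Selangor, C=MY
SubjectKeyIdentifier [
KeyIdentifier [
0000: 8E 55 C6 6F 97 89 03 E2   E1 1B 6C 77 22 C8 8B E8  .U.o......lw"...
0010: DE 32 18 CF                                        .2..
]
]
"""

def field(block, key):
    m = re.search(rf"^{key}: (.*)$", block, re.M)
    return m.group(1).strip() if m else None

def ski(block):
    """SubjectKeyIdentifier of the entry's first certificate, as a hex string."""
    m = re.search(r"SubjectKeyIdentifier \[\s+KeyIdentifier \[\s+((?:[0-9A-F]{4}: .*\n)+)", block)
    return "".join(re.findall(r"[0-9A-F]{2}", " ".join(
        l[6:55] for l in m.group(1).splitlines()))) if m else None

def misplaced_replies(listing):
    """(trusted_alias, key_alias) pairs where a CA-issued certificate for a key
    sits in a trustedCertEntry while the key entry is still self-signed."""
    es = [dict(alias=b.splitlines()[0].strip(), type=field(b, "Entry type"),
               self_signed=field(b, "Owner") == field(b, "Issuer"), ski=ski(b))
          for b in re.split(r"(?m)^Alias name: ", listing)[1:]]
    return [(t["alias"], k["alias"]) for k in es for t in es
            if k["type"] == "PrivateKeyEntry" and k["self_signed"]
            and t["type"] == "trustedCertEntry" and not t["self_signed"]
            and t["ski"] and t["ski"] == k["ski"]]

print(misplaced_replies(SAMPLE))
```

Each pair it returns names the alias the certificate was imported under and the alias it should be re-imported under, which for this keystore is the re-import under `isisalias` that resolved the problem.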