I got this error with this ... unfortunate... package I have to use and I don't have source for. After much digging (thank you, Stack Overflow) and trying endless combinations, I finally got things running by:
Creating the JKS with the entire certificate chain.
Making sure the key in the JKS had the alias of the FQDN of the machine.
Renaming the alias of the certificate for my machine to ${FQDN}.cert
This took endless experimentation with the Java command-line options:
-Djavax.net.debug=ssl:handshake:verbose:keymanager:trustmanager
-Djava.security.debug=access:stack
My key and CSR were produced in OpenSSL so I had to import the key with:
openssl pkcs12 -export -in cert.pem -inkey cert.key -CAfile fullChain.pem -name ${FQDN} -out cert.p12
keytool -importkeystore -destkeystore cert.jks -srckeystore cert.p12 -srcstoretype PKCS12
keytool complains about the format, so I converted it and then added my cert chain:
keytool -importkeystore -srckeystore cert.jks -destkeystore cert_p12.jks -deststoretype pkcs12
keytool -import -trustcacerts -alias 'DigiCert Global Root G2 IntermediateCA' -keystore cert_p12.jks -file cert2.pem -storepass "$STOREPASS" -keypass "$KEYPASS"
keytool -import -trustcacerts -alias 'DigiCert Global Root G2' -keystore cert_p12.jks -file cert3.pem -storepass "$STOREPASS" -keypass "$KEYPASS"
(where cert2.pem and cert3.pem were downloaded from the DigiCert web site and converted to PEM format.)
When I restarted the application with the resulting jks file, things started to work.
Something else I figured out as part of this. You can check the certificate chain by using:
openssl x509 -in cert2.pem -noout -text
for all your certificates and studying the output, paying attention to the "X509v3 Authority Key Identifier:" and "X509v3 Subject Key Identifier:" lines. The "X509v3 Authority Key Identifier:" of one level matches the "X509v3 Subject Key Identifier:" of the next higher level. You have found the top of the chain when the "Issuer:" string matches the "Subject:" string.
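As an added example (not part of the original answer), here is a small Python script that automates the check described above: it pulls the Subject, Issuer, Subject Key Identifier and Authority Key Identifier out of concatenated "openssl x509 -noout -text" output and walks from the server certificate upward by matching each AKI to the SKI of the issuing certificate, stopping at the self-issued root. The dumps are constructed samples with made-up names and key identifiers, not real certificates.

```python
import re

# Constructed excerpts of `openssl x509 -noout -text` output for a three-certificate chain
# (made-up subjects and key identifiers, not real certificates). Real dumps carry many more
# lines. OpenSSL 1.1.x prints the AKI with a "keyid:" prefix, 3.x without it; both appear here.
CONSTRUCTED_DUMPS = """Certificate:
        Issuer: CN = Example Root
        Subject: CN = Example Intermediate
            X509v3 Subject Key Identifier:
                22:22:22:22
            X509v3 Authority Key Identifier:
                keyid:11:11:11:11
Certificate:
        Issuer: CN = Example Intermediate
        Subject: CN = host.example.test
            X509v3 Subject Key Identifier:
                33:33:33:33
            X509v3 Authority Key Identifier:
                22:22:22:22
Certificate:
        Issuer: CN = Example Root
        Subject: CN = Example Root
            X509v3 Subject Key Identifier:
                11:11:11:11
            X509v3 Authority Key Identifier:
                keyid:11:11:11:11
"""

def parse_dumps(text):
    """Split concatenated -text output into certs and pull out the four fields we need."""
    def grab(block, pattern):
        m = re.search(pattern, block, re.M)
        return m.group(1).strip() if m else None
    return [{"subject": grab(b, r"^\s*Subject:\s*(.*)$"),
             "issuer": grab(b, r"^\s*Issuer:\s*(.*)$"),
             "ski": grab(b, r"Subject Key Identifier:\s*(?:keyid:)?([0-9A-Fa-f:]+)"),
             "aki": grab(b, r"Authority Key Identifier:\s*(?:keyid:)?([0-9A-Fa-f:]+)")}
            for b in text.split("Certificate:")[1:]]

def order_chain(certs, leaf_subject):
    """Walk up from the leaf: each cert's AKI must equal the SKI of the next cert up.
    Stop at the self-issued root (Issuer == Subject); a missing link raises ValueError."""
    by_ski = {c["ski"]: c for c in certs}
    chain = [next(c for c in certs if c["subject"] == leaf_subject)]
    while chain[-1]["issuer"] != chain[-1]["subject"]:
        parent = by_ski.get(chain[-1]["aki"])
        if parent is None:
            raise ValueError("no cert with SKI %s to issue %s" % (chain[-1]["aki"], chain[-1]["subject"]))
        chain.append(parent)
    return [c["subject"] for c in chain]
```

To use it on real files, pipe the output of "openssl x509 -in <file> -noout -text" for every certificate into one text and pass it to parse_dumps; a ValueError tells you which link of the chain is missing from the keystore.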
I hope this can save somebody some of the time it took me.