openssl p12 generation failing with CA bundle chain option
I found (the|a) solution to this problem on this blog post. From the post:
After a bit of testing, I found that you need to make a new CAfile to be used, that combines the cacerts file from the openssl distribution and the intermediate.crt file...
...which is:
cat your-server-bundle /etc/ssl/certs/ca-certificates.crt > allcacerts.crt
...then use allcacerts.crt (or whatever you call it) as the parameter to the -CAfile option in the openssl command.
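The failure and the fix can be reproduced offline with a throwaway PKI. This is an added example, not code from the answer or the quoted blog post; it assumes `server.ca-bundle` holds only the intermediate certificate, and the helper names (`make_pki`, `export_p12`, `p12_cert_count`), subjects and password are constructed, with `root.crt` standing in for the system root file.

```shell
# Constructed throwaway PKI: root -> intermediate -> server (not real certs).
make_pki() (  # $1 = empty working directory
  cd "$1" || exit 1
  exec >/dev/null 2>&1
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout root.key -out root.crt -subj "/CN=Constructed Root CA" -days 2 &&
  openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout inter.key \
    -out inter.csr -subj "/CN=Constructed Intermediate CA" &&
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile ca.cnf -extensions v3_ca -out server.ca-bundle -days 2 &&
  openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout server.key \
    -out server.csr -subj "/CN=server.example.test" &&
  openssl x509 -req -in server.csr -CA server.ca-bundle -CAkey inter.key \
    -CAcreateserial -out server.crt -days 2
)

# The export from the question, with a constructed non-interactive password.
export_p12() (  # $1 = working directory, $2 = file passed to -CAfile
  cd "$1" || exit 1
  openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 \
    -CAfile "$2" -chain -passout pass:constructed 2>/dev/null
)

p12_cert_count() (  # $1 = working directory; counts certificates in server.p12
  cd "$1" || exit 1
  openssl pkcs12 -in server.p12 -nokeys -passin pass:constructed 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
)

work=$(mktemp -d) && make_pki "$work" || exit 1
if export_p12 "$work" server.ca-bundle; then echo "bundle only: ok"
else echo "bundle only: fails, -chain cannot reach a self-signed root"; fi
# The answer's fix: bundle plus roots in one file for -CAfile.
cat "$work/server.ca-bundle" "$work/root.crt" > "$work/allcacerts.crt"
export_p12 "$work" allcacerts.crt && echo "combined: $(p12_cert_count "$work") certs"
```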
RTF
Updated on September 18, 2022
RTF over 1 year
I'm trying to install an SSL certificate for a Java servlet framework. I have 3 files: the private key (PEM), certificate file (PEM) and CA bundle (PEM). When I run:
openssl pkcs12 -export -in server.crt -inkey server.key -certfile server.crt -out server.p12 -CAfile server.ca-bundle -chain
...in order to get the p12 file that I can use to create the Java keystore, it fails with the following error:
Error unable to get issuer certificate getting chain.
Elsewhere, I have successfully set up 2 Apache servers using the same key, certificate and CA bundle files and there are no problems. Why might I be getting this error?