Paul

Keytool unable to chain imported PKCS12 certificate?

I have Mountain Lion Server and an SSL certificate signed by Go Daddy. I have various services using the certificate successfully which is verified using several online SSL checker tools.

I have recently set up Jira, which runs under Tomcat, so I need to use those same certificates imported into the keystore.

I noticed that the root Go Daddy cert wasn't in /Library/Java/Home/lib/security/cacerts, so I imported it as a trusted cert along with the intermediate certificate.

In order for Tomcat to use HTTPS I had to import my certificate with the private key. I was able to do this using the Keychain Access utility to export it as a .p12 file. I could then import the certificate into the keystore with the private key. All seemed to go well, except that the SSL checker tools reported a broken chain of trust. I used keytool to dump the certificate info and it did indeed show that there was only 1 certificate in the chain rather than the 3 I expected.

No method of importing the certificate appears to resolve the chain of trust.

What am I missing?


Answers (1)

Andy

There is a difference between having the key incorporate the whole cert-chain and having the key plus one or more certificates in your keystore.

You may use openssl to create a key that incorporates the whole cert-chain, e.g.:

openssl pkcs12 -export -in <server cert in .pem format> -inkey <key in .pem format> -certfile <one file with several cert-blocks> -name tomcat -out tmp-keystore.p12


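As an added, self-contained example (not code from the original question or answer), the script below builds a throwaway root -> intermediate -> server chain with openssl, exports the server key two ways, and counts how many certificates each .p12 carries. The bare export reproduces the "only 1 certificate in the chain" result from the question; the export with `-certfile` yields 3, which is what keytool then copies into the key entry. Every name in it is made up: the CA subjects, the hostname jira.example.test, the alias tomcat and the password changeit. The keytool step runs only if a JDK is on PATH.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): reproduce the "chain length 1"
# symptom and fix it by exporting a PKCS#12 that carries the whole chain.
# Assumptions: openssl on PATH; keytool step only runs if a JDK is present.
# The CA hierarchy, hostname and the password "changeit" are all made up.
set -eu

make_demo_chain() {            # $1 = working dir; builds root -> intermediate -> server
  local d=$1
  cat > "$d/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
  cat > "$d/leaf.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:jira.example.test
EOF
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=jira.example.test" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
    -CAcreateserial -days 2 -extfile "$d/leaf.ext" -out "$d/server.crt" 2>/dev/null
  # The chain file holds everything above the leaf, intermediate first.
  cat "$d/inter.crt" "$d/root.crt" > "$d/chain.pem"
  # Sanity check: the leaf must verify up to the root through the intermediate.
  openssl verify -CAfile "$d/root.crt" -untrusted "$d/inter.crt" "$d/server.crt" >/dev/null
}

build_p12() {                  # $1 = dir, $2 = leaf | chain
  local d=$1 mode=$2
  if [ "$mode" = chain ]; then
    # The fix: -certfile adds the CA certs so the key entry carries the full chain.
    openssl pkcs12 -export -in "$d/server.crt" -inkey "$d/server.key" \
      -certfile "$d/chain.pem" -name tomcat -passout pass:changeit -out "$d/chain.p12"
  else
    # A bare export: key plus leaf only, which is what produces chain length 1 in keytool.
    openssl pkcs12 -export -in "$d/server.crt" -inkey "$d/server.key" \
      -name tomcat -passout pass:changeit -out "$d/leaf.p12"
  fi
}

count_p12_certs() {            # $1 = .p12; prints how many certificates it carries
  openssl pkcs12 -in "$1" -passin pass:changeit -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

import_into_jks() {            # $1 = .p12, $2 = destination JKS; skipped without a JDK
  command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH, skipping JKS import" >&2; return 0; }
  keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass changeit \
    -destkeystore "$2" -deststoretype JKS -deststorepass changeit -noprompt >/dev/null 2>&1
  # keytool reports the chain it copied from the .p12, e.g. "Certificate chain length: 3".
  keytool -list -v -keystore "$2" -storepass changeit -alias tomcat | grep 'Certificate chain length'
}

demo() {
  local work; work=$(mktemp -d)
  make_demo_chain "$work"
  build_p12 "$work" leaf
  build_p12 "$work" chain
  echo "leaf-only .p12 carries $(count_p12_certs "$work/leaf.p12") certificate(s)"  # 1: the broken case
  echo "chained .p12 carries  $(count_p12_certs "$work/chain.p12") certificate(s)" # 3: leaf + intermediate + root
  import_into_jks "$work/chain.p12" "$work/tomcat.jks"
}
demo
```

Two points worth noting from the run. First, `keytool -importkeystore` copies exactly the chain stored in the source .p12, so adding the Go Daddy root and intermediate to cacerts as trusted certs does not change the chain length of the key entry; the chain has to travel with the key. Second, if the key is already in the keystore, the chain can also be repaired in place: `keytool -importcert -alias <key alias> -file <leaf+intermediates in one .pem>` treats the file as a certificate reply and replaces the entry's chain, provided the reply validates to a root that keytool trusts.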