RTF

Reputation: 6524

How to correctly create a java keystore file from PEM files provided by a Certificate Authority?

I'm trying to get a secure site running over SSL with Jetty. I've received 4 PEM files from a Certificate Authority:

But I can't get it working. Either the site rejects requests completely or it works but doesn't recognize the certificate and the browser gives a warning. I've tried the following:

keytool -keystore keystore.jks -import -alias server -file server.crt -trustcacerts

...but this results in requests to the site being rejected immediately with Chrome saying the webpage is unavailable - no errors on the server at all. I've also tried this:

openssl pkcs12 -export -out keystore.pkcs12 -in server.crt -inkey server-private-key.pem
keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype jks

...and this results in the site responding to requests but still warning about the certificate not being trusted.

What do I need to do (if anything) with the root certificate and intermediate certificates? Are my attempts failing because I'm not using them? I can't find any information that pieces together what I'm missing.

Upvotes: 2

Views: 2528

Answers (1)

Multisync

Reputation: 8797

Combine all the certificates together. Your server.crt will look like this:

-----BEGIN CERTIFICATE-----
1 Certificate for my site
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
1st Intermediate Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
2nd Intermediate Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
1 Root Certificate
-----END CERTIFICATE-----

Use commands:

openssl pkcs12 -export -clcerts -in  server.crt -inkey server-private-key.pem -out keystore.pkcs12

keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype jks

Upvotes: 3
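The answer's procedure, carried through end to end as an added example (this script is not from the question or the answer): assemble the chain in the order shown above, check that the private key really belongs to the server certificate and that the chain verifies up to the root before anything is deployed, then export the PKCS#12 store and optionally convert it to JKS. The file names server.crt and server-private-key.pem come from the question; intermediate.pem, root.pem, the keystore password and the throwaway demo CA that stands in for the files a real CA would deliver are assumptions made here so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Builds a full-chain
# PEM, checks key/chain consistency, then packages everything for Jetty.
# File names beyond server.crt / server-private-key.pem are assumed; the demo
# CA below is constructed data standing in for what a real CA delivers.
set -eu

# build_chain OUT LEAF [INTERMEDIATE...] ROOT
# Order matters: server certificate first, then each intermediate in signing
# order, then the root. This is the layout the answer shows for server.crt.
build_chain() {
  out=$1; shift
  cat "$@" > "$out"
}

# count_certs FILE: number of PEM certificates in a bundle ("-" reads stdin)
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# key_matches_cert KEY CERT: succeeds when the private key belongs to the
# certificate (compares SHA-256 digests of both DER-encoded public keys)
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$k" = "$c" ]
}

# verify_chain FULLCHAIN ROOT: succeeds when the first certificate in
# FULLCHAIN chains up to ROOT using the rest of FULLCHAIN as untrusted
# intermediates. Same check a browser makes, done before deploying.
verify_chain() {
  openssl x509 -in "$1" | openssl verify -CAfile "$2" -untrusted "$1" >/dev/null 2>&1
}

# make_pkcs12 FULLCHAIN KEY PASSWORD OUT: one entry holding the key, the
# server certificate and every extra certificate found in FULLCHAIN
make_pkcs12() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -name server \
    -passout "pass:$3" -out "$4"
}

# p12_cert_count P12 PASSWORD: how many certificates the store really holds
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys | count_certs -
}

# to_jks P12 PASSWORD OUT: only needed if the Jetty config insists on JKS;
# Java and Jetty read the PKCS#12 file directly, so this step is optional.
to_jks() {
  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found; point Jetty at $1 with KeyStoreType PKCS12" >&2
    return 0
  fi
  keytool -importkeystore -srckeystore "$1" -srcstoretype pkcs12 -srcstorepass "$2" \
    -destkeystore "$3" -deststoretype jks -deststorepass "$2" -noprompt
}

# make_demo_pki DIR: throwaway root -> intermediate -> server chain
# (constructed test data, one-day validity, not real certificates)
make_demo_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.test\n' > "$d/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
    -keyout "$d/intermediate.key" -out "$d/intermediate.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/intermediate.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/intermediate.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
    -keyout "$d/server-private-key.pem" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/server.csr" -CA "$d/intermediate.pem" -CAkey "$d/intermediate.key" \
    -CAcreateserial -extfile "$d/leaf.ext" -out "$d/server.crt" 2>/dev/null
}

# demo DIR: run the whole procedure in DIR; prints the certificate count
demo() {
  d=$1; pass=changeit   # assumed keystore password
  make_demo_pki "$d"
  build_chain "$d/fullchain.pem" "$d/server.crt" "$d/intermediate.pem" "$d/root.pem"
  key_matches_cert "$d/server-private-key.pem" "$d/server.crt"
  verify_chain "$d/fullchain.pem" "$d/root.pem"
  make_pkcs12 "$d/fullchain.pem" "$d/server-private-key.pem" "$pass" "$d/keystore.p12"
  to_jks "$d/keystore.p12" "$pass" "$d/keystore.jks" \
    || echo "JKS conversion failed; Jetty can load keystore.p12 directly" >&2
  p12_cert_count "$d/keystore.p12" "$pass"
}

work=$(mktemp -d)
count=$(demo "$work")
echo "certificates in $work/keystore.p12: $count"
```

With real CA files, drop the demo CA and call build_chain, key_matches_cert and verify_chain on the delivered files; a failing verify_chain usually means the intermediates are missing or in the wrong order, which is exactly what produces the browser warning the question describes. Two caveats: the `-clcerts` flag in the answer is a parsing-mode option of `openssl pkcs12` and does not limit what is exported, so the extra certificates in server.crt still end up in the store; and OpenSSL 3 writes PKCS#12 files with modern encryption that older Java releases cannot read, in which case `openssl pkcs12 -export -legacy` produces a store keytool accepts.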
