Nina

Reputation: 58

Import Certificates into keystore, certificate chain is null

We are currently developing a Java client app, which communicates with a server via an SSL-secured connection. Our design requires the server to authenticate against the client by using a trusted certificate. The certificate chain looks like this:

<SOME CA Root certificate>
+- <SOME CA Intermediate certificate>
   +- <Our company's certificate>

Initially, we thought this to be simple: generate an arbitrary empty keystore, import the CA root, the CA intermediate and finally our own certificate, distribute this keystore among the clients, and done. To do so, we used PEM files containing the signed public key. When importing the CA root key, we told the keystore to mark it as trusted.

However, every access to keystore.getCertificateChain returns null.

We have checked via keytool and KeyStore Explorer that all certificates are available in the keystore as expected (they are) and also that the key identifiers of the respective subject and authority key match (they do). We also made sure that the imports were done in the correct order: first the CA, then the intermediate, then our company's certificate.

We went to our own company's website (where Firefox says the certificate is good) and downloaded the whole certificate chain (as PEM) from there to rule out that the original PEM files are corrupt, yet nothing changes.

Where did we go wrong? Do we have to explicitly set the certificate chain? How can we get details on which step within getCertificateChain is failing?

Upvotes: 4

Views: 1824

Answers (1)

user207421

Reputation: 311023

You need to import the root certificate of the chain as a trusted CA certificate. Not the whole chain. And KeyStore.getCertificateChain() only applies to private key entries, which this isn't.

Upvotes: 2
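To make the answer's two points concrete, here is a small diagnostic program (added here; it is not code from the asker or the answerer). It loads the client trust store, lists every alias with its entry type so that the null returned by getCertificateChain for TrustedCertificateEntry aliases is visible next to the certificate that getCertificate does return, and then validates a server chain (as downloaded in PEM form) against the trusted entries with PKIX, reporting which certificate in the path failed and why. The file names and the password are placeholders, and the PEM file is assumed to hold the chain leaf first, as browsers export it.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Inspects a client trust store and validates a server certificate chain
 * against it. Paths and password below are placeholders, not values from the question.
 */
public class TrustStoreInspector {

    /** Lists every alias with its entry type and what getCertificateChain returns. */
    static void listEntries(KeyStore ks) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            Certificate[] chain = ks.getCertificateChain(alias); // null for a TrustedCertificateEntry
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            System.out.printf("%-20s trustedCertEntry=%-5b keyEntry=%-5b chain=%-8s subject=%s%n",
                    alias, ks.isCertificateEntry(alias), ks.isKeyEntry(alias),
                    chain == null ? "null" : chain.length + " certs",
                    cert == null ? "-" : cert.getSubjectX500Principal().getName());
        }
    }

    /** Reads a PEM file holding one or more certificates, leaf first. */
    static List<X509Certificate> readChain(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(pemPath)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    /**
     * Validates the chain with PKIX, using the trust store's trusted entries as anchors.
     * Returns the index of the failing certificate in the path, or -1 if the chain is valid.
     */
    static int validate(KeyStore ks, List<X509Certificate> chain) throws Exception {
        // Trust anchors are built from the trusted-certificate entries of the store.
        PKIXParameters params = new PKIXParameters(ks);
        params.setRevocationEnabled(false); // no CRL/OCSP fetching in this offline check

        // Certificates that are themselves trust anchors do not belong in the path:
        // PKIX chains the path *to* an anchor; it does not validate the anchor itself.
        Set<Certificate> anchors = new HashSet<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias)) {
                anchors.add(ks.getCertificate(alias));
            }
        }
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate c : chain) {
            if (!anchors.contains(c)) {
                path.add(c);
            }
        }

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath certPath = cf.generateCertPath(path);
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        try {
            PKIXCertPathValidatorResult result =
                    (PKIXCertPathValidatorResult) validator.validate(certPath, params);
            System.out.println("Chain valid, anchored at "
                    + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal().getName());
            return -1;
        } catch (CertPathValidatorException ex) {
            // getIndex() is the position in the path of the certificate that failed
            // (-1 if the failure is not tied to one); getReason() says why.
            System.out.println("Chain invalid at index " + ex.getIndex()
                    + " (" + ex.getReason() + "): " + ex.getMessage());
            return ex.getIndex();
        }
    }

    public static void main(String[] args) throws Exception {
        String trustStorePath = args.length > 0 ? args[0] : "client-truststore.jks"; // placeholder
        String chainPemPath   = args.length > 1 ? args[1] : "server-chain.pem";      // placeholder
        char[] password = "changeit".toCharArray();                                  // placeholder

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ks.load(in, password);
        }
        listEntries(ks);
        validate(ks, readChain(chainPemPath));
    }
}
```

Run it as `java TrustStoreInspector client-truststore.jks server-chain.pem`. A trust store that holds only the root as a trusted entry is enough for the validation to succeed, because the intermediate and the server certificate arrive from the server during the TLS handshake; this is the same PKIX check the JSSE trust manager performs when it is initialised from that trust store, and the index and reason in the exception are the "which step failed" detail the question asks for.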
