Certificate Chaining

If you are required to install a new certificate (for example, into a Java cacerts keystore) then you will potentially need to chain the certificates.

Don’t be fazed by this, the concept is relatively straightforward.

When chaining certificates, your starting point is the new certificate you’ve been provided with. Inspect the cert with the following command and note the Subject and Issuer lines:

openssl x509 -in .crt -noout -text
Issuer: C=US, O=Entrust, Inc., OU=www.entrust.net/rpa is incorporated by reference, OU=(c) 2009 Entrust, Inc., CN=Entrust Certification Authority - L1C
Subject: C=GB, L=Wales, O=MY Group, OU=IT&T, CN=my.url.com

To build the chain, obtain the next certificate (i.e. the Issuer’s certificate) and repeat this process until you reach the root certificate. You know you’ve reached the root because the Subject and the Issuer will have the same details, i.e. a self-signed certificate like the one below:

Issuer: C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Secure Server Certification Authority
Subject: C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Secure Server Certification Authority

For this example I have my new certificate and three other PEM files that complete the chain. To link all these certificates ready for importing into the cacerts file, use the following command; it builds the chain and outputs a p7b file in one line:

openssl crl2pkcs7 -nocrl -certfile newcert2013.cer -out certificate.p7b -certfile cert2.pem -certfile cert3.pem -certfile cert4.pem

Next you’ll need to import the newly created p7b file into the cacerts file. This is done like so (obviously you’ll need the cacerts password!):

keytool -import -alias my.new.cert -file certificate.p7b -keystore cacerts
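The manual walk through the chain above, done as a script; this is an added example and not part of the original post. Starting from the leaf it picks the file in a directory whose Subject equals the current Issuer, stops at the self-signed root, builds the same p7b with crl2pkcs7, and checks that the chain actually verifies before you run the keytool import. The file names and the .pem extension are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): automate the post's chaining
# steps. Assumes every candidate certificate in DIR is a PEM file named *.pem.

# Print the subject or issuer DN of a certificate ($1 = subject|issuer, $2 = file).
# The sed strips the "subject=" / "issuer=" prefix so the two can be compared.
cert_dn() {
    openssl x509 -in "$2" -noout "-$1" | sed 's/^[a-z]*= *//'
}

# A self-signed certificate (Subject equals Issuer) is the end of the chain.
is_root() {
    [ "$(cert_dn subject "$1")" = "$(cert_dn issuer "$1")" ]
}

# build_chain LEAF DIR: print the chain leaf -> ... -> root, one file per line.
# Returns 1 if some Issuer has no matching file in DIR (first match wins, so a
# directory holding two certificates with the same Subject needs manual review).
build_chain() {
    current=$1
    echo "$current"
    while ! is_root "$current"; do
        want=$(cert_dn issuer "$current")
        next=""
        for f in "$2"/*.pem; do
            [ "$(cert_dn subject "$f")" = "$want" ] && { next=$f; break; }
        done
        [ -n "$next" ] || { echo "no certificate in $2 with subject: $want" >&2; return 1; }
        echo "$next"
        current=$next
    done
}

# chain_to_p7b OUT.p7b FILE...: the post's crl2pkcs7 step, one -certfile per file.
chain_to_p7b() {
    out=$1; shift
    for f in "$@"; do set -- "$@" -certfile "$f"; shift; done
    openssl crl2pkcs7 -nocrl "$@" -out "$out"
}

# verify_chain LEAF ROOT INTERMEDIATE...: confirm the chain validates
# (root trusted, intermediates untrusted) before importing it into cacerts.
verify_chain() {
    leaf=$1; root=$2; shift 2
    for f in "$@"; do set -- "$@" -untrusted "$f"; shift; done
    openssl verify -CAfile "$root" "$@" "$leaf"
}
```

Run it as `build_chain newcert.pem certs/` and feed the printed list to `chain_to_p7b certificate.p7b ...` and `verify_chain`; a failed verify means a certificate is missing or expired and the import would only hide the problem.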

And that’s all there is to it!!!