Entrust Certificate Services Support Knowledge Base

Audience: Intermediate
Last Modified: 2007-01-19 14:23:19.0

TN 7044 - How do I install an Entrust EV SSL certificate using java Keytool ?

Problem:

Your Entrust EV SSL certificate will not import into your JKS keystore without the required CA chain certificates.

Solution:

To proceed with installing your EV SSL and  Entrust Chain Certificates:



When installing an Entrust SSL certificate, you must also install the Entrust chaining certificates at the same time. Please review the below steps for your version of Sun Java.

 

SUN JAVA 1.4.1 or lower

SSL Certificate and Chain Certificate Installation


When installing an Entrust SSL certificate, you must also install the Entrust chaining certificates

at the same time. Please review the below steps for your version of Sun Java.

Important:
! Please use the SAME alias when creating your CSR and installing your certificate that you use to create your self-signed keystore.


keytool -import -alias root -keystore \ -trustcacerts -file

As an example: C:\>keytool -import -alias myalias -keystore c:\.mykeystore -trustcacerts -file

c:\webcert.txt

Since Java looks at your "cacerts" file for trusted root CAs, the Entrust.net Secure Server CA root is not present in Java 1.4.x. or below.
You do not need to import the root into "cacerts" directly.
This combined root and Entrust SSL Certificate file must include the Entrust.net Secure Server CA (1024) root first, then the 2048 Entrust Chain signed by the Entrust.net Secure Server CA root, then the L1A Chain certificate, then the Entrust SSL certificate.

As an example  webcert.txt will contain all CA certificates that are required to complete the certificate path.

Below is the order of certificates.

Certificate 1: Entrust.net Secure Server CA root (1024)
Certificate 2: Entrust Root Certification Authority (2048)
Certificate 3: Entrust Certification Authority - L1A
Certificate 4: Your Entrust SSL certificate


-----BEGIN CERTIFICATE-----
MIIE2DCCBEGgAwIBAgIEN0rSQzANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMC
VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnVzdC5u
ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMc
KGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDE6MDgGA1UEAxMxRW50cnVzdC5u
ZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05OTA1
MjUxNjA5NDBaFw0xOTA1MjUxNjM5NDBaMIHDMQswCQYDVQQGEwJVUzEUMBIGA1UE
ChMLRW50cnVzdC5uZXQxOzA5BgNVBAsTMnd3dy5lbnRydXN0Lm5ldC9DUFMgaW5j
b3JwLiBieSByZWYuIChsaW1pdHMgbGlhYi4pMSUwIwYDVQQLExwoYykgMTk5OSBF
bnRydXN0Lm5ldCBMaW1pdGVkMTowOAYDVQQDEzFFbnRydXN0Lm5ldCBTZWN1cmUg
U2VydmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGdMA0GCSqGSIb3DQEBAQUA
A4GLADCBhwKBgQDNKIM0VBuJ8w+vN5Ex/68xYMmo6LIQaO2f55M28Qpku0f1BBc/
I0dNxScZgSYMVHINiC3ZH5oSn7yzcdOAGT9HZnuMNSjSuQrfJNqc1lB5gXpa0zf3
wkrYKZImZNHkmGw6AIr1NJtl+O3jEP/9uElY3KDegjlrgbEWGWG5VLbmQwIBA6OC
AdcwggHTMBEGCWCGSAGG+EIBAQQEAwIABzCCARkGA1UdHwSCARAwggEMMIHeoIHb
oIHYpIHVMIHSMQswCQYDVQQGEwJVUzEUMBIGA1UEChMLRW50cnVzdC5uZXQxOzA5
BgNVBAsTMnd3dy5lbnRydXN0Lm5ldC9DUFMgaW5jb3JwLiBieSByZWYuIChsaW1p
dHMgbGlhYi4pMSUwIwYDVQQLExwoYykgMTk5OSBFbnRydXN0Lm5ldCBMaW1pdGVk
MTowOAYDVQQDEzFFbnRydXN0Lm5ldCBTZWN1cmUgU2VydmVyIENlcnRpZmljYXRp
b24gQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMCmgJ6AlhiNodHRwOi8vd3d3LmVu
dHJ1c3QubmV0L0NSTC9uZXQxLmNybDArBgNVHRAEJDAigA8xOTk5MDUyNTE2MDk0
MFqBDzIwMTkwNTI1MTYwOTQwWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAU8Bdi
E1U9s/8KAGv7UISX8+1i0BowHQYDVR0OBBYEFPAXYhNVPbP/CgBr+1CEl/PtYtAa
MAwGA1UdEwQFMAMBAf8wGQYJKoZIhvZ9B0EABAwwChsEVjQuMAMCBJAwDQYJKoZI
hvcNAQEFBQADgYEAkNwwAvpkdMKnCqV8IY00F6j7Rw7/JXyNEwr75Ji174z4xRAN
95K+8cPV1ZVqBLssziY2ZcgxxufuP+NXdYR6Ee9GTxj005i7qIcyunL2POI9n9cd
2cNgQ4xYDiKWL2KjLB+6rQXvqzJ4h6BUcxm1XAX5Uj5tLUUL9wqT6u0G+bI=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEmzCCBASgAwIBAgIEQoctTDANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMC
VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnVzdC5u
ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMc
KGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDE6MDgGA1UEAxMxRW50cnVzdC5u
ZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNzAx
MDUxOTIwMzlaFw0xNzAxMDUxOTUwMzlaMIGwMQswCQYDVQQGEwJVUzEWMBQGA1UE
ChMNRW50cnVzdCwgSW5jLjE5MDcGA1UECxMwd3d3LmVudHJ1c3QubmV0L0NQUyBp
cyBpbmNvcnBvcmF0ZWQgYnkgcmVmZXJlbmNlMR8wHQYDVQQLExYoYykgMjAwNiBF
bnRydXN0LCBJbmMuMS0wKwYDVQQDEyRFbnRydXN0IFJvb3QgQ2VydGlmaWNhdGlv
biBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC2lbZD
QvrGbSpvSN+UTDlXBe7DeRFBaDbt7P6aAY+hOCj89xBGZi5NHhqxGk7G0cCViLDJ
/zGLMwPbt4N7PiCEXu2yViin+OC5QHE3xctHDpcqaMAilWIV20fZ9dAr/4JLya0+
3kzbkIBQPwmKhADsMAo9GM37/SpZmiOVFyxFnh9uQ3ltDFyY/kinxSNHXF79buce
tPZoRdGGg1uiio2x4ymA/iVxiK2+vI+sUpZLqlGN5BMxGehOTZ/brLNq1bw5VHHK
enp/kN19HYDZgbtZJsIR/uaT4veA5GX7NDcOKYBwTa84hi6ef1evnheu6xzLKCFf
thzY56IEIvnT2tjLAgMBAAGjggEnMIIBIzAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0T
AQH/BAUwAwEB/zAzBggrBgEFBQcBAQQnMCUwIwYIKwYBBQUHMAGGF2h0dHA6Ly9v
Y3NwLmVudHJ1c3QubmV0MDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9jcmwuZW50
cnVzdC5uZXQvc2VydmVyMS5jcmwwOwYDVR0gBDQwMjAwBgRVHSAAMCgwJgYIKwYB
BQUHAgEWGmh0dHA6Ly93d3cuZW50cnVzdC5uZXQvQ1BTMB0GA1UdDgQWBBRokORn
pKZTgMeGZqTx90tD+4S9bTAfBgNVHSMEGDAWgBTwF2ITVT2z/woAa/tQhJfz7WLQ
GjAZBgkqhkiG9n0HQQAEDDAKGwRWNy4xAwIAgTANBgkqhkiG9w0BAQUFAAOBgQAM
sIR8LRP+mj2/GAWVPSBIoxaBhxVQFaSIjZ9g1Dpv6y1uOoakqdLBnYl6CBykLbNH
jg9kSm9mA4M/TzSUNqopbYuNAiIrjM13pXCVhpHRtr9SvjNqa5n5b+ESvgTLM7/1
EhpORLpbFk0wufO0dM5u8mhWWN3Yof1UBfQjkYXJ+Q==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFjjCCBHagAwIBAgIERWtQzTANBgkqhkiG9w0BAQUFADCBsDELMAkGA1UEBhMC
VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0
Lm5ldC9DUFMgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMW
KGMpIDIwMDYgRW50cnVzdCwgSW5jLjEtMCsGA1UEAxMkRW50cnVzdCBSb290IENl
cnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA3MDEwNTE4MjcxNFoXDTE3MDEwNTE4
NTcxNFowggE0MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNRW50cnVzdCwgSW5jLjE4
MDYGA1UECxMvQU5EIEFERElUSU9OQUwgVEVSTVMgR09WRVJOSU5HIFVTRSBBTkQg
UkVMSUFOQ0UxRzBFBgNVBAsTPkNQUyBDT05UQUlOUyBJTVBPUlRBTlQgTElNSVRB
VElPTlMgT0YgV0FSUkFOVElFUyBBTkQgTElBQklMSVRZMTkwNwYDVQQLEzB3d3cu
ZW50cnVzdC5uZXQvQ1BTIGlzIGluY29ycG9yYXRlZCBieSByZWZlcmVuY2UxHzAd
BgNVBAsTFihjKSAyMDA2IEVudHJ1c3QsIEluYy4xLjAsBgNVBAMTJUVudHJ1c3Qg
Q2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBMMUEwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQDGRXpU6aql+KQv+Jo800ZMXsLRDTgT/E3snIWwcSv6KD3J
qkto8Rd972Pyo6xcSP1Ln2MKPuLLmNFtEpcfzK0Njsl2wemfuxeEbkfyy3N+sxUD
QBOoC98WqkHIUNxN7CGTnL+QV8ZZ+XKPp7Qi81CbkvhbZ0vlosJ8EMzNxdh73wOv
3lJJ0LabQvMg3/ZgfSjB6uct6d5lj5id/NryvN8USarH0KI8UG1S7iVl7GgUmAxh
ko7gN4Mf9yXVO7mWcX450/e8CET5D+d3jxipC1zrjLv25YnNicREoP1P/mlfGRMP
BD/3s2shdRMuVwOhBhstvMiXfuzOTNwXgFFIRo3lAgMBAAGjggEnMIIBIzAOBgNV
HQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAzBggrBgEFBQcBAQQnMCUwIwYI
KwYBBQUHMAGGF2h0dHA6Ly9vY3NwLmVudHJ1c3QubmV0MDMGA1UdHwQsMCowKKAm
oCSGImh0dHA6Ly9jcmwuZW50cnVzdC5uZXQvcm9vdGNhMS5jcmwwOwYDVR0gBDQw
MjAwBgRVHSAAMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly93d3cuZW50cnVzdC5uZXQv
Q1BTMB0GA1UdDgQWBBR+t/xMJuawevtU4jxFc8ZDkF4oBDAfBgNVHSMEGDAWgBRo
kORnpKZTgMeGZqTx90tD+4S9bTAZBgkqhkiG9n0HQQAEDDAKGwRWNy4xAwIAgTAN
BgkqhkiG9w0BAQUFAAOCAQEALgFiTnpwN6I8YX/wQeMDrmbruMoITR8C9y3smSbn
m6df3SPGSuP6wfhp7azE7NtWuGv6hpmJCxmhWFPbWkNy64OdeLad23+8SVy4SW/D
W3PJsw8p/vadXxV50dAMHPrlNPq3lxJDombV+VczeJ61AG3W10SRiuavga31BtaB
JbNioHorzffkKijAZN439AvxJNeoZj1UQ6cb1bjAJ/x5RcTWvk7aPVW9RamtTAZ1
kL4YHOzlaxlOjk4v4HlxQyv3NLEO3+u8qS4ehcQr3Oke4/icg3UsYptLwvCARpdp
VunwO1f+RgS+KY9/d11Po2WUcAYLOfC2/oadzFrgEAFNNA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGjDCCBXSgAwIBAgIERW8rYzANBgkqhkiG9w0BAQUFADCCATQxCzAJBgNV
BAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMTgwNgYDVQQLEy9BTkQg
QURESVRJT05BTCBURVJNUyBHT1ZFUk5JTkcgVVNFIEFORCBSRUxJQU5DRTFH
MEUGA1UECxM+Q1BTIENPTlRBSU5TIElNUE9SVEFOVCBMSU1JVEFUSU9OUyBP
RiBXQVJSQU5USUVTIEFORCBMSUFCSUxJVFkxOTA3BgNVBAsTMHd3dy5lbnRy
dXN0Lm5ldC9DUFMgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0G
A1UECxMWKGMpIDIwMDYgRW50cnVzdCwgSW5jLjEuMCwGA1UEAxMlRW50cnVz
dCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEwxQTAeFw0wNzAxMTkxNjAx
MDNaFw0wODAxMTkxNjIxMTVaMIHJMQswCQYDVQQGEwJDQTEQMA4GA1UECBMH
T250YXJpbzEPMA0GA1UEBxMGT3R0YXdhMRMwEQYLKwYBBAGCNzwCAQMTAkNB
MRMwEQYLKwYBBAGCNzwCAQITAk9OMRcwFQYLKwYBBAGCNzwCAQETBk90dGF3
YTEWMBQGA1UEChMNVGVzdCBEaXNhbGxvdzELMAkGA1UECxMCRVYxLzAMBgNV
BAUTBTAwMDAwMB8GA1UEAxMYd3d3LnRlc3RjZXJ0aWZpY2F0ZXMuY29tMIGf
MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCiUp+3UID2rDdQET3XJFegXA92
ts44tlr+Fle9dDMUk+c0N5/xxvcTbWoBq8MqXP+wigKQCB+fY5sm7zh0YwV2
BFuUCZqjBtP8d8wpjG07DyY8x6lAOZ/lG6f4OgQEZ1Veu16lgtNjikNEcNMM
6wZDUryH0AeYGaj2EssBy0rRq6TF2PRNZOHyu6Y2EaHwnSsJIIv5ZxpR1dQn
KFk0hzNDUuch27Lc5drEtS8YRamKMzh3+SEhaaIdBEpbX16KatBlb19RjO8J
662dRGPiN4Iq3PA1KX9j
-----END CERTIFICATE-----

You will need to accept the trusted CA.

 

Enter keystore password:  password

Top-level certificate in reply:

Owner: CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust
.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.n
et, C=US
Issuer: CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrus
t.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.
net, C=US
Serial number: 374ad243
Valid from: Tue May 25 12:09:40 EDT 1999 until: Sat May 25 12:39:40 EDT 2019
Certificate fingerprints:
         MD5:  DF:F2:80:73:CC:F1:E6:61:73:FC:F5:42:E9:C5:7C:EE
         SHA1: 99:A6:9B:E6:1A:FE:88:6B:4D:2B:82:00:7C:B8:54:FC:31:7E:15:39

... is not trusted. Install reply anyway? [no]:  yes
Certificate reply was installed in keystore

 

SUN JAVA 1.4.2 or higher

SSL Certificate and Chain Certificate Installation


When installing an Entrust SSL certificate, you must also install the Entrust chaining certificates at the same time. Please review the below steps for your version of Sun Java. 

Install using the same commands above however, since Certificate 1: Entrust.net Secure Server Root CA is bundled with 'cacerts' for this version of Java, you can exclude CA Certificate 1, as shown in above example to install the Entrust SSL Certificate. 

The results below are to be expected on a Windows O/S. The confirmation output may vary on a Unix system.


Important:
! Please use the SAME alias when creating your CSR and installing your certificate that you use to create your self-signed keystore.


C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN>keytool -import -alias ralias -keystore c:\15keystore

-trustcacerts -file c:\webcert.txt

Enter keystore password:  password
Certificate reply was installed in keystore

You have just installed your Entrust SSL Certificate, along with the chains to complete the certificate path.

 

Affected Products:

  • Entrust Certificate Services Certificate Administrator EV SSL - 1 Year Version Not Applicable Language Not Applicable Windows
  • Entrust Certificate Services Certificate Administrator EV SSL - 2 Year Version Not Applicable Language Not Applicable Windows
  • Entrust Certificate Services EV SSL - 1 Year Version Not Applicable English Windows
  • Entrust Certificate Services EV SSL - 2 Year Version Not Applicable English Windows