SSL Certificates

Entrust Certificate Services Support Knowledge Base

Audience: General
Last Modified: 2009-12-14 14:28:18.0

TN 7869 - Installing the Entrust certificate with the 2048 chain certificate using Keytool to resolve the basic constraints issue

Problem:

The server requires a certificate from a CA whose certificate contains the Basic Constraints field.

Cause:

The Entrust.net Certification Authority (2048) root does not contain the Basic Constraints field.

Solution:

To resolve this issue, replace the 2048 root with a 2048 chain certificate that chains the certification path back to the Entrust Secure Server Certification Root. This root contains the Basic Constraints field.

The original certification path of the certificates signed by the L1C is:

Web certificate -> L1C -> Entrust.net Certification Authority (2048)

To change the certification path to the Entrust Secure Server Certification Authority (1024), replace the 2048 root with a 2048 chain that is signed back to the 1024 root. This changes the path to:

Web certificate -> L1C -> 2048 chain -> Entrust.net Secure Server Certification Authority

Note: To change the certification path using the 2048 chain, you must remove the 2048 root.

To remove the 2048 root

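1. Enter the following commands. The first lists the keystore entries so that you can find the alias of the 2048 root; the second deletes that entry:

keytool -list -keystore <your_keystore_filename>

keytool -delete -alias <2048 alias> -keystore <your_keystore_filename>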

 

2048 Root:

Issued to: Entrust.net Certification Authority (2048)

Issued by: Entrust.net Certification Authority (2048)

Serial: 38 63 B9 66

 

Once you remove the 2048 root, install the L1C chain certificate.

Note: This assumes the 1024 root is already installed.


To install the L1C chain certificate
 

1. Enter the following command:

keytool -import -alias Entrust_L1C -keystore <your_keystore_filename> -trustcacerts -file <filename_of_the_L1C>


Entrust Certification Authority - L1C:

Issued to: Entrust Certification Authority - L1C

Issued by: Entrust.net Certification Authority (2048)

Serial: 38 63 C5 AE

Download link: https://www.entrust.net/downloads/root_index.cfm


 

Once you install the L1C chain certificate, install the 2048 chain.


To install the 2048 chain

1. Enter the following command:

keytool -import -alias Entrust_2048_chain -keystore <your_keystore_filename> -trustcacerts -file <filename_of_the_2048chain>

 

2048 Chain:

Issued to: Entrust.net Certification Authority (2048)

Issued by: Entrust.net Secure Server Certification Authority

Serial: 46 9E 91 1A

Download link: https://www.entrust.net/downloads/binary/entrust_2048_ssl.cer

 

Once the correct certification path is created, install your certificate as normal.


To install your certificate 

1. Enter the following command:

keytool -import -alias <alias of request> -keystore <your_keystore_filename> -trustcacerts -file <filename_of_the_webcert>

 

Note: It is recommended that you install the chain certificates under separate aliases and the certificate alone under its own alias, as described, so that when the time comes to renew your certificate the only step needed is to install the new certificate. The chain certificates will remain valid within the keystore.
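
The 2048 root and the 2048 chain have the same "Issued to" name, so only the issuer and serial number tell them apart when choosing which entry to delete. The script below is an added example, not Entrust's own tooling: it classifies keytool -list -v text using the serial numbers quoted in this article, and the aliases and shortened distinguished names in its sample listings are constructed.

```shell
#!/bin/sh
# Added example: tell the self-signed 2048 root from the 2048 chain in
# `keytool -list -v` text. Serials are the ones quoted in this article.

# stdin: `keytool -list -v` output. Prints "<alias> <root|chain|other>" for
# every entry whose subject (Owner) is the Entrust.net 2048 CA.
classify_2048() {
  awk '
    /^Alias name: /    { alias  = substr($0, 13) }
    /^Owner: /         { owner  = substr($0, 8) }
    /^Issuer: /        { issuer = substr($0, 9) }
    /^Serial number: / {
      serial = tolower(substr($0, 16))
      if (index(owner, "CN=Entrust.net Certification Authority (2048)") != 1) next
      kind = "other"
      if (owner == issuer && serial == "3863b966") kind = "root"   # self-signed
      if (owner != issuer && serial == "469e911a") kind = "chain"  # cross-signed
      print alias, kind
    }'
}

# Alias to pass to `keytool -delete -alias ...` (empty if the root is absent).
root_alias() { classify_2048 | awk '$2 == "root" { print $1 }'; }

# Succeeds only in the end state the procedure asks for:
# 2048 chain installed and the self-signed 2048 root removed.
path_ready() {
  out=$(classify_2048)
  echo "$out" | grep -q ' chain$' && ! echo "$out" | grep -q ' root$'
}

# --- Constructed sample listings (DNs shortened, aliases hypothetical) ---
CA2048='CN=Entrust.net Certification Authority (2048), O=Entrust.net'
SSCA='CN=Entrust.net Secure Server Certification Authority, O=Entrust.net'
L1C='CN=Entrust Certification Authority - L1C, O=Entrust'
entry() {  # alias owner issuer serial
  printf 'Alias name: %s\nEntry type: trustedCertEntry\n\n' "$1"
  printf 'Owner: %s\nIssuer: %s\nSerial number: %s\n\n' "$2" "$3" "$4"
}
sample_before() { entry entrust_2048_root "$CA2048" "$CA2048" 3863b966; }
sample_after() {
  entry entrust_l1c "$L1C" "$CA2048" 3863c5ae
  entry entrust_2048_chain "$CA2048" "$SSCA" 469e911a
}

sample_before | classify_2048   # entrust_2048_root root
sample_after  | classify_2048   # entrust_2048_chain chain
```

Against a real keystore, pipe the output of keytool -list -v -keystore <your_keystore_filename> into root_alias before the delete step, and into path_ready after the 2048 chain is installed.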

Affected Products:

  • Entrust Certificate Services 2 Year SSL Certificate (Version: Not Applicable; Language: Not Applicable; Platform: Not Applicable)
