Entrust Certificate Services Support Knowledge Base
Audience: General
Last Modified: 2009-10-08 13:15:20.0
TN 7869 - Installing the Entrust certificate with the 2048 chain certificate using Keytool to resolve the basic constraints issue
Installing the Entrust certificate with the 2048 chain certificate using Keytool
Issue: The server requires a certificate from a CA whose certificate contains the basic constraints field.
Solution: The Entrust.net Certification Authority (2048) root does not contain the basic constraints field. To resolve this issue, replace the 2048 root with a 2048 chain certificate, which chains the certification path back to the Entrust Secure Server Certification Root that contains the basic constraints field.
The original certification path of the certificates signed by the L1B is:
Web certificate -> L1B -> Entrust.net Certification Authority (2048)
To change the certification path to the Entrust Secure Server Certification Authority (1024), we will replace the 2048 root with a 2048 chain that is signed back to the 1024. This will change the path to:
Web certificate -> L1B -> 2048 chain -> Entrust Secure Server Certification Authority
Please note – to change the certification path using the 2048 chain you must remove the 2048 root.
You may find the following commands useful for this:
keytool -list -v -keystore <your_keystore_filename>
keytool -delete -alias <2048 alias> -keystore <your_keystore_filename>
2048 Root (the certificate to remove):
Issued to: Entrust.net Certification Authority (2048)
Issued by: Entrust.net Certification Authority (2048)
Serial: 38 63 B9 66
Now that you have removed the 2048 root you can install the L1B chain cert. This is assuming that the 1024 root is already installed.
Use the command line:
keytool -import -alias Entrust_L1B -keystore <your_keystore_filename> -trustcacerts -file <filename_of_the_L1B>
Entrust Certification Authority - L1B:
Issued to: Entrust Certification Authority - L1B
Issued by: Entrust.net Certification Authority (2048)
Serial: 38 63 C5 AE
Download link: https://www.entrust.net/downloads/binary/entrust_l1b.cer
Then install the 2048 chain:
keytool -import -alias Entrust_2048_chain -keystore <your_keystore_filename> -trustcacerts -file <filename_of_the_2048chain>
2048 Chain:
Issued to: Entrust.net Certification Authority (2048)
Issued by: Entrust.net Secure Server Certification Authority
Serial: 46 9E 91 1A
Download link: https://www.entrust.net/downloads/binary/entrust_2048_ssl.cer
Now that the correct certification path is created, install your certificate as normal:
keytool -import -alias <alias of request> -keystore <your_keystore_filename> -trustcacerts -file <filename_of_the_webcert>
Please Note - It is recommended that you install the chain certificates under separate aliases and the certificate alone under its own alias, as described, so that when the time comes to renew your certificate the only step needed is to install the new certificate. The chain certificates will remain valid within the keystore.
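To confirm that the keystore now holds the intended path, the following added example (not part of the Entrust note) checks `keytool -list -v` output against the serial numbers listed above: the self-signed 2048 root must be absent, and the L1B and 2048 chain certificates must be present. The function names and the sample listing are constructed for illustration; the 1024 root is not checked because this note does not give its serial.

```shell
#!/bin/sh
# Added example, not Entrust code. Serials are the ones quoted in this article,
# written the way `keytool -list -v` prints them (lowercase hex, no spaces).
ROOT_2048_SERIAL=3863b966    # self-signed 2048 root: must be absent
L1B_SERIAL=3863c5ae          # Entrust Certification Authority - L1B
CHAIN_2048_SERIAL=469e911a   # 2048 chain issued by the Secure Server CA

# Read a keytool listing on stdin; print one normalized serial per line.
list_serials() {
    sed -n 's/^[[:space:]]*Serial number:[[:space:]]*//p' |
        tr 'A-F' 'a-f' | tr -d ' :\r'
}

# Return 0 if the listing matches the intended path, 1 otherwise.
check_chain_listing() {
    serials=$(list_serials)
    status=0
    if printf '%s\n' "$serials" | grep -qx "$ROOT_2048_SERIAL"; then
        echo "FAIL: self-signed 2048 root ($ROOT_2048_SERIAL) still present"
        status=1
    fi
    for want in "$L1B_SERIAL" "$CHAIN_2048_SERIAL"; do
        if ! printf '%s\n' "$serials" | grep -qx "$want"; then
            echo "FAIL: no certificate with serial $want"
            status=1
        fi
    done
    if [ "$status" -eq 0 ]; then
        echo "OK: L1B and 2048 chain present, 2048 root absent"
    fi
    return "$status"
}

# Constructed sample listing (trimmed to the fields the check reads).
sample_listing() {
    cat <<'EOF'
Alias name: entrust_l1b
Owner: CN=Entrust Certification Authority - L1B
Issuer: CN=Entrust.net Certification Authority (2048)
Serial number: 3863c5ae
Alias name: entrust_2048_chain
Owner: CN=Entrust.net Certification Authority (2048)
Issuer: CN=Entrust.net Secure Server Certification Authority
Serial number: 469e911a
EOF
}

sample_listing | check_chain_listing
# Real use: keytool -list -v -keystore <your_keystore_filename> | check_chain_listing
```

The 2048 root and the 2048 chain share the same "Issued to" name, so the check keys on the serial number rather than the subject.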
Affected Products:
- Entrust Certificate Services 2 Year SSL Certificate (Version: Not Applicable; Language: Not Applicable; Platform: Not Applicable)