
Java Certificate Chain

Posted: Thu Jun 18, 2020 12:15 pm
by Bernd.N
Our keystore has four certificates in a chain, of which two were expired.
I managed now to add two new certificates (ROOT and INTERMEDIATE), and they show both green now (see screenshots).

Was it correct to also delete the two old certificates (which have the red dot in the E column in the second screenshot), or do they have to stay in the keystore file?
I deleted them.

CodeSigner at least states "Chain verification: OK".

Re: Java Certificate Chain

Posted: Tue Jun 23, 2020 9:23 pm
by sbutler
Mine looked a bit different than yours. I had just 1 entry shown in Keystore Explorer, and I was able to modify the chain to get it working. Maybe this helps.
What I did to get ours working...
- Download their AAA backward compatible certs
- When inspecting the certificate, I see there are 4 certs in the chain. The top 2 were expired.
- I right clicked on the certificate and chose Edit Certificate Chain->Remove certificate. I did that twice, and that removed the top 2.
- Then right click on the certificate again, and choose Edit Certificate Chain->Append certificate. I kept doing that trying all the AAA certs until 2 of them got in.
- Then when inspecting the cert, I saw there were again 4 certs in the chain, but now they were all valid and not expired.

Of course, before doing all of this, make sure you have a backup of your keystore in case you hose things.

Sounds like you did something similar. The key is to right click on your certificate (the one with the golden colored key icon on the left) and inspect it to make sure its chain is valid.
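
The chain inspection both posts describe can also be done programmatically. The following is an added example, not part of the original thread: it walks every key entry in a keystore, reports each certificate's expiry status, and checks that each certificate is signed by the next one in the chain. The class name `ChainCheck` is hypothetical, and the code assumes Java 9 or later and X.509 certificates.

```java
import java.io.Console;
import java.io.File;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Hypothetical helper class (not from the thread); requires Java 9+.
public class ChainCheck {
    public static void main(String[] args) throws Exception {
        Console con = System.console();
        if (args.length != 1 || con == null) {
            System.err.println("usage (from a terminal): java ChainCheck.java <keystore-file>");
            System.exit(2);
        }
        // KeyStore.getInstance(File, char[]) detects the keystore type and loads the file.
        KeyStore ks = KeyStore.getInstance(new File(args[0]), con.readPassword("Keystore password: "));
        boolean ok = true;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;          // only key entries carry a chain
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null) continue;                  // e.g. a secret-key entry
            System.out.println("Alias: " + alias + " (" + chain.length + " certificates)");
            for (int i = 0; i < chain.length; i++) {
                X509Certificate cert = (X509Certificate) chain[i];   // assumes X.509 entries
                String status = "valid";
                try {
                    cert.checkValidity();                 // compares against the current time
                    // Each certificate must be signed by the next one up the chain.
                    if (i + 1 < chain.length) cert.verify(chain[i + 1].getPublicKey());
                } catch (CertificateExpiredException e) {
                    status = "EXPIRED";
                } catch (CertificateNotYetValidException e) {
                    status = "NOT YET VALID";
                } catch (GeneralSecurityException e) {
                    status = "NOT SIGNED BY NEXT CERTIFICATE";
                }
                if (!status.equals("valid")) ok = false;
                System.out.printf("  [%d] %s | not after %s | %s%n", i,
                        cert.getSubjectX500Principal().getName(), cert.getNotAfter(), status);
            }
        }
        System.exit(ok ? 0 : 1);   // non-zero exit if any certificate failed a check
    }
}
```

Run it against a backup copy of the keystore before and after editing the chain; it only reads the file and does not check the chain against any trust store.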