Every certificate in your certificate chain must be present in your truststore. You can test whether they are with the following command, where -CApath is the directory holding the trusted certificates in PEM form:
openssl s_client -connect your.server:port -CApath /path/to/certs
Successful output from the above command looks like this:
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 C = US, ST = Some-State, O = Organization, CN = your.server
verify return:1
---
Certificate chain
0 s:C = US, ST = Some-State, O = Organization, CN = your.server
i:C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2055 bytes and written 441 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
...
---
Note the line "Verification: OK".
An unsuccessful output might look like:
CONNECTED(00000003)
depth=0 C = US, ST = Some-State, O = Some-Organization, CN = your.server
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = Some-State, O = Some-Organization, CN = your.server
verify return:1
---
Certificate chain
0 s:/C=US/ST=Some-State/O=Some-Organization/CN=your.server
i:/C=US/ST=Some-State/O=Some-Organization/CN=Some-CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[encoded certificate data]
-----END CERTIFICATE-----
---
No client certificate CA names sent
---
SSL handshake has read 1484 bytes and written 456 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 5F4E3C1D9F5B8CD16AEF23A6EF837B396FBAE4D763C3F8F1F5B9D66407A77F0F
Session-ID-ctx:
Master-Key: E3CC7EE7BFD36FAD9BDC2C6A6A9FECB6E3EC4637D8FCC4B9A5B9A5D9E7A8BBCF3EACAE5B67B6ECEA5B633AD5E7E6C3F3
Start Time: 1594825600
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Note the line "verify error:num=20:unable to get local issuer certificate".
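The two outcomes above, reproduced offline as an added example (this is not code from the original article): a throwaway CA and a server certificate are generated with openssl, and the chain is checked against a -CApath directory with openssl verify, which uses the same verification engine and messages as s_client but needs no live server. The CA, the subject names and the directory layout are constructed for this example; note that -CApath only finds certificates stored under their subject-hash file names, which openssl rehash (or c_rehash) creates.

```shell
#!/bin/sh
# Added example, not code from the original article: build a throwaway CA and a
# server certificate, then verify the chain against a -CApath directory the same
# way s_client does, reproducing the failing and the successful outcome.
set -eu

WORK=$(mktemp -d)
CAPATH="$WORK/certs"   # the directory the article's -CApath points at
mkdir -p "$CAPATH"

# Throwaway root CA (constructed test data, not a real CA)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

# Leaf certificate for your.server, issued by that CA
openssl req -newkey rsa:2048 -nodes -subj "/CN=your.server" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/server.crt" >/dev/null 2>&1

# verify_chain CERT CAPATH: same verification engine and messages as s_client,
# without needing a live server. Never aborts the script; the text is the result.
verify_chain() {
  openssl verify -CApath "$2" "$1" 2>&1 || true
}

# 1. Empty truststore directory: the article's "unable to get local issuer certificate"
before=$(verify_chain "$WORK/server.crt" "$CAPATH")

# 2. Issuer copied in, but -CApath looks up files by subject-name hash, so a
#    plain ca.crt is still not found
cp "$WORK/ca.crt" "$CAPATH/"
unhashed=$(verify_chain "$WORK/server.crt" "$CAPATH")

# 3. Create the hash-named links (openssl rehash, or c_rehash on older builds)
openssl rehash "$CAPATH" >/dev/null 2>&1 || c_rehash "$CAPATH" >/dev/null 2>&1
after=$(verify_chain "$WORK/server.crt" "$CAPATH")

echo "empty truststore : $before"
echo "unhashed issuer  : $unhashed"
echo "hashed issuer    : $after"
```

Once the directory is hashed, the verify step reports OK and the s_client run from the article shows "Verification: OK" against the same directory.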
If a certificate is not in the truststore, you can import it into the truststore with the following command:
keytool -import -trustcacerts -file /path/to/myCert.crt -keystore /path/to/my-truststore.jks
The -trustcacerts argument is important because it imports all certificates from $JAVA_HOME/lib/security/cacerts to my-truststore.jks.