Java Quick Guide

This guide contains useful Java information.

Keytool and certificates.


Operating system used
Windows XP Home Edition Version 5.1 SP 2

Software prerequisites
Java 2 Standard Edition (J2SE) SDK, version 1.4 or higher.

Example 1: How to solve error message: "untrusted server cert chain"

The situation.
A Java client application "negotiates" an SSL connection with a server in order to request data from this server.
The server has now upgraded its SSL certificates from "unchained certificates" to "chained certificates".

Unchained certificates


Note: The client cacerts keystore contains the "VeriSign/RSA Secure Server CA" certificate.

Chained certificates


Certificate 1 is called the root certificate.
Certificate 2 is called the intermediate certificate.

After the upgrade the Java client application displays the following error message: "untrusted server cert chain".

The cause.
The Java client has neither of the chained certificates (1) and (2) in the trusted root certificate list in its cacerts keystore. During "negotiation" of an SSL connection the client receives a certificate from the server which can no longer be verified as trusted.

The solution.
This problem can be solved by adding the root certificate (1) to the Java client's cacerts keystore.

A. First download the root certificate:
  • Launch IE (NOT Firefox), access the HTTPS site and click the secure icon.

    Note: In this example IE7 is used.

    Secure icon.

  • A box opens; click the "show certificates" link.

    Show certificates.

  • Go to the Certification Path on the Certificate dialog.

    Chained certificates

  • Select the root certificate (1) and click the View Certificate Button.

    View certificate

  • Select the Details tab on the new Certificate dialog which shows details of the root certificate.
    Click the Copy to File button in order to export the certificate as a .cer file.

    Certificate copy to file

  • Click Next on the Certificate Export Wizard dialog.

    Certificate export wizard

  • Choose Base64 encoded X.509 (.cer) and click Next.

    Select Base64 encoded X.509

  • Enter the filename and path in order to store the certificate and then click Next.

    Export certificate

  • Click Finish.

    Export finish

  • Press OK several times to close the dialog boxes.

  • The root certificate is exported (e.g.: C:\Tools\java\jdk1.3.1_09\jre\lib\security\verisign.cer).

    Certificate saved

    Note: You can check the verisign.cer certificate by double clicking it.

B. The final step is to import verisign.cer into the Java client's cacerts keystore:
  • Open a DOS window and go to: C:\Tools\java\jdk1.3.1_09\jre\lib\security\

  • Type: keytool -import -alias myverisignalias -file verisign.cer -trustcacerts -keystore cacerts

    The password is: changeit

C. The error message "untrusted server cert chain" should now have disappeared.
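
Before running the import in step B, it is worth confirming that the exported file really is the self-signed root and noting its fingerprint, because every certificate added to cacerts becomes a trust anchor for all SSL connections the client makes. The following is an added example, not part of the original guide; the class name CheckRootCert and its argument order are assumptions, and it needs Java 7 or later.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Added example, not part of the original guide. Class name and argument order are assumptions.
// Run from the security directory: java CheckRootCert verisign.cer cacerts changeit
public class CheckRootCert {

    // Colon-separated SHA-256 of the DER encoding, to compare with the value the CA publishes.
    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            sb.append(i == 0 ? "" : ":").append(String.format("%02X", digest[i] & 0xff));
        }
        return sb.toString();
    }

    // A root certificate verifies under its own public key and names itself as issuer.
    static boolean isSelfSigned(X509Certificate cert) {
        try {
            cert.verify(cert.getPublicKey());
            return cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
        } catch (Exception e) {
            return false; // signature check failed: this is not a root certificate
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) throw new IllegalArgumentException("args: <cert.cer> <keystore> <password>");
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            // Accepts both Base64 (.cer as exported in step A) and binary DER files.
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) {
            ks.load(in, args[2].toCharArray());
        }
        System.out.println("Subject:     " + cert.getSubjectX500Principal().getName());
        System.out.println("SHA-256:     " + fingerprint(cert));
        System.out.println("Self-signed: " + isSelfSigned(cert));
        System.out.println("Valid until: " + cert.getNotAfter());
        String alias = ks.getCertificateAlias(cert); // null when the certificate is not in the keystore
        System.out.println(alias == null ? "Not in keystore yet" : "Already trusted as alias: " + alias);
    }
}
```

Run it again after step B: the last line should then report the alias myverisignalias.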