LetsEncrypt CAFile for pkcs12 format

you may get “Error unable to get local issuer certificate getting chain.” while creating a keystore in the pkcs12 with Letsencrypt certificate.  You need to create CAFile to fix this issue.

install openjdk-8-jre for keytool, if you do not have keytool command on Linux

# sudo apt-get install openjdk-8-jre

To create CAFile, download  and merge root and intermediate certificate of Letsencrypt at https://letsencrypt.org/certs

# wget https://letsencrypt.org/certs/isrgrootx1.pem.txt  #

# wget https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt

# cat isrgrootx1.pem.txt letsencryptauthorityx3.pem.txt > letsencryptCA.pem

# openssl pkcs12 -export -in domain.crt -inkey domain.key -chain -CAfile letsencryptCA.pem -name “mycert” -out myapp.p12

# keytool -importkeystore -deststorepass myapppass -destkeystore myapp.keystore -srckeystore myapp.p12 -srcstoretype PKCS12

Verify the keystore;

# keytool -list -v -keystore myapp.keystore -storepass myapppass

Now you can use this keystore on Tomcat/Jboss

ismail yenigul

LetsEncrypt CAFile for pkcs12 format

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s