Support Questions
Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Advanced Search

Using Existing Set of root and intermediate CA certificates with new CA Signed Certificates?

Using Existing Set of root and intermediate CA certificates with new CA Signed Certificates?

Labels:
mkobe
Explorer

Created on ‎01-14-2020 01:50 PM - edited ‎01-14-2020 01:51 PM

I'm in the process of renewing the certificates for each node in my Hadoop cluster. I obtained a certificate file for each of my nodes. But when running the following command, I get the error

 

keytool error: java.lang.Exception: Failed to establish chain from reply”

 

Command:

 

sudo keytool -importcert -alias node1 -file node1.cer -keystore keystore.jks

 

 

From what I've gathered this happens because I didn't load the root and intermediate CA certificates into the truststore yet.

 

Looking into the truststore.jks file itself, I can see that I already have root and intermediate CA certificates that are still not expired for a long while. So they've already been loaded.

 

So is it possible to use these existing root and intermediate CA certificates while importing my new Hadoop node certificate into the keystore?

 

(Also, I've tried this command alteration but still got the same error:)

 

sudo keytool -import -alias node1 -trustcacerts -storetype jceks -file node1.cer -keystore keystore.jks

 

 

Reply
255 Views
0 Kudos
Tags (3)
2 REPLIES 2
Highlighted

Re: Using Existing Set of root and intermediate CA certificates with new CA Signed Certificates?

EricL
Guru

Created ‎01-14-2020 02:20 PM

@mkobe

Keytool is a Java program, which uses cacerts or jssecacerts as its truststore, they are under $JAVA_HOME/jre/lib/security.

Have you imported those certificates into jssecacerts?

If you do not have jssecacerts file, suggest you to copy original cacerts into new file jssecacerts and then modify jssecacerts by importing new certificates. This ensures that the original cacerts file from Java package is unchanged.

Cheers
Eric
Reply
247 Views
0 Kudos
Highlighted

Re: Using Existing Set of root and intermediate CA certificates with new CA Signed Certificates?

mkobe
Explorer

Created on ‎01-15-2020 08:14 AM - edited ‎01-15-2020 08:47 AM

@EricL 

 

After obtaining root and intermediate CA certificates, and using the following command:

 

 

sudo keytool -importcert -alias rootca -keystore cacerts -file /tmp/rootca.crt

 

 

Where cacerts is the truststore file.

 

I get the following message:

 

 

Certificate already exists in keystore under alias <...>

 

 

So rootca and intermediateca certs are already in my cacerts truststore. So why is keytool not allowing me to import the new certificate into the keystore? (note: I'm trying to import the server certificate into a different file than cacerts)

Reply
225 Views
0 Kudos
Don't have an account?
Register
Announcements
Product Announcements
[ANNOUNCE] New Cloudera JDBC 2.6.20 Driver for Apache Impala Released
Product Announcements
Transition to private repositories for CDH, HDP and HDF
Product Announcements
[ANNOUNCE] New Applied ML Research from Cloudera Fast Forward: Few-Shot Text Classification
Product Announcements
[ANNOUNCE] New JDBC 2.6.13 Driver for Apache Hive Released
Product Announcements
[ANNOUNCE] Refreshed Research from Cloudera Fast Forward: Semantic Image Search and Federated Learning
View More Announcements