I'm having some problems getting my VeriSign Secure Site Pro certificate to work. I'm hoping that someone here can help since VeriSign is useless. My web site stopped working on or around Jan 7th. A quick look at the VeriSign web site pointed me in the direction of the intermediate certificate. Using keytool I confirmed that a certificate in my chain expired. The result of a keytool -list -v looked something like this:

Alias name: mykey
…
Entry type: keyEntry
Certificate chain length: 3
Certificate[1]:
…
Certificate[2]:
…
Certificate[3]: #This is the expired cert
Owner: OU=Class 3 Public Primary certification Authority, O="VeriSign, Inc.", C=US
Issuer: OU=Class 3 Public Primary certification Authority, O="VeriSign, Inc.", C=US
Serial number: e49efdf33ae80ecfa5113e19a4240232
Valid from: Sun Jan 28 16:00:00 PST 1996 until: Wed Jan 07 15:59:59 PST 2004
Certificate fingerprints:
MD5: 78:2A:02:DF:DB:2E:14:D5:A7:5F:0A:DF:B6:8E:9C:5D
SHA1: 4F:65:56:63:36:DB:65:98:58:1D:58:4A:59:6C:87:93:4D:5F:2A:B4

So I generated a new keystore and then a CSR.

I copied the intermediate cert from https://www.verisign.com/support/in...termediate.html and added it to my keystore using the following command:

keytool -keystore keystore -keyalg RSA -import -trustcacerts -alias cacert -file verisign_inter.cer

It imported like a champ!

When I got my cert back from VeriSign and imported it, the cert chain looked exactly as before, except the new VeriSign cert was chained to the expired root. Everything I read said that this would not happen. I thought I would get an error from keytool.

Then I deleted all the expired VeriSign certs out of cacerts. I imported the intermediate cert from VeriSign to cacerts and generated a new keystore and CSR. When I imported the certificate from VeriSign, the cert didn't chain to any root. I also tried importing the intermediate to the same keystore as the purchased cert.

I'm not sure what to do next. Does anyone have any experience with certs that won't chain or replacing intermediate certs? Any help would be appreciated.
Each cert holds the unique id of the cert that signed it, and that id is part of the signed data, so it cannot be changed. If the chained cert expired, then simply replacing it in the keystore with another cert of the same name (not the same id) will not chain it again. You have no choice but to get another cert. Verisign put an advisory out about this (their cert expiring before your cert does, which should not be allowed). Sorry, can't find the link.

Justin

On Wed, 11 Feb 2004 12:46:02 -0800, TonyShirt wrote:

> I'm having some problems getting my VeriSign Secure Site pro
> certificate to work. I'm hoping that someone here can help since
> VeriSign is useless. My web site stopped working on or around Jan
> 7th. A quick look at the VeriSign web site pointed me in the
> direction of the intermediate certificate. Using keytool I confirmed
> that a certificate in my chain expired. The result of a keytool -list
> -v looked something like this:
>
> Alias name: mykey
> …
> Entry type: keyEntry
> Certificate chain length: 3
> Certificate[1]:
> …
> Certificate[2]:
> …
> Certificate[3]: #This is the expired cert
> Owner: OU=Class 3 Public Primary certification Authority, O="VeriSign, Inc.", C=US
> Issuer: OU=Class 3 Public Primary certification Authority, O="VeriSign, Inc.", C=US
> Serial number: e49efdf33ae80ecfa5113e19a4240232
> Valid from: Sun Jan 28 16:00:00 PST 1996 until: Wed Jan 07 15:59:59 PST 2004
> Certificate fingerprints:
> MD5: 78:2A:02:DF:DB:2E:14:D5:A7:5F:0A:DF:B6:8E:9C:5D
> SHA1: 4F:65:56:63:36:DB:65:98:58:1D:58:4A:59:6C:87:93:4D:5F:2A:B4
>
> So I generated a new keystore and then a CSR.
>
> I copied the intermediate cert from
> https://www.verisign.com/support/in...termediate.html and added
> it to my keystore using the following command:
>
> keytool -keystore keystore -keyalg RSA -import -trustcacerts -alias
> cacert -file verisign_inter.cer
>
> It imported like a champ!
>
> When I got my cert back from VeriSign and imported it, the cert chain
> looked exactly as before, except the new VeriSign cert was chained to
> the expired root. Everything I read said that this would not happen.
> I thought I would get an error from keytool.
>
> Then I deleted all the expired VeriSign certs out of cacerts. I
> imported the intermediate cert from VeriSign to cacerts and generated
> a new keystore and CSR. When I imported the certificate from
> VeriSign, the cert didn't chain to any root. I also tried importing
> the intermediate to the same keystore as the purchased cert. I'm not
> sure what to do next. Does anyone have any experience with certs that
> won't chain or replacing intermediate certs? Any help would be
> appreciated.
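The chaining rule Justin describes, shown with constructed certificates (this is an added example, not code from the thread; it assumes the Python 'cryptography' package is installed): an issuer is matched by name, then by the key identifier the leaf carries, then by verifying the signature, and only then is its validity period checked. A replacement CA cert with the same name but a new key fails at the key-id step, so the only repair is a leaf reissued under the new CA key.

```python
# Added example (not from the thread). Recreates the situation discussed:
# a site cert signed by a CA cert that expires before the site cert does,
# and a replacement CA cert that shares the name but not the key.
# Requires the 'cryptography' package (assumed installed); all names,
# keys and dates below are constructed for the demonstration.
import datetime as dt
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.exceptions import InvalidSignature

def make_cert(subject, issuer, pub, signer_key, not_before, not_after):
    """Minimal cert carrying SubjectKeyIdentifier and AuthorityKeyIdentifier."""
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(pub)
            .serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_after)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(pub), critical=False)
            .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(
                signer_key.public_key()), critical=False)
            .sign(signer_key, hashes.SHA256()))

def expiry(cert):
    """notAfter as an aware UTC datetime, across cryptography versions."""
    exp = getattr(cert, "not_valid_after_utc", None)
    return exp if exp is not None else cert.not_valid_after.replace(tzinfo=dt.timezone.utc)

def signed_by(cert, candidate, now):
    """Verdict on 'candidate' as the issuer of 'cert', in the order a chain builder checks."""
    if cert.issuer != candidate.subject:
        return "name mismatch"
    akid = cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value.key_identifier
    skid = candidate.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.digest
    if akid != skid:
        return "same name, different key id"   # the signer's id is inside the signed data
    try:
        candidate.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                      ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return "signature invalid"
    return "signer expired" if now > expiry(candidate) else "ok"

def demo():
    """Constructed CA/site certs; returns the verdict for each candidate chain."""
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA (constructed)")])
    site = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "www.example.test")])
    old_ca_key, new_ca_key, site_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    y2003, y2004, y2005 = (dt.datetime(y, 1, 1, tzinfo=dt.timezone.utc) for y in (2003, 2004, 2005))
    old_ca = make_cert(ca_name, ca_name, old_ca_key.public_key(), old_ca_key, y2003, y2004)  # expires Jan 2004
    new_ca = make_cert(ca_name, ca_name, new_ca_key.public_key(), new_ca_key, y2003, y2005)  # same name, new key
    site_cert = make_cert(site, ca_name, site_key.public_key(), old_ca_key, y2003, y2005)    # outlives its signer
    reissued = make_cert(site, ca_name, site_key.public_key(), new_ca_key, y2003, y2005)     # the actual fix
    now = dt.datetime(2004, 2, 11, tzinfo=dt.timezone.utc)  # date of the thread
    return {"old_ca": signed_by(site_cert, old_ca, now), "new_ca": signed_by(site_cert, new_ca, now),
            "reissued": signed_by(reissued, new_ca, now)}
```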
Rather than trying to patch up your cacerts file, I would recommend downloading and installing a recent JDK/JRE, which will contain a current cacerts file. Then re-import your new Verisign certificate into your keystore. You should find that it chains to the current CA cert.
Actually, now that I think about it, I expect your certificate was signed by Verisign using the CA cert which has now expired. This means my earlier advice won't help. You will still need to do that (get a current Java environment), but you will also need a new certificate.

Verisign did you a disservice if they signed your certificate using a CA that was set to expire before your certificate expiration date. You should point this out to them and try to get them to waive the replacement fee, which is what they will try to charge you.
"unixisbetter" <noAddress@available.com> wrote in message news:<0457187356a50b7c3d40f469bc7bd640@localhost.talkaboutprogramming.com>...

> Actually, now that I think about it, I expect your certificate was signed by Verisign using the CA cert which has now expired - this means my earlier advice won't help. You will still need to do that (get a current Java environment), but you will also need a new certificate.
>
> Verisign did you a dis-service if they signed your certificate using a CA that was set to expire before your certificate expiration date. You should point this out to them and try to get them to waive the replacement fee, which is what they will try to charge you.

I think the bigger disservice is that they refuse to support keytool and other Java-based application servers. I'm totally on my own when it comes to these certs. If I had a choice I would use someone else.

Here's what I did. I'm concerned that upgrading the whole JRE on the server will cause havoc on my application. I've tried upgrading in the past and it causes problems in the application. No matter what Sun says, they have a backward compatibility problem. In any case, I downloaded the new JRE and replaced the old server cacerts file with the new cacerts from the new JRE. I think it's 1.4.2_02. The original is 1.4.0_01. It still won't chain.

Do I need any other files to get keytool to chain properly? Also, if I change the cacerts file on the server, do I need my clients to change the same file on their local machine?
"unixisbetter" <noAddress@available.com> wrote in message news:<0457187356a50b7c3d40f469bc7bd640@localhost.talkaboutprogramming.com>...

> Actually, now that I think about it, I expect your certificate was signed by Verisign using the CA cert which has now expired - this means my earlier advice won't help. You will still need to do that (get a current Java environment), but you will also need a new certificate.
>
> Verisign did you a dis-service if they signed your certificate using a CA that was set to expire before your certificate expiration date. You should point this out to them and try to get them to waive the replacement fee, which is what they will try to charge you.

I don't think I mentioned this in the last post. I got a new cert from VeriSign; my old one was up for renewal a month later. So to recap, I added the cacerts file from the 1.4.2_02 JRE to my original installation (1.4.0_01). I generated a new keystore and cert request. Got it signed by VeriSign, imported it, and it did NOT chain.

Any guesses what to do next?
TonyShirt <tonyshirt@hotmail.com> wrote:

> I'm having some problems getting my VeriSign Secure Site pro
> certificate to work.

Join the club. Did they charge you $1,200 for a chained cert? Did they advertise an expiration date that forgot about the CA expiring? Did you have to wait two ws to receive it? God knows why people don't shop around even a little. You can get a better cert, compatible with more browsers, not chained, CA won't expire before the cert, with same day delivery, for $160 at Geotrust.

> I'm hoping that someone here can help since
> VeriSign is useless.

At least you recognize the problem. Verislime has been a complete rip-off for many years now. If you purchase another cert from them you're part of the problem.

Rafael
> ... Any guesses what to do next?

Yes. Why don't you try to see if a new JRE solves the problem? If it does, you know your way of mixing JREs and PKI chains is broken. If it doesn't, you have a complete test case to forward to Sun, VeriSign, newsgroups, whatever. That'd save time.

-Hans