keytool insists on storing the full certificate chain when importing a certificate into the keystore, therefore it is sometimes necessary to import a CA root into the certificate keystore (not only into the truststore).
After importing the certificate for the key, all additional certificates (intermediary CAs, root CAs, etc.) should be deleted from the keystore using “keytool -delete”, otherwise a “Supplied key (null) is not a RSAPrivateKey instance” exception will be displayed in the Server Certificates screen.
The exception itself can be fixed easily:
Index: src/web/ssl-certificates.jsp
===================================================================
--- src/web/ssl-certificates.jsp (wersja 12902)
+++ src/web/ssl-certificates.jsp (kopia robocza)
@@ -348,7 +348,9 @@
if (isSigningPending) {
// Generate new signing request for certificate
PrivateKey privKey = (PrivateKey) keyStore.getKey(a, SSLConfig.getKeyPassword().toCharArray());
- signingRequests.put(a, CertificateManager.createSigningRequest(c, privKey));
+ if (privKey != null) {
+ signingRequests.put(a, CertificateManager.createSigningRequest(c, privKey));
+ }
}
%> <tr valign="top">
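Review bot: the `if (privKey != null)` guard added around `signingRequests.put(...)` only suppresses the exception. An alias for which `keyStore.getKey(a, ...)` returns null still enters the `isSigningPending` branch and reaches the `<tr valign="top">` row that follows, now without a signing request. Consider excluding such aliases before this branch, for example by testing `keyStore.isKeyEntry(a)` where `isSigningPending` is decided, so that certificate-only entries are not treated as pending, and add a comment stating why a null key can occur here.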
Probably a whole logic of this look needs some review; those certificates without private keys are now displayed as Pending Verification items.
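The cleanup step described above (removing the separately imported CA entries with `keytool -delete`) can be scripted as a dry run. This is an added example, not part of the original post: the sample listing is constructed, `/path/to/keystore` is a placeholder, and it assumes aliases do not contain ", ".

```shell
#!/bin/sh
# Constructed sample in the layout printed by `keytool -list`.
# Fingerprints are placeholders, not real values.
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

rootca, Jun 1, 2011, trustedCertEntry,
Certificate fingerprint (MD5): <fingerprint placeholder>
example.org_rsa, Jun 1, 2011, PrivateKeyEntry,
Certificate fingerprint (MD5): <fingerprint placeholder>
intermediateca, Jun 1, 2011, trustedCertEntry,
Certificate fingerprint (MD5): <fingerprint placeholder>'

# Read `keytool -list` output on stdin and print the aliases of
# certificate-only entries (trustedCertEntry). Key entries are skipped,
# so the private key and the chain stored with it are left alone.
extra_cert_aliases() {
    awk -F', ' '/, trustedCertEntry,/ { print $1 }'
}

# Dry run: print one `keytool -delete` command per certificate-only alias.
# Review the output before running any of it against a real keystore.
delete_commands() {
    keystore=$1
    extra_cert_aliases | while IFS= read -r name; do
        printf 'keytool -delete -alias "%s" -keystore "%s"\n' "$name" "$keystore"
    done
}

# Demo on the constructed sample. Against a real keystore the input would be:
#   keytool -list -keystore /path/to/keystore | delete_commands /path/to/keystore
printf '%s\n' "$SAMPLE_LISTING" | delete_commands /path/to/keystore
```

Back up the keystore file before running the printed commands; `keytool` will prompt for the store password on each call.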