This can be done in a number of ways. One common way is to simply but the jks in its environment and see if it works. This is however a little late for my taste. I like to check it BEFORE i put it into a running environment. I will here show 2 ways to check a certificate chain:
- Manually check the cert using keytool
- Check the chain using openSSL
1. Lets start with the manual check:
keytool -list -v -keystore my.certificate.chain.jks | grep -A 1 "Owner"
This command will list all certifications (and keys) Owner (CN) and Issuer (CN) something like this:
- Owner: CN=app.tankmin.se, OU=Secure Link SSL, OU=Tankmin…
Issuer: CN=Network Solutions OV Server CA 2, O=Network Solutions L.L.C…. - Owner: CN=Network Solutions OV Server CA 2, O=Network Solutions L.L.C….
Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network… - Owner: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network…
Issuer: CN=AddTrust External CA Root, OU=AddTrust External TTP Network… - Owner: CN=AddTrust External CA Root, OU=AddTrust External TTP Network…
Issuer: CN=AddTrust External CA Root, OU=AddTrust External TTP Network…
I have here rearrange them with my application certificate at the top and the root CA certification at the bottom. I have also given every entry a number to easier be able to explain the logic behind the chain.
From here it is pretty simple to see that:
- Issuer of my application certificate (no. 1) is Network Solutions OV Server CA 2 and
- Issuer of that certificate (no. 2) is USERTrust RSA Certification Authority, and
- Issuer of that certificate (no. 3) is AddTrust External CA Root which is the root CA (no. 4)
Since all certificates are linked together down to the root CA the chain is complete. Note: The root CA certificate will always be self-signed
2. And now, if you do not want to do all the above you can use openSSL to verify your application certificate with the following command:
openssl verify -CAfile root.pem -untrusted intermediate.pem application.pem
-CAFile is the root certificate -untrusted is the intermidiate (if any) certificates application.pem is your application certificate
The openSSL command above will check the chain to your application certificate and give you a:
application.pem: OK
if all is good
Tested on OpenSSL 1.0.2o 27 Mar 2018 and Java 1.8.0_121
You didn’t explain that the certificates must be extracted from the .jks in order to verify the chain if you only have the .jks file.
where mykey is replaced with the alias for the certificate to export.
You are so right. For the second solution with OpenSSL, you need to extract the certificates. Thank you for pointing that out!