electrodyssey.net

Odyssey of Electronics and Computers

Namecheap positive ssl chain / java keystore

March 27, 2020 — Nazim

Recently I've spent some time importing the Namecheap.com PositiveSSL certificate chain into a Java keystore, so I'm documenting it here as a reminder. To import the certificate and private key, they first have to be bundled into a PKCS#12 (.p12) file, because keytool cannot import a bare PEM key. Certificate order also matters for some clients: the correct order is the leaf (server) certificate first, then the intermediates, and the root CA last.


  1. Generate the private key and CSR and submit the CSR to Namecheap:

    $openssl req -new -newkey rsa:2048 -nodes -keyout api-example.key -out api-example.csr

    -nodes writes the private key unencrypted, so restrict the file (chmod 600 api-example.key) and keep it out of the zip you upload; only the .csr goes to Namecheap.

  2. Validate your CSR and download the client certificate zip.

  3. Download COMODOCertificationAuthority.crt; this is their new CA certificate, cross-signed with an old one which expires in May 2020.

  4. Append the intermediate certificates received from Namecheap to your server certificate:

    $cat apiexamplecom.crt apiexamplecom.ca-bundle > api-example-chain.crt

    Make sure that adjacent certificates are separated by a newline, otherwise openssl will complain. There must be a line break between -----END CERTIFICATE----- and the following -----BEGIN CERTIFICATE-----; a certificate file without a trailing newline glues the two markers onto one line. To check that every certificate in the file still parses, and that they come out leaf first, run $openssl crl2pkcs7 -nocrl -certfile api-example-chain.crt | openssl pkcs7 -print_certs -noout, which prints subject and issuer of each certificate in file order.

  5. Export the chain into the p12 format:

    $openssl pkcs12 -export -in api-example-chain.crt -inkey api-example.key -out api-example.p12 -name api.example.com -CAfile COMODOCertificationAuthority.crt -caname root

    You are prompted for an export password, which is needed again when importing into the keystore. Note that openssl pkcs12 only consults -CAfile when -chain is also given, so as written the p12 contains exactly the certificates in api-example-chain.crt. If the root should end up in the keystore as well, append COMODOCertificationAuthority.crt to the chain file in step 4 instead of relying on -CAfile.

  6. Import the resulting p12 file into a Java keystore. -srcstorepass is the export password from step 5; changeit is only the example value, and the destination passwords are whatever your server config expects:

    $keytool -importkeystore \
      -deststorepass changeit -destkeypass changeit -destkeystore example-keystore.jks \
      -srckeystore api-example.p12 -srcstoretype PKCS12 -srcstorepass changeit \
      -alias api.example.com

  7. Once the server is running with the keystore, check the chain it actually sends with openssl (-servername sets SNI, so a host serving several names returns the right certificate):

    $openssl s_client -showcerts -servername api.example.com -connect api.example.com:443

    The certificates should be listed leaf first and the "Verify return code" at the end should read 0 (ok). Alternatively, use an online SSL checker.
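The whole procedure as an added, runnable example (this is not code from the original post): a throwaway root and intermediate stand in for the Namecheap CA certificate and ca-bundle, the file names follow the post, and the password changeit, the subjects and api.example.com are placeholders. It reproduces the missing-newline problem from step 4 and shows a safe way to build the chain, verifies the chain against the root, exports it to PKCS#12 and, if keytool is on PATH, imports it into a keystore.

```shell
#!/bin/sh
# Added example, not code from the original post. A throwaway root ->
# intermediate -> leaf chain stands in for the Namecheap/Sectigo bundle;
# file names follow the post, all subjects, passwords and names are
# placeholders constructed for this demo.
set -eu

NAME=api.example.com
PASS=changeit                 # assumed p12 / keystore password
WORK=$(mktemp -d)
cd "$WORK"

# Minimal OpenSSL config holding the extension set for each tier.
cat > chain.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
[inter]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[leaf]
basicConstraints = CA:false
extendedKeyUsage = serverAuth
subjectAltName = DNS:api.example.com
EOF

q() { "$@" >/dev/null 2>&1; }   # quiet wrapper; set -e still aborts on failure

# Stand-ins for the CA certificate (step 3) and the ca-bundle Namecheap ships.
make_test_ca() {
  q openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 -config chain.cnf -extensions ca \
    -subj "/CN=Example Test Root" -keyout root.key -out COMODOCertificationAuthority.crt
  q openssl req -new -newkey rsa:2048 -nodes -config chain.cnf \
    -subj "/CN=Example Test Intermediate" -keyout int.key -out int.csr
  q openssl x509 -req -in int.csr -CA COMODOCertificationAuthority.crt -CAkey root.key -CAcreateserial \
    -days 30 -sha256 -extfile chain.cnf -extensions inter -out apiexamplecom.ca-bundle
}

# Step 1 (CSR) and the issued server certificate. The leaf is written without
# a trailing newline on purpose, to reproduce the END/BEGIN glue problem.
make_leaf() {
  q openssl req -new -newkey rsa:2048 -nodes -config chain.cnf -subj "/CN=$NAME" \
    -keyout api-example.key -out api-example.csr
  q openssl x509 -req -in api-example.csr -CA apiexamplecom.ca-bundle -CAkey int.key -CAcreateserial \
    -days 30 -sha256 -extfile chain.cnf -extensions leaf -out leaf.tmp
  printf '%s' "$(cat leaf.tmp)" > apiexamplecom.crt   # $(...) strips the final newline
  rm leaf.tmp
}

# What plain cat produces from such a file: END and BEGIN markers on one line.
naive_glue_count() {
  cat apiexamplecom.crt apiexamplecom.ca-bundle | grep -c -- 'END CERTIFICATE----------BEGIN' || true
}

# Step 4 done safely: leaf first, intermediates next, root last. awk re-terminates
# every line, so a missing final newline can no longer glue two certificates.
build_chain() {   # usage: build_chain out.crt leaf.crt bundle.crt root.crt
  out=$1; shift
  : > "$out"
  for f in "$@"; do awk '{ print }' "$f" >> "$out"; done
}

cert_count()    { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }
glue_count()    { grep -c -- 'END CERTIFICATE----------BEGIN' "$1" || true; }
first_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//; s/ //g'; }

# Chain check: the bundle is only an untrusted helper, the root is the anchor.
verify_chain() {
  q openssl verify -CAfile COMODOCertificationAuthority.crt -untrusted apiexamplecom.ca-bundle apiexamplecom.crt && echo ok
}

# Step 5. The root is already in the chain file, so no -chain/-CAfile is needed.
export_p12() {
  q openssl pkcs12 -export -in api-example-chain.crt -inkey api-example.key \
    -name "$NAME" -passout "pass:$PASS" -out api-example.p12
}
p12_cert_count() {
  openssl pkcs12 -in api-example.p12 -nokeys -passin "pass:$PASS" 2>/dev/null | grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Step 6. Prints "skipped" when no JDK is on PATH, "ok" when the alias holds a key.
import_keystore() {
  command -v keytool >/dev/null 2>&1 || { echo skipped; return 0; }
  q keytool -importkeystore -noprompt -srckeystore api-example.p12 -srcstoretype PKCS12 \
    -srcstorepass "$PASS" -alias "$NAME" -destkeystore example-keystore.jks \
    -deststorepass "$PASS" -destkeypass "$PASS"
  keytool -list -keystore example-keystore.jks -storepass "$PASS" -alias "$NAME" 2>/dev/null \
    | grep -q PrivateKeyEntry && echo ok
}

make_test_ca
make_leaf
build_chain api-example-chain.crt apiexamplecom.crt apiexamplecom.ca-bundle COMODOCertificationAuthority.crt
export_p12
KEYSTORE=$(import_keystore)
echo "naive cat glued lines: $(naive_glue_count); chain: $(cert_count api-example-chain.crt) certs," \
     "first $(first_subject api-example-chain.crt), verify: $(verify_chain), p12 certs: $(p12_cert_count)," \
     "keystore: $KEYSTORE, work dir: $WORK"
```

Run it with sh; it prints the work directory so the generated files can be inspected with the crl2pkcs7 check from step 4. With a real Namecheap bundle, drop make_test_ca and make_leaf, put the files from the zip in the work directory under the same names, and keep the rest.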

That's it.

--

Update: one of the root certificates expired on June 1, 2020. Some clients do not recognize the cross-signed Comodo / Sectigo certificates, so you may need to download the bundle from Namecheap again and regenerate your keystore. The new bundle contains an updated intermediate chain.

Tags: java, ssl