I created a set of procedures, using Wowza instructions: https://www.wowza.com/docs/how-to-request-an-ssl-certificate-from-a-certificate-authority … combined with our university’s site for acquiring an InCommon cert.
Another IT person here successfully got SSL working on a Windows Server 2012 R2 physical server; I’m trying to do the same on the same OS, but running as a VM (the university provides the VM service).
One thing that I’ve never understood, is the part where Wowza says to: “Execute one of the following commands to import the signed certificate that you received the from the certificate authority:” followed by instructions for a chain cert, and then for a new cert. The former pertains to Incommon v. 2 certs, and the latter to the PEM. Both refer to intermediate certs; the sha-2 certs mention the root cert.
I get the error “keytool error: java.lang.Exception: Failed to establish chain from reply” when I try the procedure for the new certificate.
My .jks file does not have all the entries that the .jks on the server that is working has.
In case any has any ideas:
Create (generate) private key (keystore)
keytool -genkey -keysize 2048 -alias wowzaprivatekey -keyalg RSA -keystore ourserver.fake1.edu.jks
Create a CSR
keytool -certreq -file ourserver.fake1.edu.csr -alias wowzaprivatekey -keyalg RSA -keystore ourserver.fake1.edu.jks
Submit the .csr to a certificate authority
Get “new InCommon certificate”.
Paste the contents of the .csr in the the “CSR (PEM)” field.
Create PEM (Certificate of Authority) file (get contents from PEM cert provided in response to CSR request; InCommon intermediate certificates for sha-2 certificates signed after October 5, 2014.)
Save as: PEM-.crt (Replace with actual number.)
Obtain intermediate and root certificates.
Go to our cert acquiring url … then click the cert you’ve created. CLICK: “Add the InCommon intermediate certificates to your SSLCertificateChainFile.” copy sha-2 certificates. Grab everything inside the marque, i.e., starting with:
InCommon intermediate certificates for sha-2 certificates signed after October 5, 2014.
Paste into Notepad on the server.
Save as “incommonsha-2.crt” in …conf.
Execute one of the following commands to import the signed certificate that you received the from the certificate authority:
FOR A CHAIN CERTIFICATE:
keytool -import -alias incommonsha-2 -trustcacerts -file incommonsha-2.crt -keystore ourserver.fake1.edu.jks
“Your keystore contains 2 entries” (Some of the entry is human readable.)
FOR A NEW CERTIFICATE:
Import cert (the PEM file) to the keystore
keytool -import -alias wowzaprivatekey -trustcacerts -file PEM-11557.crt -keystore ourserver.fake1.edu.jks
keytool error: java.lang.Exception: Failed to establish chain from reply