Having issues using existing Entrust certificates for Jetty SSL connection

I have three files from Entrust: *.csr, *.key and *.crt.

So far:

1. I have brought the *.key and *.crt into a PKCS12 keystore using OpenSSL
2. I have imported the *.pkcs12 into a keystore using keytool
3. Using this technique, I am able to use 开发者_如何转开发an SSL connection with Jetty

However, I'm getting a Certificate Error in IE (unsecured items in Chrome).

In our case, the certificates are currently being used for domain:80 (Apache) and I'm attempting to "reuse" them for domain:8443 (Jetty).

Am I wrong in thinking that I can use these for Jetty as well? On the same IP/domain, but on a different port and webserver? My gut is telling me that one of these files relates to Entrust recognizing Apache (*.csr) and that I should have to do the same for Jetty?

Edit #1

The error goes as follow:

Certificate Error

Untrusted Certificate

The security certificate presented by this webiste was not issued by a trusted certificate authority

This problem may indicate an attempt to fool you or intercept any data you send to the server.

We recommend that you close this webpage.

But yet Chrome, sees it as valid. I does have to work on IE since it's our standard.

Edit #2

1. Chrome doesn't complain
2. Nor does Firefox

Edit #3

I found our CA certificate specified in the Apache conf file. I then proceeded to concatenate our cert with the CA cert into a PKCS12 file. Then, using keytool, I generated the keystore.

I loaded it on the server, rebooted and viewed in IE. IE still shows a certificate issue.

In the concatenated file, I see in this order: our cert and then 2 other certificates.

On a side note, I called Entrust and the CSR saw no problems as he was using IE 8. We're on IE7.

Edit #4

Using this command:

keytool -list -keystore keystore -v

It shows 3 certificates (in this order):

1. Ours
2. Owner: CN=Entrust Certification Authority - L1C,
3. Owner: CN=Entrust.net Certification Authority (2048)

Edit 5

Solved! I guess I had a caching issue. Confirmed with colleagues.

Answer, Concatenating all my certs, including the CA cert, into the keystore solved my issue.

The port number, as stated in the comments, is irrelevant for trusting an SSL/TLS connection.

The problem is that the entire certificate chain from your certificate up to the Entrust root probably looks like this

your cert - intermediate CA 1 - intermediate CA 2 - ... - root CA

To make this work for IE you have to import not only your certificate into the PKCS#12 container, but additionally the intermediate certificates and also the root certificate. Otherwise your SSL implementation won't be able to provide the full path during the SSL handshake and thus IE has no means to build a proper chain to compare to its set of trusted root certificates.

So my advise would be to get the intermediate certificates from the appropriate web sites and importing them with keytool into your PKCS#12 key store.

Once done, IE should from then on accept without complaining.