Home/ Questions/Q 8085977
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-05T18:18:40+00:00

I need to build a keystore with all the needed SSL certificates to make

  • 0

I need to build a keystore with all the needed SSL certificates to make my Android app connect to a webserver via https.

This is my certificate chain (obtained with openssl s_client -connect www.myhost.com:443):

 0 s:/C=US/ST=State/L=Location/O=Organization/OU=Webserver Team/CN=www.myhost.com
   i:/C=US/O=Thawte, Inc./CN=Thawte SGC CA - G2
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 2 s:/C=US/O=Thawte, Inc./CN=Thawte SGC CA - G2
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 3 s:/C=US/O=thawte, Inc./OU=Terms of use at https://www.thawte.com/cps (c)06/CN=thawte Extended Validation SSL CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
 4 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com

My problem is that I’m not 100% sure about how to create the keystore to import in my android application. I’ve only been able to download VeriSign Class 3 Public Primary Certification Authority - G5 and Thawte Primary Root CA from the Thawte and Verisign website. I can’t find the other two that If I’m not wrong should be Thawte SGC CA - G2 and thawte Extended Validation SSL CA.

If I had all of them, I would proceed creating a keystore with the procedure explained in this answer to a question similar to this one.

Am I misunderstanding something? Do I really need all the 4 certificates or not? I’m also not sure of the order (and the aliases) I should use when adding these certificates to the keystore. Does it matter?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    In the end, my problem was that the server was not sending the certificates in the right order (you can see it from the openssl output I posted in my question). The solution was to subclass X509TrustManager and, on method checkServerTrusted, just reorder the certificate chain before passing it to the super implementation. The reordering code is the following:

        int currIndex;
    for (currIndex = 0; currIndex < certificates.length; ++currIndex) {
        boolean foundNext = false;
        for (int nextIndex = currIndex + 1; nextIndex < certificates.length; ++nextIndex) {
            if (certificates[currIndex].getIssuerDN().equals(certificates[nextIndex].getSubjectDN())) {
                foundNext = true;
                // Exchange certificates so that 0 through currIndex + 1 are in proper order
                if (nextIndex != currIndex + 1)  {
                    X509Certificate tempCertificate = certificates[nextIndex];
                    certificates[nextIndex] = certificates[currIndex + 1];
                    certificates[currIndex + 1] = tempCertificate;
                }
                break;
             }
         }
         if (!foundNext) break;
     }
    • 0