Screen with bytes of info

RSS Feed
Technology Bytes

Importing a Digital ID into Opera


The certificate's chain was not ordered correctly

     I recently purchased a new domain name and with each domain name, I create an administrative e-mail account that ends in that domain's name.  In this case, I wanted to go ahead a create a digital ID (S/MIME X.509) certificate and I like to create digital ID keys with a large key length.

     In the past, I had found that when creating a digital ID, most CAs (Certificate Authority) use the browser to generate the keys and that different browsers have different options for key length.  I found this by using Mozilla's sample KEYGEN form.  When using Firefox or Google Chrome, it only gives two choices for length: High Grade (which is 2048 bits) and Medium Grade (which is 1024 bits).  Internet Explorer 8 doesn't support the tag and I couldn't get Safari to run properly on Windows.  Finally, I was able to test Opera and found that it supports thirteen different key lengths starting at 1024 all the way to 4096.  So I decided to use Opera to generate my digital ID with a key length of 4096.

     My favorite CA is StartCom's StartSSL.com.  To log in, it is required to have the account digital ID imported into the browser and it uses that to authenticate the session instead of a username and password.  Since I didn't have my digital ID for my account imported into Opera, I attempted to do so and this is where I ran into problems.

     I opened Opera, clicked on the Opera button at the top left, moved my mouse to Settings, and then clicked Preferences.  I clicked the Advanced tab, clicked the option Security, and then clicked the Manage Certificates button which brought up the Certificate Manager window.  I then made sure I was on the Personal tab and chose the import button to import my identity.  When I selected the file, it gave me the error,  The certificate's chain was not ordered correctly.  I tried it a couple of times and still kept getting the error.

     I started using Google to look up what other people have said about it.  I found that some people converted the file to a different format, rearranged the certificate data in the file, and then re-converted it back to the PKCS12 (p12/pfx extension) that Opera can read.  I tried rearranging the certificate data several different ways but still kept running into the error.  Finally, I actually complete removed the root CA certificate key from the file and left the intermediate CA certificate key, my public key, and my private key (encrypted) in the file, converted it back and Opera took it!  So for me, removing the Root CA Certificate Key was required to get Opera to recognize it.

     The way I converted the file was using the following process with OpenSSL (original.p12 is the original file that contained my digital identity):
I converted my original identity to ASCII PEM:
openssl pkcs12 -in original.p12 -out temp.pem

I then took the temp.pem file I created and opened it up with a text editor.  I figured which one was the Root Certificate and removed it and saved the file.
I then converted the file back to PKCS12 so Opera could read it:
openssl pkcs12 -export -aes256 -in temp.pem -out new.p12

Once this was done, I then imported the new.p12 file into Opera.