Failed to load keys. Invalid certificate chain. Check the order of certificates

Good afternoon!

We are having a strange problem with Keycloak and we're hoping the forum can help us. We have Keycloak 21.1.1 installed on OEL version 7.0. We are trying to use the admin CLI to create a new java-keystore. Our system is on a government system, so the GUI is being blocked. We downloaded the server.pfx file and used openssl to generate a key file, chain and cert file:

openssl pkcs12 -in [domain].pfx -nocerts -nodes -out [domain].key.pem
openssl pkcs12 -in [domain].pfx -clcerts -nokeys -out [domain].cert.pem
openssl pkcs12 -in [domain].pfx -cacerts -nokeys -chain -out [domain].ca.pem

We then used openssl to verify the chain:

openssl verify -verbose -CAfile [domain].ca.pem [domain].cert.pem
[domain].cert.pem OK

Next we used openssl to create a pkcs12 trust store:

openssl pkcs12 -export -in [domain].cert.pem -inkey [domain].key.pem -chain -CAfile [domain].ca.pem -out [domain].p12 -name [domain]

We connect to the Keycloak CLI:
export PATH=$PATH:/data/alfresco/7.0/keycloak/bin

./keycloak/bin/kcadm.sh config credentials --server http://localhost:8446 --realm master --user [user]

Password: [password]

We then run this command to create a new java-keystore in our alfresco realm:

./keycloak/bin/kcadm.sh create components -r alfresco -s name=java-keystore -s providerId=java-keystore -s providerType=org.keycloak.keys.KeyProvider -s parentId=alfresco -s 'config.priority=["200"]' -s 'config.enabled=["true"]' -s 'config.active=["true"]' -s 'config.keystore=["[domain].p12"]' -s 'config.keystorePassword=["[password]"]' -s 'config.keyPassword=["[password]"]' -s 'config.keyAlias=["[domain]"]'

When we run this command, we get the following:

Failed to load keys. Invalid certificate chain. Check the order of certificates.

We have no idea why Keycloak is having an issue with the certs. We've even tried rearranging the certs so that the CA is first, then the intermediate, and finally the issuing certificate. If anyone has had this issue before and can suggest a solution, we would appreciate it. This has been an issue for going on a week now.

Thanks for your time and help!

Steve
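The script below is an added example and is not part of the original post, nor Keycloak's or OpenSSL's own code. It shows the procedure the post describes end to end on a throwaway PKI: the conventional chain order is the end-entity certificate first, each certificate followed by the one that issued it, and the root (if included) last, which is also the order Java's KeyStore.getCertificateChain(alias) documents (index 0 is the key's own certificate). The check_chain_order function verifies that order on a PEM bundle before the bundle is packed into a PKCS#12 keystore, so a misordered bundle is caught on the command line rather than by the kcadm error. The hostname keycloak.example.test, the alias, the password changeit and the working directory are assumptions made for this example; the certificates are generated by the script itself (1-day validity), not taken from anywhere.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): build a demo root -> intermediate -> leaf
# PKI, check that a PEM bundle is ordered leaf first / issuer next, and pack the
# correctly ordered bundle into a PKCS#12 keystore. All names are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # assumed working directory
P12_PASS="${P12_PASS:-changeit}"      # assumed keystore password (use a real one)
ALIAS="${ALIAS:-keycloak.example.test}"

# Generate a constructed three-tier PKI: self-signed root, CA:TRUE intermediate, server leaf.
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1
  # The intermediate must carry basicConstraints CA:TRUE or openssl verify rejects it as a CA.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" >/dev/null 2>&1
  # The leaf is the server certificate that becomes the key entry in the keystore.
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$ALIAS" > "$WORK/leaf.ext"
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$ALIAS" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" >/dev/null 2>&1
  cat "$WORK/leaf.crt" "$WORK/int.crt" "$WORK/root.crt" > "$WORK/chain-good.pem"  # leaf first, root last
  cat "$WORK/root.crt" "$WORK/int.crt" "$WORK/leaf.crt" > "$WORK/chain-bad.pem"   # reversed order
}

# Return 0 if every certificate in the bundle is followed by the certificate that
# issued it (subject/issuer names match and the signature verifies), else 1.
check_chain_order() {
  local bundle="$1" dir n i issuer subject
  dir="$(mktemp -d)"
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle") || n=0
  if [ "$n" -lt 1 ]; then echo "no certificates in $bundle" >&2; return 1; fi
  # Split the bundle into 1.pem, 2.pem, ... in file order.
  awk -v d="$dir" 'BEGIN{n=0} /-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/" n ".pem")}' "$bundle"
  i=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -in "$dir/$i.pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$dir/$((i+1)).pem" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    if [ "$issuer" != "$subject" ]; then
      echo "order error: certificate $i (issuer '$issuer') is followed by '$subject', not its issuer" >&2
      rm -rf "$dir"; return 1
    fi
    # Names alone are not proof; -partial_chain lets the next certificate act as the anchor.
    if ! openssl verify -partial_chain -CAfile "$dir/$((i+1)).pem" "$dir/$i.pem" >/dev/null 2>&1; then
      echo "signature error: certificate $i is not signed by certificate $((i+1))" >&2
      rm -rf "$dir"; return 1
    fi
    i=$((i+1))
  done
  rm -rf "$dir"
  return 0
}

# Pack the leaf key and an ordered bundle into a PKCS#12 under one alias; refuse bad order.
build_p12() {
  local chain="$1" out="$2"
  check_chain_order "$chain" || return 1
  # openssl matches -inkey to its certificate in the bundle and stores the others alongside it.
  openssl pkcs12 -export -in "$chain" -inkey "$WORK/leaf.key" -name "$ALIAS" \
    -out "$out" -passout "pass:$P12_PASS"
}

# Count the certificates stored in a PKCS#12 (expected 3 for the demo chain).
p12_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$P12_PASS" 2>/dev/null | grep -c -- '-----BEGIN CERTIFICATE-----'
}

if [ "${1:-}" = "demo" ]; then
  make_demo_pki
  build_p12 "$WORK/chain-good.pem" "$WORK/$ALIAS.p12" && echo "built $WORK/$ALIAS.p12 ($(p12_cert_count "$WORK/$ALIAS.p12") certs)"
  build_p12 "$WORK/chain-bad.pem" "$WORK/bad.p12" || echo "reversed bundle rejected as expected"
fi
```

Run it as `bash chain-check.sh demo` to see the good bundle packed and the reversed one refused; against a real deployment, run check_chain_order on the concatenation of the cert.pem and ca.pem files produced from the .pfx before the pkcs12 -export step, and pass the resulting -name as config.keyAlias. The check deliberately does not require the last certificate to be self-signed, since a chain may legitimately stop at an intermediate the relying party already trusts.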