BlackBerry Administration Service Thawte SSL Certificate install
I ran into a couple of problems earlier while trying to install a new certificate for our BlackBerry Enterprise Servers. We are running BES 5 and had been using the default self-signed certificate that is made during the install. We are still in pilot mode so that wasn’t a problem. Well, we are now gearing up to go production so we needed to get a trusted cert.
I followed the instructions to make the request that RIM provides in the administration guide and sent the CSR off to our security group to get a cert issued from Thawte. The CSR was rejected! Thawte could not determine the key size. By default the keytool utility chooses 1024 and DSA but it couldn’t figure out the size. Even if I told it to use 1024 with the -keysize flag, it would still fail. Viewing the CSR in openssl also did not show the size. It was not until I chose RSA that it was able to determine the size. To do this I ran:
keytool.exe -genkey -keysize 1024 -keyalg "RSA" -alias <alias name> -keypass <password> -keystore "<location to web.keystore>"
After that I was able to successfully create the certificate. Unfortunately I wasn’t done! Once I tried to import it, I got the error “keytool error: java.lang.Exception: Failed to establish chain from reply.” A quick Bing/Google search and I was able to find out that I needed to add the Thawte root CA to the keystore. I downloaded the CA and ran:
keytool.exe -import -trustcacerts -alias "Whatever you want" -file <location to thawte .cer> -keystore <location of keystore>
It gave me a warning that “Certificate already exists in system-wide CA keystore under alias <#####> Do you still want to add it to your own keystore?” I said yes and was then able to add our cert. I copied the web.keystore file to each BES server and restarted the BAS services.
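The whole sequence above in one PowerShell script, as an added example that is not from the original post, with the two checks a practitioner would want: that the CSR actually carries a readable RSA key before it goes to the CA, and that the keystore entry holds a full chain before it is copied to the BES servers. Paths, the alias, the store password and the .cer file names are placeholders; `-genkeypair` and `-importcert` are the Java 6+ names for the `-genkey` and `-import` commands used above; openssl is assumed to be on the PATH; 2048 bits is used because public CAs no longer accept 1024-bit keys.

```powershell
# Added example, not the original post's commands. Placeholders to adjust:
$Keytool   = "C:\path\to\keytool.exe"
$Keystore  = "C:\path\to\web.keystore"
$Alias     = "bas-web"
$StorePass = "CHANGE_ME"
$Dname     = "CN=bes.example.com, O=Example Corp, C=US"
$Csr       = "$env:TEMP\bas.csr"

# 1. Generate the key pair. An explicit -keyalg RSA is what let Thawte read the
#    key size from the CSR; 2048 bits is the current minimum for public CAs.
& $Keytool -genkeypair -alias $Alias -keyalg RSA -keysize 2048 -sigalg SHA256withRSA `
    -dname $Dname -keystore $Keystore -storepass $StorePass -keypass $StorePass

# 2. Write the CSR that goes to the security group / CA.
& $Keytool -certreq -alias $Alias -file $Csr -keystore $Keystore -storepass $StorePass

# 3. Check the CSR before sending it: openssl must show the algorithm and size.
#    (OpenSSL prints "Public-Key: (2048 bit)"; older builds "RSA Public Key: (2048 bit)".)
$reqText = (& openssl req -in $Csr -noout -text) -join "`n"
if ($reqText -notmatch 'rsaEncryption' -or $reqText -notmatch '\(2048 bit\)') {
    throw "CSR does not expose a 2048-bit RSA key; the CA will reject it"
}

# 4. Import the CA chain first (root, then any intermediate) as trusted CA
#    entries. Skipping this is what produces
#    "Failed to establish chain from reply" when the signed cert is imported.
#    -noprompt answers "yes" to the "already exists in system-wide CA keystore" question.
& $Keytool -importcert -trustcacerts -noprompt -alias thawte-root `
    -file "C:\path\to\thawte_root.cer" -keystore $Keystore -storepass $StorePass

# 5. Import the signed certificate under the SAME alias as the private key, so
#    keytool replaces the self-signed cert with the CA-issued chain instead of
#    adding a separate trusted-cert entry.
& $Keytool -importcert -alias $Alias -file "C:\path\to\bas_signed.cer" `
    -keystore $Keystore -storepass $StorePass

# 6. Verify the entry now carries a chain (length > 1) before copying
#    web.keystore to each BES server and restarting the BAS services.
$listing = (& $Keytool -list -v -alias $Alias -keystore $Keystore -storepass $StorePass) -join "`n"
if ($listing -notmatch 'Certificate chain length: ([2-9]|\d{2,})') {
    throw "Keystore entry '$Alias' still holds a single (self-signed) certificate"
}
Write-Host "Keystore '$Keystore' is ready to copy to the BES servers."
```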
This may be obvious to people more familiar with the keytool utility but I’m a Windows guy and usually handle certificates in IIS or the certificates MMC snap-in. This was new territory for me but thankfully we got it figured out. Now I need to start the process to move our users to the new environment.