Unable to connect to LDAP server over SSL using Spring template

Updated: 2021-11-01 07:40:19

It looks like the chain of trust is broken. Two possible reasons.

  1. The certificate from the server is not a single certificate but a chain up to the root CA, and you have imported only one. You need to verify and import that complete chain.

a. To check the certificate chain, dump it using openssl:

>openssl s_client -showcerts -connect host:port

b. To import the chain you need to either convert the PEM to PKCS#7 or split it.

i. Convert PEM to PKCS#7

ii. Split

While importing the certificate, use the "-trustcacerts" option so that certificates already in the keystore are considered for the chain of trust.

>keytool -import -trustcacerts -file /path/ldapserver.pem -alias somealias -keystore /security/cacerts
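As an added example that is not part of the original answer, the script below carries the "split" route (step b.ii) through end to end: it dumps the chain an LDAPS server presents with the `openssl s_client -showcerts` command cited above, splits the PEM bundle into one certificate per file, and imports each file with `keytool -importcert -trustcacerts`. The host name, keystore path, aliases and the sample two-certificate bundle it splits on its own are all constructed for the demonstration; the base64 bodies in that sample are placeholders, not real certificates, so the demo exercises only the splitting logic and never imports them.

```shell
#!/bin/sh
# Added example, not the answer's own code: dump the chain an LDAPS server
# presents, split the PEM bundle into one certificate per file (the "split"
# route from step b.ii), and import each piece with keytool -trustcacerts.
# The host, keystore path, aliases and the sample bundle are constructed.
set -e

# dump_chain HOST:PORT OUTFILE
# Saves the full chain the server sends (the openssl command the answer cites).
dump_chain() {
    openssl s_client -showcerts -connect "$1" </dev/null 2>/dev/null > "$2"
}

# split_pem_chain BUNDLE OUTDIR
# Writes cert-1.pem, cert-2.pem, ... (leaf first, in the order the server
# sent them) and prints how many certificates were found. Text outside the
# BEGIN/END markers, such as the "s:" / "i:" subject and issuer lines that
# s_client prints, is discarded.
split_pem_chain() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END                           { print n + 0 }
    ' "$bundle"
}

# import_chain OUTDIR KEYSTORE STOREPASS
# Imports every split certificate under its own alias. -trustcacerts lets
# keytool use certificates already in the keystore when validating the chain.
import_chain() {
    dir="$1"; keystore="$2"; storepass="$3"
    for f in "$dir"/cert-*.pem; do
        alias="ldap-$(basename "$f" .pem)"
        keytool -importcert -noprompt -trustcacerts \
            -file "$f" -alias "$alias" \
            -keystore "$keystore" -storepass "$storepass"
    done
}

DEMO_DIR=$(mktemp -d)

# demo_split: splits a constructed two-certificate s_client dump. The base64
# bodies are placeholders, not real certificates, so this only exercises the
# splitting logic; import_chain is not run on them.
demo_split() {
    cat > "$DEMO_DIR/chain.pem" <<'EOF'
Certificate chain
 0 s:CN=ldap.example.test
   i:CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
MIIBPLACEHOLDERLEAFCERTIFICATEBODY
-----END CERTIFICATE-----
 1 s:CN=Example Issuing CA
   i:CN=Example Root CA
-----BEGIN CERTIFICATE-----
MIIBPLACEHOLDERINTERMEDIATECERTIFICATEBODY
-----END CERTIFICATE-----
---
Server certificate
EOF
    split_pem_chain "$DEMO_DIR/chain.pem" "$DEMO_DIR/split"
}

count=$(demo_split)
echo "split $count certificate(s) into $DEMO_DIR/split"

# Real run against a server (constructed host and keystore values):
#   ./ldaps-chain.sh ldap.example.test:636 /path/to/cacerts changeit
if [ $# -eq 3 ]; then
    dump_chain "$1" "$DEMO_DIR/live-chain.pem"
    split_pem_chain "$DEMO_DIR/live-chain.pem" "$DEMO_DIR/live" >/dev/null
    import_chain "$DEMO_DIR/live" "$2" "$3"
fi
```

Before importing a split chain into a shared cacerts file, inspect each piece with `openssl x509 -noout -subject -issuer -in cert-N.pem` so that only the CA certificates you actually intend to trust are added; the subject/issuer annotations that s_client prints are dropped by the split, so the files themselves no longer say which is the leaf and which is an intermediate.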