Hello Christine,

I wonder if all the intermediate certificates have been registered in the keystore with the same alias entry. Could you have a look at this post?
http://stackoverflow.com/questions/9299133/why-doesnt-java-send-the-client-certificate-during-ssl-handshake/9300727#9300727

Best regards,
Thierry Boileau

On Wed, 2 Mar 2016 at 22:45, Christine Karman <christ...@christine.nl> wrote:

> I want to switch from using a self-signed certificate in Restlet, which
> worked well, to a startcom certificate. The reason I want to change it
> is that I want to give third parties access to the server without having
> to give them my self signed cert.
>
> Now I see an issue with Restlet apparently not sending the certificate
> chain, which my android app doesn't like. When I type
>
>     openssl s_client -showcerts -connect pengo.christine.nl:9005
>
> in a shell, I get this error:
>
>     CONNECTED(00000003)
>     depth=0 CN = pengo.christine.nl
>     verify error:num=20:unable to get local issuer certificate
>     verify return:1
>     depth=0 CN = pengo.christine.nl
>     verify error:num=21:unable to verify the first certificate
>     verify return:1
>
> When I type
>
>     openssl s_client -showcerts -connect pengo.christine.nl:9005 -CAfile ./chain.crt
>
> with chain.crt containing the root cert and intermediate cert, I get
>
>     CONNECTED(00000003)
>     depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
>     verify return:1
>     depth=1 C = IL, O = StartCom Ltd., OU = StartCom Certification Authority, CN = StartCom Class 1 DV Server CA
>     verify return:1
>     depth=0 CN = pengo.christine.nl
>     verify return:1
>
> My restlet configuration contains
>
>     params.add("sslContextFactory", "org.restlet.engine.ssl.DefaultSslContextFactory");
>     params.add("keystorePath", "/home/christine/motogymkhana/pengo_ssl.jks");
>     params.add("keystorePassword", ServerConstants.keyStorePw);
>     params.add("keystoreType", "JKS");
>     params.add("keyAlias", ServerConstants.keyAlias);
>     params.add("keyPassword", ServerConstants.keyPw);
>
> The keystore does contain the same certificates as the chain.crt file.
>
> How do I make Restlet send the chain with the certificate?
>
> dagdag
> Christine
>
> --
> dagdag is just a two character rotation of byebye
>
> ------------------------------------------------------
> http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3164075

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3164355
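
Added example, not part of the thread and not Restlet code: a small Python check that reads the "Certificate chain" section of `openssl s_client -showcerts` output and reports which issuer the server did not send. The sample inputs are constructed from the DNs quoted in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample DNs, taken from the depth= lines quoted in the thread.
INTERMEDIATE = "/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 1 DV Server CA"
ROOT = "/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority"
# Constructed "Certificate chain" sections (PEM bodies omitted):
# a server sending only its leaf, then one sending leaf plus intermediate.
LEAF_ONLY = f"---\nCertificate chain\n 0 s:/CN=pengo.christine.nl\n   i:{INTERMEDIATE}\n---\n"
WITH_INTERMEDIATE = (f"---\nCertificate chain\n 0 s:/CN=pengo.christine.nl\n   i:{INTERMEDIATE}\n"
                     f" 1 s:{INTERMEDIATE}\n   i:{ROOT}\n---\n")

SUBJECT = re.compile(r"^\s*(\d+)\s+s:\s*(.*)$")  # " 0 s:<subject DN>"
ISSUER = re.compile(r"^\s+i:\s*(.*)$")           # "   i:<issuer DN>"

def sent_chain(s_client_output):
    """Return [(subject, issuer), ...] for every certificate the server sent."""
    chain, in_section, subject = [], False, None
    for line in s_client_output.splitlines():
        if line.strip() == "Certificate chain":
            in_section = True
        elif in_section and line.strip() == "---":
            break  # end of the chain section
        elif in_section:
            m = SUBJECT.match(line)
            if m:
                subject = m.group(2).strip()
                continue
            m = ISSUER.match(line)
            if m and subject is not None:
                chain.append((subject, m.group(1).strip()))
                subject = None
    return chain

def first_unsent_issuer(chain):
    """Return the first issuer DN the client must supply itself, or None.

    None means the chain is empty or ends in a self-issued certificate.
    """
    for idx, (subject, issuer) in enumerate(chain):
        if issuer == subject:
            return None
        next_subject = chain[idx + 1][0] if idx + 1 < len(chain) else None
        if next_subject != issuer:
            return issuer
    return None

if __name__ == "__main__":
    for name, text in (("leaf only", LEAF_ONLY), ("with intermediate", WITH_INTERMEDIATE)):
        print(name, "->", first_unsent_issuer(sent_chain(text)))
```

If the reported issuer is an intermediate CA rather than a root the client already trusts, the client has to find that intermediate on its own, which is the `num=20` failure in the first run quoted above.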