On 04-03-16 15:29, Thierry Boileau wrote:
> Hello Christine,
>
> I wonder if all the intermediate certificates have been registered in
> the keystore with the same alias entry.
> Could you have a look at this post?
> http://stackoverflow.com/questions/9299133/why-doesnt-java-send-the-client-certificate-during-ssl-handshake/9300727#9300727

Thierry,
I made a mistake in building the keystore, sorry for the fuss. It works now. I'm very happy with Restlet :-)

dagdag
Christine

>
> Best regards,
> Thierry Boileau
>
> On Wed, 2 Mar 2016 at 22:45, Christine Karman <christ...@christine.nl> wrote:
>
> > I want to switch from using a self-signed certificate in Restlet, which
> > worked well, to a StartCom certificate. The reason I want to change it
> > is that I want to give third parties access to the server without having
> > to give them my self-signed cert.
> >
> > Now I see an issue with Restlet apparently not sending the certificate
> > chain, which my Android app doesn't like. When I type
> >
> >     openssl s_client -showcerts -connect pengo.christine.nl:9005
> >
> > in a shell, I get this error:
> >
> >     CONNECTED(00000003)
> >     depth=0 CN = pengo.christine.nl
> >     verify error:num=20:unable to get local issuer certificate
> >     verify return:1
> >     depth=0 CN = pengo.christine.nl
> >     verify error:num=21:unable to verify the first certificate
> >     verify return:1
> >
> > When I type
> >
> >     openssl s_client -showcerts -connect pengo.christine.nl:9005 -CAfile ./chain.crt
> >
> > with chain.crt containing the root cert and intermediate cert, I get
> >
> >     CONNECTED(00000003)
> >     depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
> >     verify return:1
> >     depth=1 C = IL, O = StartCom Ltd., OU = StartCom Certification Authority, CN = StartCom Class 1 DV Server CA
> >     verify return:1
> >     depth=0 CN = pengo.christine.nl
> >     verify return:1
> >
> > My Restlet configuration contains
> >
> >     params.add("sslContextFactory", "org.restlet.engine.ssl.DefaultSslContextFactory");
> >     params.add("keystorePath", "/home/christine/motogymkhana/pengo_ssl.jks");
> >     params.add("keystorePassword", ServerConstants.keyStorePw);
> >     params.add("keystoreType", "JKS");
> >     params.add("keyAlias", ServerConstants.keyAlias);
> >     params.add("keyPassword", ServerConstants.keyPw);
> >
> > The keystore does contain the same certificates as the chain.crt file.
> >
> > How do I make Restlet send the chain with the certificate?
> >
> > dagdag
> > Christine
> >
> > --
> > dagdag is just a two character rotation of byebye
> >
> > ------------------------------------------------------
> > http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3164075

--
dagdag is just a two character rotation of byebye

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3166083
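
Added example, not part of the thread and not Restlet code: a Java check for the condition Thierry asks about, namely whether the private-key entry itself carries the intermediate certificates rather than having them stored under separate aliases. The class name `ChainCheck` and the `KEYSTORE_PW` environment variable are assumptions, and the check expects a CA-issued certificate, so a chain holding only the leaf is reported as incomplete.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

// Added example. Usage: KEYSTORE_PW=... java ChainCheck.java <keystore.jks> <keyAlias>
// ChainCheck and KEYSTORE_PW are names assumed for this example.
public class ChainCheck {

    // True when the key entry holds the leaf plus at least one issuer and
    // each certificate in the entry is signed by the one that follows it.
    static boolean chainIsComplete(KeyStore ks, String alias) throws Exception {
        if (!ks.isKeyEntry(alias)) {
            System.out.println(alias + ": not a private-key entry");
            return false;
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length < 2) {
            // Intermediates stored under their own aliases are trusted-cert
            // entries; they are not part of this key entry's chain.
            System.out.println(alias + ": only the leaf is attached");
            return false;
        }
        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = (X509Certificate) chain[i];
            System.out.println("depth=" + i + " subject=" + c.getSubjectX500Principal()
                    + " issuer=" + c.getIssuerX500Principal());
            if (i + 1 < chain.length) {
                // Throws if chain[i] was not signed by chain[i + 1].
                c.verify(chain[i + 1].getPublicKey());
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, System.getenv("KEYSTORE_PW").toCharArray());
        }
        System.out.println(chainIsComplete(ks, args[1]) ? "chain attached" : "chain incomplete");
    }
}
```

The depth lines it prints can be compared directly with the `depth=` lines from `openssl s_client -showcerts` in the original message.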