olegk wrote:
> Well, you do not need an entire chain.
>
> ...Effectively you need only one certificate in the chain to trust the
> whole chain.

You know, that's how I _thought_ it was supposed to work in the first place...

olegk wrote:
> To sum up: you need to import a certificate of the trusted CA into a
> keystore file and configure SSL context passing an instance of KeyStore
> generated from that file as a _truststore_. Pass null as a keystore
> parameter. That is it.

Oh shoot! I had a fundamental misunderstanding -- I didn't realize there was a difference between a keystore used for client SSL certificates, and a truststore used for server certificate authentication. When I used the correct SSLSocketFactory constructor, it worked after adding just the CA root to my truststore file.

Thanks Oleg for your patience while explaining this to me. You're the man.

--
View this message in context: http://www.nabble.com/SSLPeerUnverifiedException----cannot-get-chain-imported-correctly-tp21564943p21581299.html
Sent from the HttpClient-User mailing list archive at Nabble.com.
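
The truststore/keystore split discussed in this thread, as an added example that is not part of the original messages and not HttpClient's own code: it uses only standard JSSE classes, puts a single CA root in the trust-manager slot and passes null for the key managers. The class name `TrustStoreOnly`, the alias `ca-root` and the PEM path argument are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustStoreOnly {
    // Build an in-memory truststore that holds only the CA root certificate.
    static KeyStore trustStoreFromPem(String caPemPath) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null); // start empty: no default CAs, no private keys
        try (InputStream in = new FileInputStream(caPemPath)) {
            Certificate ca = CertificateFactory.getInstance("X.509").generateCertificate(in);
            ts.setCertificateEntry("ca-root", ca); // alias is a hypothetical name
        }
        return ts;
    }

    // Trust managers decide which server certificates the client accepts.
    static TrustManager[] trustManagers(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        return tmf.getTrustManagers();
    }

    public static void main(String[] args) throws Exception {
        TrustManager[] tms = trustManagers(trustStoreFromPem(args[0]));
        // First argument (key managers) is null: the client presents no
        // certificate of its own, so there is no client keystore at all.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tms, null);
        // Show the trust anchors: only the imported CA root should be listed.
        for (TrustManager tm : tms) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    System.out.println("trusted: " + c.getSubjectX500Principal().getName());
                }
            }
        }
        System.out.println("context ready: " + ctx.getProtocol());
    }
}
```

Run it with the path to the CA root in PEM form as the only argument; a server chain that ends at that root validates without importing the intermediate or leaf certificates.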