Mark,

On 4.4.2014 23:54, Mark Thomas wrote:
The CA that signed your certificate might not be one of the root CAs
trusted by the user agent. Most likely it is an intermediate CA. The
root CA will have signed the intermediate CA's certificate and the
intermediate CA will have signed your certificate. In practice, there
can be several layers of intermediate CAs. What you end up with is a
trust chain from the Root CA to your certificate. To make it easier for
the browsers to validate, you need to be able to provide all of these
certificates as part of the SSL handshake. Therefore your CA will tell
you that you need to import 1 or more additional certs into your keystore.

A few additional notes:

If the root certificate is in the Java system keystore, then there is no need to import the root certificate. If not, a user must import it, either into the system keystore or the user keystore.

The order of imports is important. You first need to (optionally) import the root certificate, then the intermediate certificates (if any), and the server certificate at the end. Messing up the import order may cause the server to serve an incomplete certificate chain. An incomplete chain, though not recommended, may serve its purpose for some browsers. Other clients (like Java) will fail. Browsers have means to reconstruct incomplete certificate chains, but this shouldn't be relied upon.

-Ognjen
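The import order described above, written out as a keytool script. This is an added example, not code from the thread or from Tomcat; the file names (root.pem, intermediate.pem, server.pem), the alias "tomcat", the password, the cacerts path and the host:port are placeholders that must be replaced with the values from your own CA bundle and your -genkeypair step. The plan/alias helpers run without Java; the import and verification helpers need keytool and openssl on the path.

```shell
#!/bin/sh
# Added example: import a CA chain into a Tomcat JKS keystore in the order
# root (optional) -> intermediates -> server certificate, then verify it.
# All names below are placeholders, not values from the thread.

KEYSTORE="${KEYSTORE:-tomcat.jks}"
KEY_ALIAS="${KEY_ALIAS:-tomcat}"        # alias of the private key / CSR entry
STOREPASS="${STOREPASS:-changeit}"      # placeholder password
# Assumed location of the JRE trust store; it differs between JDK layouts.
CACERTS="${CACERTS:-${JAVA_HOME:-/usr/lib/jvm/default-java}/lib/security/cacerts}"

# Count certificates in a PEM file. CA bundles often contain several, and a
# bundle with more than one cert should be split into one file per CA so each
# intermediate gets its own trusted entry.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Alias for a CA certificate file: basename without extension (root.pem -> root).
alias_for() {
    b=${1##*/}
    printf '%s\n' "${b%.*}"
}

# Print the import plan as "<alias> <file> <mode>" lines, in the order the
# imports must run. Every argument but the last is a CA certificate (trusted
# entry); the last is the server certificate, imported as the reply onto the
# key entry. Pass the root first only if it is not already in cacerts.
import_plan() {
    [ "$#" -ge 1 ] || { echo "usage: import_plan [root.pem] [intermediate.pem ...] server.pem" >&2; return 1; }
    while [ "$#" -gt 1 ]; do
        printf '%s %s trusted\n' "$(alias_for "$1")" "$1"
        shift
    done
    printf '%s %s reply\n' "$KEY_ALIAS" "$1"
}

# Is the root already trusted by the JRE? Argument: a substring of the root's
# alias or subject as shown by keytool -list. Returns 0 if found.
root_in_cacerts() {
    keytool -list -keystore "$CACERTS" -storepass changeit </dev/null 2>/dev/null | grep -qi -- "$1"
}

# Run the imports. keytool builds the chain for the reply from what is already
# in the keystore, so the CA entries must exist before the server cert goes in;
# stdin is /dev/null so a failed chain build aborts instead of prompting.
import_chain() {
    import_plan "$@" | while read -r alias file mode; do
        case $mode in
            trusted) keytool -importcert -noprompt -trustcacerts -alias "$alias" -file "$file" \
                         -keystore "$KEYSTORE" -storepass "$STOREPASS" </dev/null ;;
            reply)   keytool -importcert -alias "$alias" -file "$file" \
                         -keystore "$KEYSTORE" -storepass "$STOREPASS" </dev/null ;;
        esac
    done
    # "Certificate chain length" should be 1 + the number of CA certs in the chain.
    keytool -list -v -alias "$KEY_ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS" </dev/null \
        | grep -i 'chain length'
}

# Cross-check from outside Java: count the certificates the running server
# actually sends. A result of 1 means only the leaf is served, i.e. the
# chain is incomplete and non-browser clients will fail.
served_chain_count() {
    openssl s_client -connect "${1:-localhost:8443}" -showcerts </dev/null 2>/dev/null \
        | grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

if [ "$#" -gt 0 ]; then
    import_chain "$@"
fi
```

Usage: `sh import-chain.sh intermediate.pem server.pem` when the root is already in cacerts (check with `root_in_cacerts "Your Root CA"`), or `sh import-chain.sh root.pem intermediate.pem server.pem` when it is not; afterwards `served_chain_count host:8443` against the restarted Tomcat should equal the chain length keytool reported.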
