On 3/19/20 12:26 PM, Christopher Schultz wrote:
> In case(2) can you show us what certificates are present in your keystore?
> Something like:
> $ keytool -verbose -list -keystore server.jks
Dear Mr. Schultz, et al:
Actually, at least with the version of keytool I have, it would be more
like:
"keytool -list -v -keystore frobozz.ks"
I was about to send (off-List, marked "CONFIDENTIAL") dumps of an
"incomplete chain" keystore that nonetheless had all the certs it
needed, and one that wasn't giving the error (as a control), when I
spotted something in the dumps myself:
Problem:

    Your keystore contains 3 entries
    Alias name: wintouch
    Creation date: Oct 15, 2019
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:

Control:

    Your keystore contains 3 entries
    Alias name: wintouch
    Creation date: Apr 2, 2018
    Entry type: PrivateKeyEntry
    Certificate chain length: 3

I had earlier noticed that the alias for the intermediate cert was not
the same as what the site cert cited as its signer, and so I had tried
changing the alias (with no effect). (I generally use a product called
KeyStore Explorer for everything but initial generation of the keystore,
and found it had a "rename" function.)
I looked at both the "problem" and "control" keystores in KSE, and found
that even though both keystores were "complete-to-root," if I pulled up
the "certificate chain details" on them, the "control" KS showed a
complete-to-root chain, while the "problem" KS showed only the site cert.
So I tried re-importing the CA reply (in KSE), on the copy that had the
renamed intermediate cert. No effect. So then I went back to the
self-signed KS, and re-imported everything again, fixing the alias as I
went along. Still no effect.
But in the process, I noticed a menu option I'd never noticed before:
"Edit Certificate Chain." Which turned out to be a sub-menu with
"Append" and "Remove" options. I tried the "Append" option, and BINGIE,
it was showing the intermediate CA in the chain (at least in KSE).
As I type this, I just now squirted the latest iteration of the KS over
to the customer's box, swapped it into place, and restarted Tomcat. Now,
the SSLLabs report shows an "A" rating, with the intermediate in the
chain. BINGIE!
--
JHHL
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
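The symptom above, a PrivateKeyEntry whose own chain has length 1 even though the intermediate sits elsewhere in the same keystore, can be caught before a deploy. The following is an added example, not code from this thread, Tomcat or KeyStore Explorer: it loads a JKS or PKCS12 keystore and, for each private-key entry only (a separate trustedCertEntry is never served to clients), checks that every certificate is validly signed by the next one and reports whether the chain stops at a self-signed root. The keystore path, password and optional type are assumed command-line arguments.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/** Reports whether each private-key entry carries a complete chain
 *  (site cert -> intermediate(s) -> optionally root), which is exactly
 *  what "Certificate chain length: 1" in the keytool dump lacks. */
public class ChainCheck {
    public static void main(String[] args) throws Exception {
        // args: <keystore> <password> [type]; type defaults to the JVM default
        String type = args.length > 2 ? args[2] : KeyStore.getDefaultType();
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue; // trustedCertEntry: not served
            Certificate[] chain = ks.getCertificateChain(alias);
            System.out.println("Alias " + alias + ": chain length " + chain.length);
            checkChain(chain);
        }
    }

    static void checkChain(Certificate[] chain) throws Exception {
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = (X509Certificate) chain[i];
            cert.checkValidity(); // throws if expired or not yet valid
            String subject = cert.getSubjectX500Principal().getName();
            if (i + 1 < chain.length) {
                X509Certificate issuer = (X509Certificate) chain[i + 1];
                if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal()))
                    System.out.println("  [" + i + "] issuer name does not match [" + (i + 1) + "] subject");
                cert.verify(issuer.getPublicKey()); // SignatureException if the link is forged
                System.out.println("  [" + i + "] " + subject + " signed by [" + (i + 1) + "]");
            } else if (cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
                System.out.println("  [" + i + "] " + subject + " is self-signed: chain complete to root");
            } else {
                // Last stored cert is not a root: clients must already trust its issuer.
                System.out.println("  [" + i + "] " + subject + " ends the stored chain but is not a root");
                if (chain.length == 1)
                    System.out.println("  INCOMPLETE: only the site certificate would be served");
            }
        }
    }
}
```

Run it with `java ChainCheck.java frobozz.ks <store-password>` (Java 11 or later); the "Problem" keystore from the dump prints the INCOMPLETE line, the "Control" one reports three linked certificates.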