Nada,

On 10/6/2009 4:51 PM, Nada O'Neal wrote:
> I don't have an EV cert, it's just a standard cert signed by Equifax. I
> have similar certs working on other servers. Again, it's the upgrade
> from one java to another that seems to cause the problem - running java
> 1.5, I don't have this issue.

If you've recently upgraded, then any changes you made to the "system" keystore may have been lost (which I think is a foolish thing to do, but it looks like each version of the JRE gets its own keystore, and upgrades don't merge or anything like that).

> $ keytool -list -keystore /path/to/keystore
> Enter keystore password:
>
> Keystore type: JKS
> Keystore provider: SUN
>
> Your keystore contains 2 entries
>
> root, Sep 29, 2009, trustedCertEntry,
> Certificate fingerprint (MD5): [...]
> tomcat, Sep 29, 2009, PrivateKeyEntry,
> Certificate fingerprint (MD5): [...]
>
> ... is this wrong?

I'm not sure. That depends on if this is /your/ keystore or the JRE's keystore. It also depends on what the details of those certs are: do any of them have to do with Equifax?

All you really need is:

1. Equifax CA cert in your keystore
2. Any Equifax intermediate certificates in your keystore
3. Your own certificate in your keystore
4. The web browser has to trust either #1 or #2

I'm not altogether clear if it all has to be the same keystore: I think that the JCE reads the system one no matter what, which should include anything Equifax has at the top-level. You may have to import their intermediate cert into your own keystore (or into the system one, again, if you upgraded).

There's nothing you can do about #4 above, except that if the browser trusts, say, #1, but you aren't providing the certificate chain between #3 and #1 (via #2), then you'll get this error from the client.

I hope that helps,
-chris
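
An added example, not part of the original message and not Tomcat code: a small Java program that prints the certificate chain stored with each private key entry in a JKS keystore, so you can see whether the links from item 3 up to item 1 in the list above are present. The class name `ChainCheck` and its two command-line arguments (keystore path and password) are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Hypothetical helper (name and arguments are assumptions, not Tomcat code).
public class ChainCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java ChainCheck <keystore> <password>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("JKS"); // type reported by keytool -list
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue; // trustedCertEntry items carry no chain
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null || chain.length == 0) {
                System.out.println(alias + ": key entry without a certificate chain");
                continue;
            }
            System.out.println(alias + ": chain of " + chain.length + " certificate(s)");
            for (int i = 0; i < chain.length; i++) {
                X509Certificate c = (X509Certificate) chain[i];
                System.out.println("  [" + i + "] subject: " + c.getSubjectX500Principal());
                System.out.println("      issuer:  " + c.getIssuerX500Principal());
                if (i + 1 == chain.length) break;
                try { // each certificate must be signed by the next one up
                    c.verify(chain[i + 1].getPublicKey());
                } catch (GeneralSecurityException e) {
                    System.out.println("      BROKEN LINK: not signed by [" + (i + 1) + "]");
                }
            }
            X509Certificate top = (X509Certificate) chain[chain.length - 1];
            if (top.getSubjectX500Principal().equals(top.getIssuerX500Principal())) {
                System.out.println("  chain ends at a self-issued (root) certificate");
            } else { // the issuer is not in the chain: clients must already trust it
                System.out.println("  chain stops below: " + top.getIssuerX500Principal());
            }
        }
    }
}
```

A chain of one certificate that stops below an intermediate CA is the situation described above in which the client trusts the root but is not given the link in between.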