Thank you Chris for your suggestion.

Here is my connector:

   <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/users/me/.keystore" keystorePass="changeit"
     />

I have received the following keys/certs from CA:
    - file1: private key for myhost
    - file2: identity certificate for "myhost" signed by "CA1"
    - file3: certificate for "CA1" signed by "entrust"

I installed the private key (file1) and the "myhost" cert (file2) into
/users/me/.keystore using the ImportKey utility.
I installed the CA1 certificate into "/users/me/.keystore" using keytool.
My keytool listing looks like this:
   $ keytool -list -keystore /users/me/.keystore 
   <...password...>
   Keystore type: JKS
   Keystore provider: SUN

   Your keystore contains 2 entries

   CA1, Apr 10, 2010, trustedCertEntry,
   Certificate fingerprint (MD5): 2F:B3:00:F2:FA:12:7B:BD:82:95:70:05:99:12:17:DB:BE
   tomcat, Apr 10, 2010, PrivateKeyEntry,
   Certificate fingerprint (MD5): CD:D9:06:11:30:CD:C2:60:33:33:68:A2:30:5C:01:50
   $

I did not install any certificates into truststore
(jre/lib/security/cacerts).

When I connect a browser to https://myhost, I get a cert error that
    "myhost" is signed by "CA1" and cannot be trusted.
The browser shows only one cert (for "myhost") and does not show the full
cert chain ("myhost" -> "CA1" and "CA1" -> entrust).
Why is the full cert chain not sent to the browser?
Since the "entrust" CA cert is in the browser's CA list, if tomcat sent the
full cert chain to the browser, it would be trusted.


Also, when I use the openssl client, I see that the full cert chain is not sent:
   C:\>  openssl s_client -connect myhost:443

   verify error:num=21:unable to verify the first certificate
   verify return:1
   ---
   Certificate chain
     0 s:/C=US/ST=YY/L=XX/O=myhost Inc./OU=IT/CN=myhost
       i:/C=US/O=CA1, Inc./OU=www.CA1.net is incorporated by reference/OU=..., Inc./CN=CA1Certification Authority

Why does this chain not have the CA1->entrust certificate?
What am I doing wrong? Should all CA certs be in the truststore?

What is the default truststore of tomcat? What is the difference between
"truststore" and "keystore"? Is it correct to say all CA certs should be in the
"truststore" and the private key and identity cert should be in the "keystore"?

many thanx,

/U


Christopher Schultz-2 wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> /U,
> 
> On 4/10/2010 12:01 AM, /U wrote:
>> I am installing certificate chain on tomcat 6.x (JRE 1.6). From my CA I
>> have
>>     private key (PEM), 
>>     identity cert (PEM)  (CA X trusts myhost)
>>    and a cert chain file (PEM file) (entrust trusts CA X)
>> 
>> The cert chain is: (entrust) === trusts ==> (CA X) == trusts ==> myhost
>> 
>> I have converted the private  key and identity cert into DER form
>> and have imported into /etc/keystore (tomcat's keystore).
> 
> Tomcat does not use /etc/keystore unless you tell it to do so. Can you
> show us your server.xml, specifically your SSL <Connector> element?
> 
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> 
> iEYEARECAAYFAkvAtWgACgkQ9CaO5/Lv0PDQBgCgnPJP17/F6OI2UXPRaQ7xnKau
> RTUAoLYShr4IVwKZJrOfyvZKGkGAvnUQ
> =/uks
> -----END PGP SIGNATURE-----
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
> 
> 

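The question above hinges on what the server actually sends in the handshake: a keystore holds the server's private key plus the chain attached to that key entry, while a truststore holds CA certs used to verify the peer, and a trustedCertEntry sitting beside the PrivateKeyEntry is not attached to its chain. One way to check a server's chain without a browser is to parse the "Certificate chain" section that `openssl s_client` prints and verify that each issuer links to the next subject and that the last issuer is a root the client trusts. The script below is an added example written for this page, not code from the original thread; the two `s_client` outputs are constructed samples (the incomplete one mirrors the post, the complete one shows what the server should send), and the Entrust root DN in `TRUSTED_ROOTS` is a placeholder, not a real DN.

```python
import re

# Constructed sample: the chain section printed for the misconfigured server in
# the post (only the leaf certificate is sent).
INCOMPLETE_OUTPUT = """\
Certificate chain
 0 s:/C=US/ST=YY/L=XX/O=myhost Inc./OU=IT/CN=myhost
   i:/C=US/O=CA1, Inc./CN=CA1 Certification Authority
---
"""

# Constructed sample: what the same server prints once the intermediate is
# attached to the "tomcat" key entry. The Entrust DN is a placeholder.
COMPLETE_OUTPUT = """\
Certificate chain
 0 s:/C=US/ST=YY/L=XX/O=myhost Inc./OU=IT/CN=myhost
   i:/C=US/O=CA1, Inc./CN=CA1 Certification Authority
 1 s:/C=US/O=CA1, Inc./CN=CA1 Certification Authority
   i:/O=Entrust (placeholder)/CN=Entrust Root CA (placeholder)
---
"""

# Stand-in for the browser's CA list: subjects of the roots the client trusts.
TRUSTED_ROOTS = {"/O=Entrust (placeholder)/CN=Entrust Root CA (placeholder)"}

# One chain entry: a "N s:<subject>" line followed by an "i:<issuer>" line.
ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(m.group(2).strip(), m.group(3).strip()) for m in ENTRY.finditer(text)]


def check_chain(text, trusted_roots):
    """Return (ok, reason).

    ok is True only when every certificate's issuer is the subject of the next
    certificate and the chain ends at a trusted root, either because the last
    certificate is issued by one or is itself one (self-signed root included).
    """
    chain = parse_chain(text)
    if not chain:
        return False, "no certificates found in s_client output"
    for depth in range(len(chain) - 1):
        if chain[depth][1] != chain[depth + 1][0]:
            return False, (f"certificate {depth} issuer does not match "
                           f"certificate {depth + 1} subject")
    last_subject, last_issuer = chain[-1]
    if last_issuer in trusted_roots or last_subject in trusted_roots:
        return True, f"{len(chain)} certificate(s) sent, chain ends at a trusted root"
    return False, (f"{len(chain)} certificate(s) sent, but the last issuer "
                   f"{last_issuer!r} is not a trusted root: server is not sending "
                   f"the full chain")


if __name__ == "__main__":
    for label, output in (("incomplete", INCOMPLETE_OUTPUT), ("complete", COMPLETE_OUTPUT)):
        ok, reason = check_chain(output, TRUSTED_ROOTS)
        print(f"{label}: {'OK' if ok else 'FAIL'} - {reason}")
```

In practice you would feed the script the real output of `openssl s_client -connect myhost:443` and a list of the root subjects your clients ship with; a result of "last issuer is not a trusted root" with only one certificate sent is exactly the symptom in the post, and the fix lives in the keystore's key entry, not in the truststore.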