Hi, I am running Tomcat 6.0.18 64bit on Windows Server 2008 R2 Enterprise. I obtained a certificate for my server from StartCom, installed it and configured the Connector. The server, intermediate and root certificates are in a keystore file. So far all went fine, except for one problem: Tomcat sends only the server certificate, not the whole certificate chain. This means that Firefox (all newer versions) thinks the certificate is invalid.
I tried to import the StartCom certificates into the default keystore cacerts, no difference. The problem is not that Tomcat can't validate the certificate, but that the intermediate certificate is not sent (verified with Wireshark). I tried to set all entries in logging.properties to ALL, but I don't get anything in my logs. Has anyone encountered the same behaviour?

server.xml:

    <Connector protocol="org.apache.coyote.http11.Http11Protocol"
               port="443"
               SSLEnabled="true"
               maxThreads="150"
               scheme="https"
               secure="true"
               keystoreFile="C:\Program Files\Apache Software Foundation\Tomcat 6.0\tomcat.keystore"
               keystorePass="..."
               keyAlias="intern"
               clientAuth="false"
               sslProtocol="TLS" />

keytool -list -keystore tomcat.keystore:

    Keystore-Typ: JKS
    Keystore-Provider: SUN

    Ihr Keystore enthält 3 Einträge.

    startcom.ca.sub, 23.05.2011, trustedCertEntry,
    Zertifikatsfingerabdruck (MD5): 4F:9B:88:B0:78:F3:16:9F:19:DC:F1:A3:8A:50:DD:82
    startcom.ca, 23.05.2011, trustedCertEntry,
    Zertifikatsfingerabdruck (MD5): 22:4D:8F:8A:FC:F7:35:C2:BB:57:34:90:7B:8B:22:16
    intern, 23.05.2011, PrivateKeyEntry,
    Zertifikatsfingerabdruck (MD5): 30:93:DB:AD:5A:DB:76:00:49:EC:EA:0F:4B:9E:C3:3C

keytool -list -v -keystore tomcat.keystore (output shortened):

    Keystore-Typ: JKS
    Keystore-Provider: SUN

    Ihr Keystore enthält 3 Einträge.

    Aliasname: startcom.ca.sub
    Erstellungsdatum: 23.05.2011
    Eintragstyp: trustedCertEntry

    Eigner: CN=StartCom Class 2 Primary Intermediate Server CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
    Aussteller: CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
    Seriennummer: b
    Gültig von: Wed Oct 24 22:57:08 CEST 2007 bis: Mon Oct 22 22:57:08 CEST 2012
    Digitaler Fingerabdruck des Zertifikats:
         MD5: 4F:9B:88:B0:78:F3:16:9F:19:DC:F1:A3:8A:50:DD:82
         SHA1: A9:C3:A1:41:78:DF:B2:B1:D1:94:1D:5E:3F:56:DA:FA:E2:E1:40:37
         Unterschrift-Algorithmusname: SHA1withRSA
         Version: 3
    ...

    *******************************************
    *******************************************

    Aliasname: startcom.ca
    Erstellungsdatum: 23.05.2011
    Eintragstyp: trustedCertEntry

    Eigner: CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
    Aussteller: CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
    Seriennummer: 1
    Gültig von: Sun Sep 17 21:46:36 CEST 2006 bis: Wed Sep 17 21:46:36 CEST 2036
    Digitaler Fingerabdruck des Zertifikats:
         MD5: 22:4D:8F:8A:FC:F7:35:C2:BB:57:34:90:7B:8B:22:16
         SHA1: 3E:2B:F7:F2:03:1B:96:F3:8C:E6:C4:D8:A8:5D:3E:2D:58:47:6A:0F
         Unterschrift-Algorithmusname: SHA1withRSA
         Version: 3
    ...

    *******************************************
    *******************************************

    Aliasname: intern
    Erstellungsdatum: 23.05.2011
    Eintragstyp: PrivateKeyEntry
    Zertifikatskettenlänge: 1
    Zertifikat[1]:
    Eigner: EMAILADDRESS=postmas...@htl-klu.at, CN=intern.htl-klu.at, OU=StartCom Verified Certificate Member, O=Bernhard Hobiger, L=Klagenfurt, ST=Karnten, C=AT, OID.2.5.4.13=165616-YmmhPnif68b3zfKu
    Aussteller: CN=StartCom Class 2 Primary Intermediate Server CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
    Seriennummer: 1a3d
    Gültig von: Thu Mar 18 09:26:36 CET 2010 bis: Mon Mar 19 00:20:28 CET 2012
    Digitaler Fingerabdruck des Zertifikats:
         MD5: 30:93:DB:AD:5A:DB:76:00:49:EC:EA:0F:4B:9E:C3:3C
         SHA1: AD:21:D5:1B:83:BB:DF:A7:61:BA:BD:E0:F9:7A:13:8B:F9:EF:8A:CC
         Unterschrift-Algorithmusname: SHA1withRSA
         Version: 3
    ...

    *******************************************
    *******************************************
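Added example (editor's code, not part of the original post or of Tomcat): a small model of what a browser does with the certificates a server hands it during the handshake, using the subject and issuer names from the keytool output above. The detail worth checking in that output is "Zertifikatskettenlänge: 1" on the intern entry: the JSSE connector sends the chain stored with the PrivateKeyEntry, and the separate trustedCertEntry entries for the StartCom root and intermediate are never sent. A client that does not fetch missing intermediates itself (Firefox at the time did not) then has only the leaf plus its own root store, and the path cannot be built. The script models certificates as (subject, issuer) pairs, no X.509 parsing is done; the Cert class, build_path, client_accepts and BROWSER_TRUST are the example's own names, and the leaf DN is shortened to its CN/OU/O/L/ST/C components.

```python
"""Editor-added example: can a client build a path from what the server sent?

Certificates are (subject, issuer) name pairs copied from the post's
keytool -list -v output. Only the certificates the server actually sent
may serve as intermediates, which is how a browser without AIA chasing
behaves; the client contributes only its trust anchors.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Cert:  # hypothetical stand-in for an X.509 certificate
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Distinguished names as printed by keytool in the post.
ROOT_DN = ("CN=StartCom Certification Authority, "
           "OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL")
INTERMEDIATE_DN = ("CN=StartCom Class 2 Primary Intermediate Server CA, "
                   "OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL")
LEAF_DN = ("CN=intern.htl-klu.at, OU=StartCom Verified Certificate Member, "
           "O=Bernhard Hobiger, L=Klagenfurt, ST=Karnten, C=AT")

ROOT = Cert(subject=ROOT_DN, issuer=ROOT_DN)
INTERMEDIATE = Cert(subject=INTERMEDIATE_DN, issuer=ROOT_DN)
LEAF = Cert(subject=LEAF_DN, issuer=INTERMEDIATE_DN)


def build_path(sent: List[Cert], trust_anchors: Set[str]) -> Optional[List[Cert]]:
    """Link sent[0] (the server certificate) up to a trusted anchor.

    Returns the ordered path found, or None if a link is missing, the
    chain loops, or it ends at a self-signed root the client does not trust.
    """
    if not sent:
        return None
    by_subject = {c.subject: c for c in sent}
    path = [sent[0]]
    seen = {sent[0].subject}
    while True:
        current = path[-1]
        if current.issuer in trust_anchors:
            return path  # the next hop is a root the client already has
        nxt = by_subject.get(current.issuer)
        if nxt is None or nxt.subject in seen or nxt.self_signed:
            return None
        path.append(nxt)
        seen.add(nxt.subject)


def client_accepts(sent: List[Cert], trust_anchors: Set[str]) -> bool:
    return build_path(sent, trust_anchors) is not None


# Constructed trust store: the browser ships the StartCom root only,
# not the Class 2 intermediate.
BROWSER_TRUST = {ROOT_DN}


def chain_length_one() -> bool:
    """What the post's keystore produces (Zertifikatskettenlänge: 1)."""
    return client_accepts([LEAF], BROWSER_TRUST)


def chain_with_intermediate() -> bool:
    """What the server sends once the intermediate is in the key entry's chain."""
    return client_accepts([LEAF, INTERMEDIATE], BROWSER_TRUST)


if __name__ == "__main__":
    print("leaf only          :", "accepted" if chain_length_one() else "rejected")
    print("leaf + intermediate:", "accepted" if chain_with_intermediate() else "rejected")
```

The model also explains two observations in the post: importing the StartCom certificates into the server's cacerts changes nothing, because the client never sees that keystore, while a browser that happens to have the intermediate cached (the equivalent of adding INTERMEDIATE_DN to the trust set) accepts the leaf alone. On the server side, keytool treats a certificate imported under the alias of an existing key entry as a certificate reply and rebuilds that entry's chain from the trusted entries in the keystore, which is what raises the chain length above 1.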