On 05/23/2011 04:53 AM, Dipl.-Ing. Mag. Bernhard Hobiger wrote:
Hi,

I am running Tomcat 6.0.18 64bit on Windows Server 2008 R2 Enterprise. I 
obtained a certificate for my server from StartCom, installed it and configured 
the Connector. The server, intermediate and root certificates are in a keystore 
file. So far all went fine, except for one problem: Tomcat sends only the 
server certificate, not the whole certificate chain. This means that Firefox 
(all newer versions) thinks the certificate is invalid.

I tried to import the StartCom certificates into the default keystore cacerts, 
no difference. The problem is not that Tomcat can't validate the certificate, 
but that the intermediate certificate is not sent (verified with Wireshark).

I tried to set all entries in logging.properties to ALL, but I don't get 
anything in my logs. Has anyone encountered the same behaviour?

server.xml:
     <Connector protocol="org.apache.coyote.http11.Http11Protocol"
                port="443" SSLEnabled="true"
                maxThreads="150" scheme="https" secure="true"
                keystoreFile="C:\Program Files\Apache Software Foundation\Tomcat 6.0\tomcat.keystore"
                keystorePass="..."
                keyAlias="intern"
                clientAuth="false" sslProtocol="TLS" />


keytool -list -keystore tomcat.keystore:


Keystore-Typ: JKS
Keystore-Provider: SUN
Ihr Keystore enthält 3 Einträge.
startcom.ca.sub, 23.05.2011, trustedCertEntry,
Zertifikatsfingerabdruck (MD5): 4F:9B:88:B0:78:F3:16:9F:19:DC:F1:A3:8A:50:DD:82
startcom.ca, 23.05.2011, trustedCertEntry,
Zertifikatsfingerabdruck (MD5): 22:4D:8F:8A:FC:F7:35:C2:BB:57:34:90:7B:8B:22:16
intern, 23.05.2011, PrivateKeyEntry,
Zertifikatsfingerabdruck (MD5): 30:93:DB:AD:5A:DB:76:00:49:EC:EA:0F:4B:9E:C3:3C

keytool -list -v -keystore tomcat.keystore: (output shortened)


Keystore-Typ: JKS
Keystore-Provider: SUN
Ihr Keystore enthält 3 Einträge.
Aliasname: startcom.ca.sub
Erstellungsdatum: 23.05.2011
Eintragstyp: trustedCertEntry
Eigner: CN=StartCom Class 2 Primary Intermediate Server CA, OU=Secure Digital 
Certificate Signing, O=StartCom Ltd., C=IL
Aussteller: CN=StartCom Certification Authority, OU=Secure Digital Certificate 
Signing, O=StartCom Ltd., C=IL
Seriennummer: b
Gültig von: Wed Oct 24 22:57:08 CEST 2007 bis: Mon Oct 22 22:57:08 CEST 2012
Digitaler Fingerabdruck des Zertifikats:
   MD5:  4F:9B:88:B0:78:F3:16:9F:19:DC:F1:A3:8A:50:DD:82
   SHA1: A9:C3:A1:41:78:DF:B2:B1:D1:94:1D:5E:3F:56:DA:FA:E2:E1:40:37
   Unterschrift-Algorithmusname: SHA1withRSA
   Version: 3
...
*******************************************
*******************************************

Aliasname: startcom.ca
Erstellungsdatum: 23.05.2011
Eintragstyp: trustedCertEntry
Eigner: CN=StartCom Certification Authority, OU=Secure Digital Certificate 
Signing, O=StartCom Ltd., C=IL
Aussteller: CN=StartCom Certification Authority, OU=Secure Digital Certificate 
Signing, O=StartCom Ltd., C=IL
Seriennummer: 1
Gültig von: Sun Sep 17 21:46:36 CEST 2006 bis: Wed Sep 17 21:46:36 CEST 2036
Digitaler Fingerabdruck des Zertifikats:
   MD5:  22:4D:8F:8A:FC:F7:35:C2:BB:57:34:90:7B:8B:22:16
   SHA1: 3E:2B:F7:F2:03:1B:96:F3:8C:E6:C4:D8:A8:5D:3E:2D:58:47:6A:0F
   Unterschrift-Algorithmusname: SHA1withRSA
   Version: 3
...

*******************************************
*******************************************

Aliasname: intern
Erstellungsdatum: 23.05.2011
Eintragstyp: PrivateKeyEntry
Zertifikatskettenlänge: 1
Zertifikat[1]:
Eigner: 
EMAILADDRESS=postmas...@htl-klu.at, 
CN=intern.htl-klu.at, OU=StartCom Verified Certificate Member, O=Bernhard Hobiger, 
L=Klagenfurt, ST=Karnten, C=AT, OID.2.5.4.13=165616-YmmhPnif68b3zfKu
Aussteller: CN=StartCom Class 2 Primary Intermediate Server CA, OU=Secure 
Digital Certificate Signing, O=StartCom Ltd., C=IL
Seriennummer: 1a3d
Gültig von: Thu Mar 18 09:26:36 CET 2010 bis: Mon Mar 19 00:20:28 CET 2012
Digitaler Fingerabdruck des Zertifikats:
   MD5:  30:93:DB:AD:5A:DB:76:00:49:EC:EA:0F:4B:9E:C3:3C
   SHA1: AD:21:D5:1B:83:BB:DF:A7:61:BA:BD:E0:F9:7A:13:8B:F9:EF:8A:CC
   Unterschrift-Algorithmusname: SHA1withRSA
   Version: 3
...
*******************************************
*******************************************
Hello,

Please take notice of the following lines in your output...

My German(?) isn't all that good, but I see this, "Zertifikatskettenlänge: 1", which I know in English should read something to the effect of... 'Certificate Chain Length'

This is why Tomcat (JSSE) is only serving up the one certificate (depth 0), and when I see this output, it would appear the '-trustcacerts' flag was not used when importing the certificate(s). See this page for reference [ http://download.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html ]

Here's also a blog posting from a fellow StartCom customer.

http://magictrevor.wordpress.com/2011/01/26/startssl-startcom-certificates-and-tomcat/

I hope this helps!

--Crypto.Sal
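As an added check, not code from the thread or from Tomcat, here is a Python script that parses `keytool -list -v` output and flags exactly the condition Crypto.Sal points at: a PrivateKeyEntry whose stored chain stops at the leaf (Zertifikatskettenlänge: 1) while its issuer sits in the keystore only as a separate trustedCertEntry, which JSSE never sends. The sample output is a constructed, shortened version of the thread's German keytool listing; the English label variants are assumed from keytool's default locale.

```python
import re

# Constructed sample in the thread's German keytool locale, shortened to the
# fields the check needs (intermediate present, key entry chain length 1).
SAMPLE = """\
Aliasname: startcom.ca.sub
Eintragstyp: trustedCertEntry
Eigner: CN=StartCom Class 2 Primary Intermediate Server CA, O=StartCom Ltd., C=IL
Aussteller: CN=StartCom Certification Authority, O=StartCom Ltd., C=IL

Aliasname: intern
Eintragstyp: PrivateKeyEntry
Zertifikatskettenlänge: 1
Zertifikat[1]:
Eigner: CN=intern.htl-klu.at, O=Bernhard Hobiger, C=AT
Aussteller: CN=StartCom Class 2 Primary Intermediate Server CA, O=StartCom Ltd., C=IL
"""

# keytool labels follow the JVM locale: German (as in the thread) and English.
LABELS = {"Aliasname": "alias", "Alias name": "alias",
          "Eintragstyp": "type", "Entry type": "type",
          "Zertifikatskettenlänge": "chain_len", "Certificate chain length": "chain_len",
          "Eigner": "subject", "Owner": "subject",
          "Aussteller": "issuer", "Issuer": "issuer"}

def parse_entries(text):
    """One dict per alias; subject/issuer are taken from the first cert listed (the leaf)."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+):\s*(.*)$", line)
        if not m or m.group(1) not in LABELS:
            continue  # fingerprints, validity, "Zertifikat[1]:" etc. are not needed
        key, value = LABELS[m.group(1)], m.group(2).strip()
        if key == "alias":
            entries.append({"alias": value})
        elif entries and key not in entries[-1]:
            entries[-1][key] = value
    return entries

def find_short_chains(text):
    """Return (alias, issuer, where) for each PrivateKeyEntry that stores only the leaf."""
    entries = parse_entries(text)
    trusted = {e.get("subject") for e in entries if e.get("type") == "trustedCertEntry"}
    findings = []
    for e in entries:
        if e.get("type") != "PrivateKeyEntry" or int(e.get("chain_len", "1")) > 1:
            continue
        issuer = e.get("issuer", "")
        where = "a separate trustedCertEntry" if issuer in trusted else "not in the keystore"
        findings.append((e["alias"], issuer, where))
    return findings
```

Run it against `keytool -list -v -keystore tomcat.keystore` output piped to a file; any finding means the Connector will send only the server certificate regardless of which CA certificates are also in the keystore.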


