Thanks Christopher Schultz and Crypto Sal for your replies! The key hint was the certificate chain length. My problem seemed to be that I got the server certificate as a PKCS12 file (including the private key). I imported it using "-importkeystore -srcstoretype PKCS12". "-trustcacerts" doesn't seem to have any effect with "-importkeystore". Since the PKCS12 file contained only the server certificate, it was imported with certificate chain length 1.
So here is what worked for me:

- I converted the root and intermediate certificates to human-readable form by importing them into a keystore and then exporting them again using "-export -rfc".
- I imported my server certificate into a new keystore and adapted alias and passwords for use with my Tomcat configuration.
- I exported the server certificate again using "-export -rfc".
- I opened the newly created export file of my server certificate and inserted the contents of the intermediate and the root certificates at the bottom of the file. This created a valid certificate chain in PKCS7 format.
- I imported the altered certificate file into the same keystore using the same alias. This replaced the single certificate with the complete certificate chain (private key remained unaltered).

Now I have a valid keystore with my server certificate and the intermediate and root certificates, and the certificate chain length is 3. Tomcat delivers the chain correctly and I finally got rid of the annoying security warnings in Firefox.

Thanks for your help!
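The last steps of the procedure in the message above, as an added shell sketch that is not part of the original post. It assumes the three certificates are already exported in "-rfc" (PEM) form; the file names, the `chain.pem` output name and the `KS_PASS` environment variable are assumptions.

```shell
#!/bin/sh
# Added example. The keystore password is read from the environment (KS_PASS)
# through keytool's ":env" modifier so it does not show up in the process list.

# Count the PEM certificates in a file.
pem_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Write server, intermediate and root certificate (in that order) into one
# chain file. Each input must hold exactly one certificate.
build_chain_file() {
    out=$1; shift
    : > "$out" || return 1
    for pem in "$@"; do
        [ "$(pem_count "$pem")" -eq 1 ] || {
            echo "$pem: expected exactly one certificate" >&2
            return 1
        }
        # awk 1 re-adds a missing final newline, so the END marker of one
        # certificate never fuses with the BEGIN marker of the next.
        awk 1 "$pem" >> "$out"
    done
}

# Import the chain file under the alias of the existing private key entry.
# keytool may ask for confirmation when it does not already trust the top
# certificate of the chain.
import_chain() {
    keytool -importcert -trustcacerts \
        -keystore "$1" -storepass:env KS_PASS \
        -alias "$2" -file "$3"
}

# Print the chain length keytool reports for the alias (3 is expected here).
chain_length() {
    keytool -list -v -keystore "$1" -storepass:env KS_PASS -alias "$2" |
        sed -n 's/^Certificate chain length: //p'
}

# Usage (constructed names):
#   KS_PASS=... ./chain.sh keystore.jks tomcat server.pem intermediate.pem root.pem
if [ "$#" -eq 5 ]; then
    build_chain_file chain.pem "$3" "$4" "$5" &&
        import_chain "$1" "$2" chain.pem &&
        chain_length "$1" "$2"
fi
```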