Hi,

On Fri, Apr 22, 2016 at 8:07 PM, Steve Sobol - Lobos Studios <[email protected]> wrote:
> Well yeah, that's the thing, I do have them. With Apache I just have them
> bundled in a single file and I use the SSLCertificateChainFile directive (I
> believe) to point to them. I tried putting the CA certs in the truststore.
> Didn't work. Tried putting them in the keystore with the website certs.
> Didn't work.
>
> So, I'm a little lost. :(

Truststores are only useful when you receive a certificate and you want to
verify that it is trustable. Typically clients use them (e.g. the server sends a
self-signed certificate).

I think we have the same (or a very similar) setup for Webtide's website.

If I do:

    keytool -list -keystore keystore

it prints:

    Your keystore contains 4 entries

    (fingerprints removed):
    comodo_ca, Jan 15, 2016, trustedCertEntry,
    addtrust_ca_root, Jan 15, 2016, trustedCertEntry,
    server, Jan 15, 2016, PrivateKeyEntry,
    comodo_domain_ca, Jan 15, 2016, trustedCertEntry,

If I do:

    keytool -list -v -keystore keystore

it prints a lot more.
The important thing is that the "server" alias (in our case, or the alias
that has the private key) has attached 4 certificates.
In our case I see:

    Alias name: server
    Creation date: Jan 15, 2016
    Entry type: PrivateKeyEntry
    Certificate chain length: 4
    Certificate[1]:
    ...
    Certificate[2]:
    ...
    Certificate[3]:
    ...
    Certificate[4]:
    ...

These entries should match the other entries you have in the keystore.

If you don't have "Certificate chain length: 4" (or whatever length you
have), but you have only length=1, then you have imported the
certificate into the keystore in the wrong way.

Let us know.

-- 
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.
_______________________________________________
jetty-users mailing list
[email protected]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
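The chain-length check described in the reply above can be scripted. This is an added example, not part of the original message or of Jetty: it parses `keytool -list -v` output, and goes one step further than the message by also checking that each certificate's Issuer matches the next certificate's Owner. The function names, status labels, aliases and distinguished names in the sample are constructed for illustration.

```sh
# Added example: audit `keytool -list -v` output for incomplete server chains.
# Usage: keytool -list -v -keystore keystore | audit_chains
# Prints one line per PrivateKeyEntry: "<alias> <chain length> <status>"
#   OK         chain has more than one certificate and every Issuer matches the next Owner
#   LEAF_ONLY  chain length 1: the server has no intermediate CA certs to send
#   BROKEN     chain present, but the Issuer/Owner links do not line up
audit_chains() {
  awk '
    function report(   i, status) {
      if (etype != "PrivateKeyEntry") return
      status = (len < 2) ? "LEAF_ONLY" : "OK"
      for (i = 1; i < len; i++)
        if (issuer[i] != owner[i + 1]) status = "BROKEN"
      print alias, len, status
    }
    /^Alias name: /               { report(); alias = substr($0, 13); etype = ""
                                    len = 0; n = 0; split("", owner); split("", issuer) }
    /^Entry type: /               { etype = substr($0, 13) }
    /^Certificate chain length: / { len = $4 + 0 }
    /^Certificate\[[0-9]+\]:/     { n++ }
    /^Owner: /                    { owner[n] = substr($0, 8) }
    /^Issuer: /                   { issuer[n] = substr($0, 9) }
    END                           { report() }
  '
}

# Constructed sample in keytool's verbose layout (not output from a real keystore).
sample_listing() {
  cat <<'EOF'
Alias name: server
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=www.example.test
Issuer: CN=Example Domain CA
Certificate[2]:
Owner: CN=Example Domain CA
Issuer: CN=Example Root CA

Alias name: server_leaf_only
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.example.test
Issuer: CN=Example Domain CA
EOF
}

sample_listing | audit_chains
```

A `LEAF_ONLY` result on the alias that holds the private key corresponds to the "length=1" case in the message: the CA certificates were imported as separate entries rather than attached to the key entry.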
