Ray,
So bare with me here, because I've only been doing this for about 6 months,
and it's felt very piecemeal (as in I am pretty sure there's a better way
to do it but I'm not familiar enough with it to figure it out yet).
Yes, I think we're running the embedded Tomcat as I start our cas with
Yeah, that's why I'm trying to get the chain included, so it will pass the
scanner. It works fine in any browser I test in, but we get a weekly scan
report and it keeps coming up as chain invalid. Just trying to get it to
clear the scan. I'm about half a minute away from putting it behind a
Guessing that it has to do with how you brought it into the keystore?
This answer has details on how to import it as a chain into the
keystore:
https://stackoverflow.com/questions/9299133/why-doesnt-java-send-the-client-certificate-during-ssl-handshake/9300727#9300727
On 11/3/22 14:22,
Browsers will insert the intermediate certificates if they know them. So
you can't trust the browser. Scanners look for the chain with no prior
knowledge, and thus are more reliable in determining if you have
everything setup correctly.
On 11/3/22 12:47, Ray Bon wrote:
Michael,
I have not
Michael,
I have not run the embedded tomcat so I do not know where the logs are or if
they are the same in the console on startup.
When you are on the cas site, you can click the lock icon beside the url. You
can then get access to the certificate(s) and view them. (Steps vary a bit
between
Michael,
I assume you are running embedded tomcat and the process running tomcat has
read access to the .jks.
What certificate is being sent when you browse to cas/login?
Are there any log errors on tomcat startup or page access?
Ray
On Wed, 2022-11-02 at 12:44 -0700, Michael Santangelo wrote:
Hello all,
I'm struggling with getting CAS to send the certificate chain properly and
wondering if maybe I'm using the wrong lines in the config.
Before this project I had:
server.ssl.key-store=file:/path/to/ssl/tomcat.jks
server.ssl.key-store-password=thepassword
After some googling, I added