Chris,

AFAIK, current Comodo Elite SSL certificates are signed by a root 
certificate "UTN-UserFirst-Hardware Root CA". The UTN root cert seems to be 
supported by most browsers, but support by Sun JVM may be more spotty. The 
most recent JDK 1.6 seems to support it, but double check your root store.

At some point in the past, with JDK 1.4 and 1.5, we had problems with Comodo 
SSL certificates, as JVM didn't know about Comodo's root certificate. Java 
SSL would throw an exception trying to connect via https to our server. 
Specifically, our software deployed via webstart was affected. The 
application would start fine because browser SSL implementation trusted 
Comodo's root, but the application itself would not connect to the server 
because Sun JVM did not trust Comodo's root. So, we had to use a Thawte 
certificate. Recently, with JDK 1.6 we started using the cheaper Comodo's 
certs without problems. (Way back in the past, Comodo used a different 
root, signed by GTE Cybertrust, which was again supported by ancient JVMs.)

To get a list of all root certificates trusted by your JRE or JDK, find its 
keystore of root certs named 'cacerts'. In a JRE, it's under lib/security 
and in a JDK it's under jre/lib/security. Issue the following command to 
get a list of all issuers.

keytool -list -v -keystore cacerts | grep Issuer | sort

The command will ask for a keystore password. Unless you've changed it, the 
default password is "changeit".

If your JVM's cacerts includes the following cert, then Comodo Elite SSL will 
be recognized.

CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST 
Network, L=Salt Lake City, ST=UT, C=US


----------  Forwarded Message  ----------

Subject: Re: [OT] Comodo as a CA
Date: Saturday 26 April 2008
From: Christopher Schultz <[EMAIL PROTECTED]>
To: Tomcat Users List <users@tomcat.apache.org>

Anyone?

Christopher Schultz wrote:
| All,
|
| I'm asking the Tomcat community this because everyone always surprises
| me with their wide customer experiences.
|
| I need to get new SSL certs for a domain name switch we're doing, soon.
| VeriSign's SGC/EV SSL certs are ridiculously expensive and so I'm
| looking for alternatives. Comodo offers a product that is
| indistinguishable (to me) to VeriSign's SGC/EV cert, but it costs 1/4 as
| much.
|
| Does anyone have any experience with Comodo? Specifically, has anyone
| run across any customers whose browsers do not trust Comodo as a CA?
|
-- 
Nicholas Sushkin, Senior Software Engineer
http://www.openfinance.com http://www.wealthinformationexchange.com
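
The cacerts check described in the message, as an added example that is not part of the original message. It assumes keytool is on PATH and the default store password; the function names are hypothetical and the sample keytool output is constructed. It goes one step beyond the grep in the message by accepting only self-signed entries (Owner equals Issuer).

```shell
#!/bin/sh
# Added example (not from the original message). Function names are hypothetical.
ROOT_CN='CN=UTN-USERFirst-Hardware'   # root DN prefix quoted in the message

# Print the cacerts path under a Java home: lib/security in a JRE,
# jre/lib/security in a JDK. Returns 1 when neither file exists.
find_cacerts() {
    for rel in lib/security/cacerts jre/lib/security/cacerts; do
        if [ -f "$1/$rel" ]; then
            printf '%s\n' "$1/$rel"
            return 0
        fi
    done
    return 1
}

# Read `keytool -list -v` output on stdin. Succeed only if a self-signed entry
# (Owner equals Issuer) has a DN starting with "$1,", compared case-insensitively.
has_root() {
    awk -v want="$1," '
        /^Owner: /  { owner = substr($0, 8) }
        /^Issuer: / { issuer = substr($0, 9)
                      if (issuer == owner && index(toupper(issuer), toupper(want)) == 1) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample of keytool output (alias names and the leaf entry are made up).
sample_keytool_output() {
    cat <<'EOF'
Alias name: constructed-utn-root
Owner: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
Issuer: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US

Alias name: constructed-leaf
Owner: CN=www.example.test, O=Example
Issuer: CN=Example Intermediate, O=Example
EOF
}

# Usage: sh check_root.sh /path/to/java/home [storepass]
# Assumes keytool is on PATH; a keytool failure also reports "not found".
if [ "$#" -gt 0 ]; then
    store=$(find_cacerts "$1") || { echo "no cacerts under $1" >&2; exit 2; }
    if keytool -list -v -keystore "$store" -storepass "${2:-changeit}" | has_root "$ROOT_CN"; then
        echo "trusted: $ROOT_CN"
    else
        echo "not found: $ROOT_CN"
    fi
fi
```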
