Hi all,

I just want to clarify something that I've been seeing behave differently
on various Java versions during the years. In case we have the following
setting:

-Djavax.net.ssl.trustStore=/keystore/truststore.jks

in Tomcat's default config file, is the JVM supposed to fall back to the global
CA store on the server under /etc/ssl/certs for verification in case *any*
of the certificates returned by a trusted domain are not present in the
above JKS store? By any I mean all the certs in the chain returned by the
SSL handshake.

For example, let's say we have a situation like this:

DigiCert Global Root G2 -> RapidSSL TLS RSA CA G1 -> CN=*.mydomain.com

Let's say I have imported the *CN=*.mydomain.com* certificate in the
truststore.jks; the question is, is the JVM going to look under
/etc/ssl/certs for RapidSSL in order to validate the CN signature and
then for DigiCert to validate the RapidSSL cert?

As I said, I have had mixed luck with this over the years: sometimes it works
as (I) expect it to work, i.e. it verifies the certs by looking at the system CA
store, and sometimes this is not the case.

Thanks for any help/insights.

Igor
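One way to settle the question empirically for a given store, as an added example that is not from this thread: hand the same JKS file to JSSE's own PKIX trust manager (the code path a JVM started with -Djavax.net.ssl.trustStore uses) and ask it to validate the chain the server sends. It assumes the store password is passed on the command line and that the chain has been saved as a PEM file with the leaf certificate first (for example from openssl s_client -showcerts); this call validates the chain against the store's entries only and performs no hostname matching.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Usage: java TrustStoreCheck /keystore/truststore.jks <store-password> chain.pem
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        // Load exactly the store named by -Djavax.net.ssl.trustStore; nothing else.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        // Show which subjects the store actually contains as trusted certificates.
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                System.out.println("trusted entry " + alias + ": " + c.getSubjectX500Principal());
            }
        }
        // Read the server's chain (leaf first) from the PEM file.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (FileInputStream in = new FileInputStream(args[2])) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        // Build the default (PKIX) trust manager from this store only, as JSSE does.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        try {
            tm.checkServerTrusted(chain.toArray(new X509Certificate[0]), "RSA");
            System.out.println("chain is trusted using only " + args[0]);
        } catch (CertificateException e) {
            // Any missing link that the store cannot supply shows up here.
            System.out.println("chain is NOT trusted by " + args[0] + ": " + e.getMessage());
        }
    }
}
```

Running it once against the JKS in question and once against the JVM's cacerts makes it obvious which store is supplying the missing intermediates.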
