On 3/19/20 12:26 PM, Christopher Schultz wrote:
In case(2) can you show us what certificates are present in your keystore?

Something like:

$ keytool -verbose -list -keystore server.jks

Dear Mr. Schultz, et al:

Actually, at least with the version of keytool I have, it would be more like:
"keytool -list -v -keystore frobozz.ks"

I was about to send (off-List, marked "CONFIDENTIAL") dumps of an "incomplete chain" keystore that nonetheless had all the certs it needed, and one that wasn't giving the error (as a control), when I spotted something in the dumps myself:

Your keystore contains 3 entries

Alias name: wintouch
Creation date: Oct 15, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 1

Your keystore contains 3 entries

Alias name: wintouch
Creation date: Apr 2, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 3

I had earlier noticed that the alias for the intermediate cert was not the same as what the site cert cited as its signer, and so I had tried changing the alias (with no effect). (I generally use a product called KeyStore Explorer for everything but initial generation of the keystore, and found it had a "rename" function.)

I looked at both the "problem" and "control" keystores in KSE, and found that even though both keystores were "complete-to-root," if I pulled up the "certificate chain details" on them, the "control" KS showed a complete-to-root chain, while the "problem" KS showed only the site cert.

So I tried re-importing the CA reply (in KSE), on the copy that had the renamed intermediate cert. No effect. So then I went back to the self-signed KS, and re-imported everything again, fixing the alias as I went along. Still no effect.

But in the process, I noticed a menu option I'd never noticed before: "Edit Certificate Chain." Which turned out to be a sub-menu with "Append" and "Remove" options. I tried the "Append" option, and BINGIE, it was showing the intermediate CA in the chain (at least in KSE).

As I type this, I just now squirted the latest iteration of the KS over to the customer's box, swapped it into place, and restarted Tomcat. Now, the SSLLabs report shows an "A" rating, with the intermediate in the chain. BINGIE!


To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to