Thank you Chris for your suggestion.

Here is my connector:

   <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/users/me/.keystore" keystorePass="changeit"

I have received the following keys/certs from CA:
    - file1: private key for myhost
    - file2: identity certificate for "myhost" signed by "CA1"
    - file3: certificate for "CA1" signed by "entrust"

I installed private key (file1) and "myhost" cert (file2) into
using the ImportKey utility.
I installed the CA1's certificated into "/users/me/.keystore" using keytool.
My keytool lookslike this:
   $ keytool -list -keystore /users/me/.keystore 
   Keystore type: JKS
   Keystore provider: SUN

   Your keystore contains 2 entries

   CA1, Apr 10, 2010, trustedCertEntry,
   Certificate fingerprint (MD5):
   tomcat, Apr 10, 2010, PrivateKeyEntry, 
   Certificate fingerprint (MD5):

I did not install any certificates into truststore

When I connect browser to https://myhost, i get a cert error that
    "myhost" is signed by "CA1"and cannot be trusted.
Browser show only one cert (for "myhost") and not show the full
cert chain ("myhost" -> "CA1" and "CA1" -> entrust).
Why is the full cert chain not sent to browser.
Since "entrust" CA cert is in browser CA list, if tomcat send full cert
to browser, it would be trusted.

Also, when I use openss client, I see that full cert chain is not sent:
   C:\>  openssl s_client -connect myhost:443

   verify error:num=21:unable to verify the first certificate
   verify return:1
   Certificate chain
     0 s:/C=US/ST=YY/L=XX/O=myhost Inc./OU=IT/CN=myhost
     i:/C=US/O=CA1, Inc./ is incorporated by reference/OU=...,
Inc./CN=CA1Certification Authority 

Why does this chain not have CA1->entrust certificate.
what i do wrong? should all CA certs be in truststore?

what is the defaulttruststore of tomcat? what is difference between
"truststore" and 
"keystore". is it correct to say all CA certs be in "truststore" and private
key and identity cert
be in "keystore"?

many thanx,


Christopher Schultz-2 wrote:
> Hash: SHA1
> /U,
> On 4/10/2010 12:01 AM, /U wrote:
>> i am installing certificate chain on tomcat 6.x (JRE 1.6). From my CA I
>> have
>>     private key (PEM), 
>>     identity cert (PEM)  (CA X trusts myhost)
>>    and a cert chain file (PEM file) (entrust trusts CA X)
>> The cert chain is: (entrust) === trusts ==> (CA X) == trusts ==> myhost
>> I have converted the private  key and identify cert into DER form
>> and have imported into /etc/keystore (tomcat's keystore).
> Tomcat does not use /etc/keystore unless you tell it to do so. Can you
> show us your server.xml, specifically your SSL <Connector> element?
> - -chris
> Version: GnuPG v1.4.10 (MingW32)
> Comment: Using GnuPG with Mozilla -
> =/uks
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

View this message in context:
Sent from the Tomcat - User mailing list archive at

To unsubscribe, e-mail:
For additional commands, e-mail:

Reply via email to