

On 4/10/2010 3:31 PM, /U wrote:
>    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>                maxThreads="150" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS"
>                keystoreFile="/users/me/.keystore" keystorePass="changeit"
>      />

Are you using APR (aka Tomcat native)?

> I have received the following keys/certs from CA:
>     - file1: private key for myhost
>     - file2: identity certificate for "myhost" signed by "CA1"
>     - file3: certificate for "CA1" signed by "entrust"
> I installed private key (file1) and "myhost" cert (file2) into
> /users/me/.keystore
> using the ImportKey utility.
> I installed the CA1's certificate into "/users/me/.keystore" using keytool.
> My keytool looks like this:
>    $ keytool -list -keystore /users/me/.keystore 
>    <...password...>

Heh... you mean it's not "changeit"? :)

>    Keystore type: JKS
>    Keystore provider: SUN
>    Your keystore contains 2 entries

Shouldn't that be 3 entries?

>    CA1, Apr 10, 2010, trustedCertEntry,
>    Certificate fingerprint (MD5):
> 2F:B3:00:F2:FA:12:7B:BD:82:95:70:05:99:12:17:DB:BE
>    tomcat, Apr 10, 2010, PrivateKeyEntry, 
>    Certificate fingerprint (MD5):
> CD:D9:06:11:30:CD:C2:60:33:33:68:A2:30:5C:01:50

What about the "entrust" one?

> I did not install any certificates into truststore
> (jre/lib/security/cacerts).
> When I connect browser to https://myhost, I get a cert error that
>     "myhost" is signed by "CA1" and cannot be trusted.
> Browser shows only one cert (for "myhost") and does not show the full
> cert chain ("myhost" -> "CA1" and "CA1" -> entrust).
> Why is the full cert chain not sent to browser?

Because you haven't provided the whole certificate chain to Tomcat.
Tomcat can only send what it already has.

> Since "entrust" CA cert is in browser CA list, if Tomcat sends full cert
> chain
> to browser, it would be trusted.

Maybe, maybe not. It's possible that the real cert chain goes like this:

myhost -> CA1 -> Entrust -> Entrust Global

If your browser only knows about the "Entrust Global" cert, then your
chain is broken.

Did you follow the instructions on Entrust's web site?

(for chain certs)

(for bare certs, I guess)

Perhaps they are the ones to ask about this.

You might want to ask why they don't "support" a version of Tomcat after

-chris