Ashish,

On 11/17/11 10:08 AM, Ashish Kulkarni wrote:
> I had to deal with this issue in WebSphere. I got a Thawte certificate
> and no matter what, I was not able to get the primary and secondary
> certificate to work in the IE browser, only in Firefox and Chrome.
> Finally I got a certificate from Verisign and it works well in IE
> and Chrome but not in Firefox. This certificate business is very
> murky, with these companies making deals with browser companies and
> making our life difficult. I bet if you add the primary and
> intermediate certificate to the IE browser it will work fine. If there
> is another web service that needs to call this, then that web service
> must know all the 3 certificates to authenticate your certificate.

Nobody's really making deals with anyone. The difference is in exactly
which root certificates ship with each web browser. Over the last few
years, many CAs have started offering different flavors of cert such
as EV, etc. and they have introduced new top-level certs for their new
flavors.

Since they are new top-level certs, they should be trusted by every
web browser, but not everyone updates their certificate stores, etc.
So, they signed their new top-level certificates with their old
top-level certs so that older browsers wouldn't puke.

In order to make everything work, you have to have the full
certificate chain. Evidently, you are missing a piece that MSIE
requires in one case, and another piece that ff/chrome require in the
other.

Basically, if you have all the certificates you need (sometimes you
may need more than one intermediate certificate), then everything will
work.

I've never done much with Java's keystores, but working with httpd has
been easy: just concatenate all the certs together into one large file
and you're done. I'm sure a similar thing can be done with a keystore.

-chris
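
Added example (not part of the original message): the missing-intermediate failure discussed above, reproduced with a throwaway chain built by the openssl CLI, plus the concatenated leaf-then-intermediate file. The subject names, file names and the helper functions make_demo_chain and chain_ok are assumptions made for the demo.

```bash
#!/usr/bin/env bash
# Constructed demo (not from the thread): throwaway root -> intermediate -> leaf.
# All subject names and file names below are made up for the example.

make_demo_chain() {  # $1 = empty working directory
  dir=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.ext"
  for n in root int leaf; do  # one key + CSR per certificate
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo $n" \
      -keyout "$dir/$n.key" -out "$dir/$n.csr" 2>/dev/null || return 1
  done
  # Root: self-signed, the only certificate the client trusts.
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 2 \
    -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null || return 1
  # Intermediate CA: signed by the root.
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 2 -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null || return 1
  # Server (leaf) certificate: signed by the intermediate, not by the root.
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -days 2 -out "$dir/leaf.pem" 2>/dev/null || return 1
  # Concatenated file: leaf first, then the intermediate(s).
  cat "$dir/leaf.pem" "$dir/int.pem" > "$dir/bundle.pem"
}

# Returns 0 only if the leaf chains up to the trusted root.
chain_ok() {  # $1 = trusted root, $2 = leaf, $3 = optional extra (untrusted) certs
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

work=$(mktemp -d)
make_demo_chain "$work"
if chain_ok "$work/root.pem" "$work/leaf.pem"; then
  echo "leaf only: verified"
else
  echo "leaf only: FAILED (issuer not found, intermediate missing)"
fi
if chain_ok "$work/root.pem" "$work/leaf.pem" "$work/bundle.pem"; then
  echo "leaf + intermediate bundle: verified"
fi
```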