Re: X.509 cert not exporting CA chain?

Ronny Schuetz wrote:
Hi,

The cert that was imported to the keystore reports:
C:\Program Files\Java\jre1.6.0_05\bin>keytool -printcert -file my.cert.clean
Certificate[1]:
Owner: EMAILADDRESS=ran.shenhar@xxxxxxxxxxxx, CN=Ran Shenhar, GIVENNAME=Ran, SUR
NAME=Shenhar
Issuer: CN=Thawte Personal Freemail Issuing CA, O=Thawte Consulting (Pty) Ltd.,
C=ZA

Might be, but this is not the certificate used by Tomcat, as the subject as well as the issuer shown by the openssl client are different from the values shown by keytool. Either Tomcat is using a different keystore, or the keystore contains multiple certificates and Tomcat is using the wrong one as the identity certificate for whatever reason.

I'd recommend using keytool to list the contents of the keystore (the -list command) to check whether there are any other certificates, and to find out the alias of the Thawte-signed certificate so you can compare it with the Tomcat configuration.

Hope that helps,
Ronny

Thanks - there were indeed 2 certs, so I deleted one.
openssl s_client -connect 66.166.204.121:8443 -showcerts
CONNECTED(00000003)
depth=2 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Freemail CA/emailAddress=personal-freemail@xxxxxxxxxx
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/SN=Shenhar/GN=Ran/CN=Ran Shenhar/emailAddress=ran.shenhar@xxxxxxxxxxxx
i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte Personal Freemail Issuing CA
<snipped>

FF3 gives me Error code: sec_error_untrusted_issuer, and IE7 won't even connect.
Any ideas?
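A check for the situation Ronny describes, as an added example that is not code from the thread: it summarises the chain that openssl s_client shows, reads the verify error, and compares the fingerprint of the certificate stored under the alias Tomcat is configured with against the leaf the server actually serves. The keystore path, alias, store password and host:port are placeholders, and SAMPLE is constructed s_client output modelled on the one quoted above.

```sh
#!/bin/sh
# Added example, not code from the thread. KEYSTORE, ALIAS, STOREPASS, HOSTPORT are placeholders
# (ALIAS is the keyAlias Tomcat's server.xml names); SAMPLE is constructed s_client output.
KEYSTORE="${KEYSTORE:-/path/to/tomcat.keystore}"
ALIAS="${ALIAS:-tomcat}"
STOREPASS="${STOREPASS:-changeit}"
HOSTPORT="${HOSTPORT:-localhost:8443}"
SAMPLE='depth=2 /C=ZA/O=Thawte Consulting/CN=Thawte Personal Freemail CA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/SN=Shenhar/GN=Ran/CN=Ran Shenhar
   i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte Personal Freemail Issuing CA
 1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte Personal Freemail Issuing CA
   i:/C=ZA/O=Thawte Consulting/CN=Thawte Personal Freemail CA
 2 s:/C=ZA/O=Thawte Consulting/CN=Thawte Personal Freemail CA
   i:/C=ZA/O=Thawte Consulting/CN=Thawte Personal Freemail CA'
# Reduce `openssl s_client -showcerts` output (stdin) to one "depth|subject|issuer" line
# per certificate the server sent, so the served chain can be read or diffed.
chain_summary() {
  awk '/^ *[0-9]+ s:/ { d=$1; sub(/^ *[0-9]+ s:/, ""); s=$0 }
       /^ *i:/        { sub(/^ *i:/, ""); print d "|" s "|" $0 }'
}
# The verify error number s_client reports (empty when the chain verified).
verify_error_num() { sed -n 's/^verify error:num=\([0-9]*\):.*/\1/p' | head -n 1; }
# What the common error numbers say about the chain the server presents.
diagnose_verify_error() {
  case "$1" in
    "") echo "chain verified against the local trust store" ;;
    19) echo "full chain sent; its self-signed root is not in the trust store openssl used" ;;
    20) echo "chain is incomplete: an issuer certificate is missing" ;;
    21) echo "only the leaf was sent and its issuer is not known locally" ;;
    *)  echo "verify error $1 (see verify(1))" ;;
  esac
}
# SHA-256 fingerprint of the cert under ALIAS: PEM from keytool, fingerprint from openssl
# so the format matches the served cert's whichever Java version is installed.
keystore_fingerprint() {
  keytool -exportcert -rfc -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$ALIAS" |
    openssl x509 -noout -fingerprint -sha256
}
# Compare the keystore cert with the leaf the server actually presents (first PEM block).
check_live() {
  out=$(openssl s_client -connect "$HOSTPORT" -showcerts </dev/null 2>&1)
  printf '%s\n' "$out" | chain_summary
  diagnose_verify_error "$(printf '%s\n' "$out" | verify_error_num)"
  ks=$(keystore_fingerprint); sv=$(printf '%s\n' "$out" | openssl x509 -noout -fingerprint -sha256)
  [ "$ks" = "$sv" ] && echo "served cert is alias $ALIAS" || echo "MISMATCH: Tomcat serves another cert"
}
if [ "${1-}" = "--live" ]; then check_live; else printf '%s\n' "$SAMPLE" | chain_summary; fi
```

Run it with `--live` against the real server and keystore; without arguments it only summarises the constructed sample.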