From: R on 29 Jun 2008 10:18

Hi,

Got an X.509 certificate from Thawte. Manipulated it as described here: http://www.dallaway.com/acad/webstart/, so that now the CA reply is in my "keystore.ks".

When I tell Tomcat to use this as my keystore, it loads and everything, BUT it shows as "self signed" - no mention that the cert comes from Thawte, which kind of defeats the purpose...
See https://66.166.204.121:8443/managementtool/ for the exact message.

Anything wrong with the way I did the certificate request / import / export?

Thanks,

From: Ronny Schuetz on 29 Jun 2008 12:21

Hi,

> When I tell Tomcat to use this as my keystore, it loads and everything,
> BUT it shows as "self signed" - no mention that the cert comes from
> Thawte, which kind of defeats the purpose...
> See https://66.166.204.121:8443/managementtool/ for the exact message.

Your server is definitely using a self-signed certificate:

openssl s_client -connect 66.166.204.121:8443 -showcerts
....
---
Certificate chain
 0 s:/C=US/ST=CA/L=Cupertino/O=Mobixell.com/OU=Mobixell/CN=Ran Shenhar
   i:/C=US/ST=CA/L=Cupertino/O=Mobixell.com/OU=Mobixell/CN=Ran Shenhar
....

Probably you need to specify the alias of the Thawte signed certificate and key in the keystore somewhere in Tomcat to select the right certificate to use.

Ronny

From: R on 29 Jun 2008 13:24

Ronny Schuetz wrote:
> Hi,
>
>> When I tell Tomcat to use this as my keystore, it loads and
>> everything, BUT it shows as "self signed" - no mention that the cert
>> comes from Thawte, which kind of defeats the purpose...
>> See https://66.166.204.121:8443/managementtool/ for the exact message.
>
> Your server is definitely using a self-signed certificate:
>
> openssl s_client -connect 66.166.204.121:8443 -showcerts
> ...
> ---
> Certificate chain
> 0 s:/C=US/ST=CA/L=Cupertino/O=Mobixell.com/OU=Mobixell/CN=Ran Shenhar
> i:/C=US/ST=CA/L=Cupertino/O=Mobixell.com/OU=Mobixell/CN=Ran Shenhar
> ...
>
> Probably you need to specify the alias of the Thawte signed certificate
> and key in the keystore somewhere in Tomcat to select the right
> certificate to use.
>
> Ronny

That's my problem exactly...

The cert that was imported to the keystore reports:

C:\Program Files\Java\jre1.6.0_05\bin>keytool -printcert -file my.cert.clean
Certificate[1]:
Owner: EMAILADDRESS=ran.shenhar(a)mobixell.com, CN=Ran Shenhar, GIVENNAME=Ran, SURNAME=Shenhar
Issuer: CN=Thawte Personal Freemail Issuing CA, O=Thawte Consulting (Pty) Ltd., C=ZA

From: Ronny Schuetz on 29 Jun 2008 14:12

Hi,

> The cert that was imported to the keystore reports:
> C:\Program Files\Java\jre1.6.0_05\bin>keytool -printcert -file
> my.cert.clean
> Certificate[1]:
> Owner: EMAILADDRESS=ran.shenhar(a)mobixell.com, CN=Ran Shenhar,
> GIVENNAME=Ran, SURNAME=Shenhar
> Issuer: CN=Thawte Personal Freemail Issuing CA, O=Thawte Consulting
> (Pty) Ltd., C=ZA

Might be, but this is not the certificate used by Tomcat, as the subject as well as the issuer shown by the openssl client are different from the values shown by keytool.

Either Tomcat is using a different keystore or the keystore contains multiple certificates and Tomcat is using a wrong one as identity certificate for whatever reason.

I'd recommend to use keytool to list the content of the keystore (-list command) to check, if there are any other certificates and to find out the alias of the Thawte signed certificate to compare this with the Tomcat configuration.

Hope that helps,
Ronny

From: Ronny Schuetz on 29 Jun 2008 14:16

> I'd recommend to use keytool to list the content of the keystore (-list
> command) to check, if there are any other certificates and to find out
> the alias of the Thawte signed certificate to compare this with the
> Tomcat configuration.

Short add on, just in case: Might be that Tomcat needs to be restarted to pick up the new configuration or new certificate.

Ronny
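
The keystore check recommended above (list the entries, see which aliases exist and who issued each certificate), as an added example that is not part of the original thread. It parses `keytool -list -v` text; the sample listing is constructed, and the aliases `mykey` and `careply` and all names in it are hypothetical.

```python
import re

# Constructed, trimmed sample of `keytool -list -v -keystore keystore.ks` output.
# Aliases and distinguished names are invented for illustration.
SAMPLE = """\
Keystore type: JKS

Your keystore contains 2 entries

Alias name: mykey
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Example Owner, O=Example Org, C=US
Issuer: CN=Example Owner, O=Example Org, C=US

*******************************************

Alias name: careply
Entry type: trustedCertEntry

Owner: CN=Example Owner
Issuer: CN=Example Issuing CA, O=Example CA Ltd., C=ZA
"""

def parse_entries(listing):
    """One dict per alias, describing the first certificate listed for it."""
    entries = []
    for block in re.split(r"^Alias name: ", listing, flags=re.M)[1:]:
        def field(name):
            m = re.search(rf"^{name}: (.*)$", block, flags=re.M)
            return m.group(1).strip() if m else None
        owner, issuer = field("Owner"), field("Issuer")
        entries.append({"alias": block.splitlines()[0].strip(),
                        "type": field("Entry type"),
                        "owner": owner, "issuer": issuer,
                        # Same DN string as owner and issuer: shown as self-signed.
                        "self_signed": owner is not None and owner == issuer})
    return entries

def key_entries(entries):
    """Entries holding a private key; only these can act as the server identity."""
    # Older keytool releases print "keyEntry" instead of "PrivateKeyEntry".
    return [e for e in entries if (e["type"] or "").lower() in ("privatekeyentry", "keyentry")]

if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(e)
```

In the constructed listing the only entry with a private key is still self-signed, while the CA-issued certificate sits under a separate alias without a key, so a server pointed at this keystore has only the self-signed identity to present.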