
When I create an SSLServerSocket in Java 7 the server correctly uses my server certificate and key. The certificate was issued by a sub-ca of a ca. Therefore the complete chain from the root cert to the server cert has four certificates. The complete chain is present in the keystore/truststore.

However when a client connects the server always sends only the server certificate itself. This also applies to Java based web servers like Jetty.

Because most clients have only the root ca certificate installed and not the two sub-ca certificates this is a big problem.

How can I force Java to send the full certificate chain in the SSL/TLS handshake?

Robert
  • Have you configured this entry in your keystore with the entire chain itself (as described in [this question](http://stackoverflow.com/a/9300727/372643))? – Bruno Oct 08 '12 at 08:48
  • The complete chain is present in the keystore - I updated that detail in my question. – Robert Oct 08 '12 at 09:08
  • Just to clarify, I don't just mean having the full chain in the keystore, I mean having the full keychain in the right entry in the keystore (the one that also has the private key). – Bruno Oct 08 '12 at 09:12
  • Sorry but I don't understand your question. What do you mean by "keychain"? There is only one key needed - the one for the SSL certificate. – Robert Oct 08 '12 at 09:25
  • Sorry, typo, I just meant "chain". You need the full chain imported in the same entry in the keystore, having the certificates that form the chain in different entries isn't enough. (Have you followed the procedure described [here](http://stackoverflow.com/a/9300727/372643)?) – Bruno Oct 08 '12 at 09:26
  • OK, now I understand. Pretty complex that you can have multiple entries in the keystore and each of them has multiple certificates. The link was really helpful. Post everything as answer and I will accept it. – Robert Oct 08 '12 at 13:19

1 Answer


A key entry in a keystore isn't just for a single certificate, but for a certificate chain (see KeyStore.setKeyEntry, which takes a Certificate[] chain parameter).

If you want a specific chain to be used, it needs to be set up as a chain in the entry where you have the certificate and its private key. Whether the intermediate certificates are also in the same keystore in different entries doesn't really matter.

This is a very similar problem to getting a client to send the full client-certificate chain. The same keystore configuration steps should also work from a server point of view, as described in this question.

Bruno
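As an added illustration of the answer above (example code written for this page, not from the answerer or from the JDK docs): it rewrites the key entry so that it carries the full chain via `KeyStore.setKeyEntry`, and checks the chain order and signatures before storing. The keystore path, alias, password and the PEM file names are hypothetical; the three CA files are listed in issuing order, leaf excluded.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/** Rewrites key entry ALIAS so its chain is leaf -> sub-CA -> CA -> root. */
public class FixKeyEntryChain {
    public static void main(String[] args) throws Exception {
        // Hypothetical names; adjust to your deployment.
        String ksPath = "server.jks", alias = "server";
        char[] password = "changeit".toCharArray();
        String[] caPems = { "sub-ca.pem", "ca.pem", "root-ca.pem" };

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(ksPath)) {
            ks.load(in, password);
        }
        PrivateKey key = (PrivateKey) ks.getKey(alias, password);
        X509Certificate leaf = (X509Certificate) ks.getCertificate(alias);

        // Build the chain: server certificate first, then each issuer in turn.
        List<X509Certificate> chain = new ArrayList<>();
        chain.add(leaf);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (String pem : caPems) {
            try (FileInputStream in = new FileInputStream(pem)) {
                chain.add((X509Certificate) cf.generateCertificate(in));
            }
        }
        // Sanity check: each certificate must be issued and signed by the next one.
        for (int i = 0; i + 1 < chain.size(); i++) {
            X509Certificate child = chain.get(i), issuer = chain.get(i + 1);
            if (!child.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
                throw new IllegalStateException("chain order broken at index " + i);
            }
            child.verify(issuer.getPublicKey()); // throws if the signature does not match
        }
        // Replace the entry: same key, same alias, now with the complete chain.
        ks.setKeyEntry(alias, key, password, chain.toArray(new Certificate[0]));
        try (FileOutputStream out = new FileOutputStream(ksPath)) {
            ks.store(out, password);
        }
        System.out.println("entry '" + alias + "' now holds "
                + ks.getCertificateChain(alias).length + " certificates");
    }
}
```

After this, `SSLServerSocket` (and Jetty, when pointed at the same keystore) sends every certificate in the entry's chain; the self-signed root can be left out of the array if you prefer a smaller handshake, since clients already trust it from their own store.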