I am importing a certificate and key from my customer and creating a PKCS12 certificate for Tomcat. Tomcat is configured to use this certificate as its keystore. Do I need to import the CA certificates from the customer as well? If yes, why?
1 Answer
If the CA certificate issuing your certificate is a "root" CA certificate (i.e. it is self-signed), it doesn't matter: if a party verifying that certificate doesn't already have it in its trust anchors, nothing will make it trust it.
It is generally more useful when the CA certificate is an intermediate CA certificate. In this case, it is relevant for the server to present the full certificate chain (except the root CA, which would be optional for the reasons stated above). Since the remote party might not have these intermediate CA certificates as known trust anchors, but might trust the CA cert that issued that intermediate CA certificate, this makes them more likely to be able to build a chain of trust from their trust anchors to the certificate to verify.
Strictly speaking, you don't need to present the full chain, but doing so makes it more likely for your certificate to be accepted.
(This is more or less the same problem as in this question. In addition, you're talking about a PKCS#12 store, so you would generally import the CA files against the right "alias" (using the Java terminology) anyway.)
This being said, private keys should generally stay private. If you're trying to implement your own CA, there are mechanisms to do this in the browser, without sending the private key anywhere, which will let the user have a PKCS#12 file in return (if they choose to export their cert+key from there).
- Hey, that explains a lot to me :) Now, do I need to add intermediate certificates while creating my PKCS#12 certificate? Or do I need to install them somewhere else? I think I should provide a separate upload dialogue for uploading CA certificates to the customer. – user3819236 Jul 17 '14 at 18:50
- Yes, create the PKCS#12 file with the chain. What does it have to do with uploading CA certificates to customers? – Bruno Jul 17 '14 at 18:59
- The customer is going to provide his certificate and key. I am developing a product that will be installed in the customer's environment. So typically, when the customer provides the cert and key from the UI, I should also ask for the CA certificate. – user3819236 Jul 17 '14 at 20:15
- Ah sorry, I had misunderstood part of the question... I'd say it's generally bad practice to have such a service. A private key should stay private. – Bruno Jul 17 '14 at 21:11
- Yeah, that's true, it must remain private. However, the admin will configure this product, so there is no harm in uploading the private key. But still, even I think this should not be done from the UI. – user3819236 Jul 17 '14 at 22:16
- For your last edit: Tomcat will still require the private key after adding the certificate. It's more like the customer is trying to configure the product's Tomcat server to use his own certificate. That's the reason he needs to upload the private key. The other option would be to upload the PKCS#12 certificate directly. – user3819236 Jul 18 '14 at 00:27
- Oh I see, it's something that makes it more convenient for the admin of the Tomcat server... – Bruno Jul 18 '14 at 10:32
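As an added example (not code from the answer or the comments above), the following script shows the point made in the answer and in Bruno's "create the PKCS#12 file with the chain" comment: it builds a throwaway root → intermediate → leaf PKI with openssl, demonstrates that a client holding only the root as trust anchor can verify the leaf only when the intermediate is supplied, and then packs leaf cert, private key and intermediate (but not the root) into a PKCS#12 keystore under the alias `tomcat`. All subjects, file names and the password `changeit` are constructed for the demo.

```shell
#!/bin/sh
# Added example: throwaway PKI + PKCS#12 keystore for Tomcat (constructed names).
set -eu

build_demo_pki() {   # $1 = working directory
  d=$1
  # Root CA: self-signed trust anchor, the part a client is assumed to hold already
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Root CA" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  # Intermediate CA issued by the root; needs CA:TRUE to be allowed to sign
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/int.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -extfile "$d/int.ext" -out "$d/int.crt" 2>/dev/null
  # Server (leaf) certificate for Tomcat, issued by the intermediate
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:tomcat.example.test\n' > "$d/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=tomcat.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 30 -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
}

# Client-side view: trust anchor is the root only. The leaf chains up only
# if the intermediate is also available (which is what the server presents).
verify_leaf() {      # $1 = dir, $2 = "with-chain" | "no-chain"; exit 0 if the leaf verifies
  if [ "$2" = with-chain ]; then
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/leaf.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" >/dev/null 2>&1
  fi
}

# Tomcat keystore: leaf cert + private key + intermediate under alias "tomcat".
# The root is left out on purpose: the client must already trust it anyway.
build_keystore() {   # $1 = dir, $2 = password
  openssl pkcs12 -export -in "$1/leaf.crt" -inkey "$1/leaf.key" \
    -certfile "$1/int.crt" -name tomcat -passout "pass:$2" -out "$1/keystore.p12"
}

# What the PKCS#12 file actually carries: number of certificates inside it
p12_cert_count() {   # $1 = keystore, $2 = password
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

DEMO=$(mktemp -d)
build_demo_pki "$DEMO"
build_keystore "$DEMO" changeit
echo "certificates in keystore: $(p12_cert_count "$DEMO/keystore.p12" changeit)"   # 2: leaf + intermediate
verify_leaf "$DEMO" with-chain && echo "with intermediate: leaf verifies"
verify_leaf "$DEMO" no-chain || echo "without intermediate: verification fails"
```

Pointing Tomcat at the result is then a matter of the connector's keystore settings (file, type PKCS12, password); the same `-nokeys` listing is a quick way to confirm a keystore delivered by a customer really contains the intermediate.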