
I'm pretty new to all this, but I'm trying to achieve the following:

  1. Create a 'Certificate Authority' (done: used openssl).
  2. Create a priv/pub key pair for Tomcat (done: used keytool).
  3. Create a 'Certificate Signing Request' (done: used keytool).
  4. Carried out the 'Certificate Signing Request' (done: using openssl, signed with 'CA').
  5. Installed the CA (self-signed of course) back into my (default JDK's) Tomcat keystore.
  6. Installed the resultant CA-signed certificate back in the (default JDK's) Tomcat keystore (keytool used for steps 5 and 6).

So now my Tomcat (JDK default) keystore contains:

  1. My Private Key / Public Key Pair.
  2. The CA's public key/self-signed cert.
  3. My CA-Signed Certificate.

But when I contact my host with openssl, only the original self-signed cert is returned (see below for the test and output).

How does Tomcat decide which cert path to return in the SSL handshake? Is it hardcoded to look for certs that have the subject 'tomcat' or something?

I'm using JDK 1.6, using the JSSE (not APR) option for Tomcat.

TEST showing that only the original self-signed cert is returned, not the cert chain including the CA.

openssl s_client -connect myhost:443 -showcerts

Gives:

CONNECTED(00000003)
depth=0 /C=ai/ST=all/L=virtualworldone/O=computers/OU=appserver/CN=tomcat
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=ai/ST=all/L=virtualworldone/O=computers/OU=appserver/CN=tomcat
verify return:1
---
Certificate chain
 0 s:/C=ai/ST=all/L=virtualworldone/O=computers/OU=appserver/CN=tomcat
   i:/C=ai/ST=all/L=virtualworldone/O=computers/OU=appserver/CN=tomcat
---
Server certificate
subject=/C=ai/ST=all/L=virtualworldone/O=computers/OU=appserver/CN=tomcat
issuer=/C=ai/ST=all/L=virtualworldone/O=computers/OU=appserver/CN=tomcat
---
No client certificate CA names sent
---
SSL handshake has read 1284 bytes and written 276 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-DSS-DES-CBC3-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-DSS-DES-CBC3-SHA
    Session-ID: 540204AA630D80A7000E9AEC0AE738E6F0FCCC9EAE1D64F69956BCDFFADAC23A
    Session-ID-ctx:
    Master-Key: 338FCE3A028B2E8DFBF57F99609A6056973FB3D62722C192DF52F38B5A1FFDDAF79AD52327C18E7D99C226D34918D646
    Key-Arg   : None
    Start Time: 1409418410
    Timeout   : 300 (sec)
monojohnny
  • posting your certificate here is not so smart. – theodore hogberg Aug 30 '14 at 17:51
  • it's fine. Public Key. – monojohnny Aug 30 '14 at 18:03
  • OK: using a graphical tool (KeyStore Explorer) I noticed that I have the option 'Import CA Reply': this works. Not sure what it did to the keystore, or how it influenced Tomcat to deliver the correct chain - but it worked it seems... leaving question open for further input. – monojohnny Aug 30 '14 at 18:06
  • ok, forget what I said :) – theodore hogberg Aug 30 '14 at 18:22
  • Just closed as a duplicate. If you think this isn't a duplicate of that question, feel free to comment (we can re-open). The solution is very similar to [this answer](http://stackoverflow.com/a/9300727/372643) too (linked from the duplicate). Perhaps [this question](http://stackoverflow.com/q/24974324/372643) might also be of interest. – Bruno Aug 30 '14 at 19:27
  • Thanks Bruno - I'll take a look at the other post - I think it must be similar (if not in fact the same): in fact using the graphical tool and specifying exactly 'import csr reply' seems to work just fine for me. – monojohnny Aug 30 '14 at 20:43

0 Answers
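Added example (not from the question or its comments): a small POSIX shell helper that parses the "Certificate chain" section of the `openssl s_client -showcerts` output shown above and reports whether the server presented only a self-signed leaf, a single CA-signed cert, or a real chain. Both sample inputs are constructed excerpts; the CA subject `CN=myca` in the second sample is an assumption.

```shell
#!/bin/sh
# Constructed excerpt of the s_client output from the question (certificate
# body omitted): the server presents exactly one self-signed certificate.
SAMPLE_ONE_CERT='Certificate chain
 0 s:/C=ai/ST=all/L=virtualworldone/O=computers/OU=appserver/CN=tomcat
   i:/C=ai/ST=all/L=virtualworldone/O=computers/OU=appserver/CN=tomcat
---
Server certificate'

# Constructed sample of the expected output once the key entry holds the
# CA-signed cert plus the CA; the CA subject (CN=myca) is an assumption.
SAMPLE_CHAIN='Certificate chain
 0 s:/C=ai/ST=all/L=virtualworldone/O=computers/OU=appserver/CN=tomcat
   i:/C=ai/ST=all/O=computers/OU=ca/CN=myca
 1 s:/C=ai/ST=all/O=computers/OU=ca/CN=myca
   i:/C=ai/ST=all/O=computers/OU=ca/CN=myca
---'

# One line per presented certificate: "<index>|<subject>|<issuer>".
chain_entries() {
  printf '%s\n' "$1" | awk '
    /^Certificate chain/ { inchain = 1; next }
    inchain && /^---/ { inchain = 0 }
    inchain && /^ *[0-9]+ s:/ { idx = $1; sub(/^ *[0-9]+ s:/, ""); subj = $0 }
    inchain && /^ *i:/ { sub(/^ *i:/, ""); print idx "|" subj "|" $0 }'
}

# Number of certificates the server sent (0 if no chain section was found).
chain_length() { chain_entries "$1" | wc -l | tr -d ' '; }

# "self-signed" when the leaf's issuer equals its subject, else "ca-signed".
leaf_status() {
  chain_entries "$1" | awk -F'|' 'NR == 1 { s = ($2 == $3) ? "self-signed" : "ca-signed"; print s }'
}

# Verdict: a lone self-signed leaf is the symptom from the question (the key
# entry carries no CA reply); a lone CA-signed leaf means the CA was not stored
# with the key; two or more certificates means a chain was actually sent.
diagnose() {
  n=$(chain_length "$1"); n=${n:-0}
  status=$(leaf_status "$1")
  if [ "$n" -eq 0 ]; then echo "no-chain-found"
  elif [ "$n" -gt 1 ]; then echo "chain-sent"
  elif [ "$status" = self-signed ]; then echo "self-signed-leaf-only"
  else echo "single-cert-no-ca"
  fi
}

# Live use: diagnose "$(openssl s_client -connect myhost:443 -showcerts </dev/null 2>/dev/null)"
diagnose "$SAMPLE_ONE_CERT"   # prints self-signed-leaf-only
```

Tomcat's JSSE connector sends whatever chain is attached to the private-key entry (what `KeyStore.getCertificateChain` returns for the key alias), so trusted-certificate entries imported under other aliases are never sent, which is why the handshake above still shows the original self-signed cert. Importing the CA reply under the key's own alias (`keytool -importcert -keystore <ks> -alias <keyalias> -file <signed.crt>`, after the CA cert is present as a trusted entry or reachable via `-trustcacerts`) replaces that entry's chain, which is what the graphical 'Import CA Reply' did.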