Ognjen,
You were correct. The GoDaddy GA2 certificate was not in the root distributions. I re-keyed it to GA1 and that fixed the problems. Thank you all. Jeff Crump Sent from Windows Mail From: Ognjen Blagojevic Sent: Friday, April 4, 2014 3:14 AM To: Tomcat Users List On 4.4.2014 5:23, Toby Lazar wrote: >> I've run my client program with the -Djavax.net.debug=all option. First it >> listed out all of the trusted authorities. Mine is GoDaddy and this is the >> record: >> > > That one is not the issuer of your certificate. GoDaddy has many issuing > certificates. The GoDaddy certificate the client trusts expires in 2034 > whereas your issuer certificates expire in 2031/2037. Also, the DNs are > different. Better to identify the trusted certificate by serial number and > subject key identifier. +1. It seems to be known issue with GoDaddy G2 certificate: http://stackoverflow.com/questions/18746565/godaddy-ssl-cert-not-working-with-java "[GoDaddy] have 2 CA servers, one called Class 2 CA and the other called G2 CA. Their Class 2 CA signs all SHA-1 certificates, while the G2 CA signs all their SHA-2 certificates. This is where the problem lies - GoDaddy has not added their newer G2 CA server to the default java truststore - causing default java installations to not trust it's authority, and hence, does not trust your chained certificate. The work-around until GoDaddy adds the G2 CA server to the default truststore is to simply rekey your cert using SHA-1 as-to get a cert signed by the Class 2 CA server. Rekeying is free for GoDaddy customers until your cert expires (obviously)." FTR, GoDaddy or any other CA can't just "add" certificate to Java root certificates, but it must apply at Oracle for inclusion. >> This is what I think is the relevant part: >> [3]: ObjectId: 2.5.29.19 Criticality=true >> BasicConstraints:[ >> CA:false >> PathLen:2147483647 >> ] It just says that server certificate you have cannot be used to sign other certificates, nothing else. That is irrelevant for you. -Ognjen --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
