Ognjen,

On 4/4/14, 4:14 AM, Ognjen Blagojevic wrote:
> On 4.4.2014 5:23, Toby Lazar wrote:
>>> I've run my client program with the -Djavax.net.debug=all
>>> option. First it listed out all of the trusted authorities.
>>> Mine is GoDaddy and this is the record:
>>>
>>
>> That one is not the issuer of your certificate. GoDaddy has many
>> issuing certificates. The GoDaddy certificate the client trusts
>> expires in 2034 whereas your issuer certificates expire in
>> 2031/2037. Also, the DNs are different. Better to identify the
>> trusted certificate by serial number and subject key identifier.
>
> +1.
>
> It seems to be a known issue with GoDaddy G2 certificate:
>
> http://stackoverflow.com/questions/18746565/godaddy-ssl-cert-not-working-with-java
>
> "[GoDaddy] have 2 CA servers, one called Class 2 CA and the other
> called G2 CA. Their Class 2 CA signs all SHA-1 certificates, while
> the G2 CA signs all their SHA-2 certificates. This is where the
> problem lies - GoDaddy has not added their newer G2 CA server to
> the default java truststore - causing default java installations to
> not trust its authority, and hence, does not trust your chained
> certificate. The work-around until GoDaddy adds the G2 CA server to
> the default truststore is to simply rekey your cert using SHA-1
> as-to get a cert signed by the Class 2 CA server. Rekeying is free
> for GoDaddy customers until your cert expires (obviously)."

So they don't have a big "Daddy" certificate that has signed all of
their intermediate certificates? Boo. That would fix nearly everything.

> FTR, GoDaddy or any other CA can't just "add" certificate to Java
> root certificates, but it must apply at Oracle for inclusion.

If the problem is that the client trusts GoDaddy's ROOT certificate and
the server's certificate was signed by GoDaddy's intermediate
certificate (which should have been in turn signed by the ROOT
certificate), then the solution is to include the intermediate
certificate (or certificates... some CAs have longer chains) in your
keystore and configure Tomcat to serve both the server's cert and the
intermediate cert.

>>> This is what I think is the relevant part:
>>>
>>> [3]: ObjectId: 2.5.29.19 Criticality=true
>>> BasicConstraints:[
>>>   CA:false
>>>   PathLen:2147483647
>>> ]
>
> It just says that server certificate you have cannot be used to
> sign other certificates, nothing else. That is irrelevant for you.

Depending upon where this came from (there was no context given), you
are correct. If this is information from the GoDaddy certificate, then
it's likely an intermediate certificate and not a root cert.

-chris
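As an added example (not code from this thread), a small Java 17+ program that performs the check the replies describe: it parses the PEM chain Tomcat would present (leaf first, then intermediates; the root itself is left out), prints each certificate's serial number and Subject Key Identifier so the issuer can be matched against the truststore as Ognjen suggests, then validates the chain against the JRE's cacerts the way a default Java client would. The class name ChainCheck, the command-line arguments and the use of the default cacerts password are assumptions made here.

```java
import java.io.*;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

public class ChainCheck {
    // Parse every PEM certificate in the file, in file order (leaf first, then intermediates).
    static List<X509Certificate> loadChain(Path pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = Files.newInputStream(pem)) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        return chain;
    }

    // Subject Key Identifier (OID 2.5.29.14) arrives as a DER OCTET STRING wrapping an OCTET
    // STRING, so the 20-byte key id starts after two short-form tag/length headers (4 bytes).
    static String ski(X509Certificate c) {
        byte[] der = c.getExtensionValue("2.5.29.14");
        return der == null ? "(none)" : HexFormat.of().formatHex(der, 4, der.length);
    }

    public static void main(String[] args) throws Exception {
        // args[0]: PEM chain as Tomcat would send it; args[1]: truststore, e.g. $JAVA_HOME/lib/security/cacerts
        List<X509Certificate> chain = loadChain(Paths.get(args[0]));
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(args[1]))) { ts.load(in, "changeit".toCharArray()); }
        for (X509Certificate c : chain) {
            System.out.printf("subject=%s%n  issuer=%s%n  serial=%s%n  SKI=%s%n", c.getSubjectX500Principal(),
                    c.getIssuerX500Principal(), c.getSerialNumber().toString(16), ski(c));
        }
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(ts); // each trusted cert in the store is a trust anchor
        params.setRevocationEnabled(false);             // offline check of the chain itself only
        try {
            PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult)
                    CertPathValidator.getInstance("PKIX").validate(path, params);
            System.out.println("chain validates up to " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // A missing intermediate surfaces here as "unable to find valid certification path".
            System.out.println("chain does NOT validate: " + e.getMessage());
        }
    }
}
```

Running it once with only the leaf and once with the intermediate appended reproduces the failure the client sees and confirms which file Tomcat must actually serve.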