Chris,

On 4.4.2014 16:27, Christopher Schultz wrote:
So they don't have a big "Daddy" certificate that has signed all of
their intermediate certificates? Boo. That would fix nearly everything.

Actually, having different root certificates, one for SHA-1 and one for SHA-2, is recommended migration practice in order to ditch all SHA-1 certificates at some point in time, for security reasons.


FTR, GoDaddy or any other CA can't just "add" a certificate to the Java
root certificates; it must apply to Oracle for inclusion.

If the problem is that the client trusts GoDaddy's ROOT certificate
and the server's certificate was signed by GoDaddy's intermediate
certificate (which should have been in turn signed by the ROOT
certificate), then the solution is to include the intermediate
certificate (or certificates... some CAs have longer chains) in your
keystore and configure Tomcat to serve both the server's cert and the
intermediate cert.

Configuration for JSSE connectors is somewhat different than for APR. For JSSE, you don't configure Tomcat to serve intermediate certificates, but you import them into your keystore before you import the server certificate. By doing so, JSSE will serve the complete certificate chain to the client.


This is what I think is the relevant part:

[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen:2147483647
]

It just says that the server certificate you have cannot be used to
sign other certificates, nothing else. That is irrelevant for you.

Depending upon where this came from (there was no context given), you
are correct. If this is information from the GoDaddy certificate, then
it's likely an intermediate certificate and not a root cert.

X.509v3 Basic Constraints CA:true means that the certificate may sign other certificates. It would be impossible that a GoDaddy signing certificate (either root or intermediate) has CA set to false. Therefore I assumed the information is about the server certificate.

-Ognjen

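As an added example (not part of this thread), a stdlib-only Python decoder for the BasicConstraints value quoted above, plus a check that every issuer in a leaf-first chain is a CA whose pathLenConstraint is not exceeded, which is the reasoning behind the point that a signing certificate cannot carry CA:false. The DER byte strings are constructed, not GoDaddy's.

```python
"""Decode X.509v3 BasicConstraints (OID 2.5.29.19) and sanity-check CA:/PathLen:
along a certificate chain. Added example; sample DER values are constructed."""

def _read_tlv(buf, pos):
    """Read one DER tag-length-value (short-form length suffices here)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form DER length not expected in BasicConstraints")
    start = pos + 2
    return tag, buf[start:start + length], start + length

def parse_basic_constraints(der):
    """Return (ca, path_len) from a DER-encoded BasicConstraints SEQUENCE.
    cA defaults to FALSE and pathLenConstraint is OPTIONAL (RFC 5280 4.2.1.9).
    An absent pathLen is returned as None; keytool renders an unconstrained
    path length as 2147483647 (Java's Integer.MAX_VALUE), as in the output above."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("BasicConstraints must be a single SEQUENCE")
    ca, path_len, pos = False, None, 0
    if pos < len(body) and body[pos] == 0x01:          # BOOLEAN cA
        _, val, pos = _read_tlv(body, pos)
        ca = val != b"\x00"
    if pos < len(body) and body[pos] == 0x02:          # INTEGER pathLenConstraint
        _, val, pos = _read_tlv(body, pos)
        path_len = int.from_bytes(val, "big", signed=True)
    if pos != len(body):
        raise ValueError("trailing data in BasicConstraints")
    if path_len is not None and not ca:
        raise ValueError("pathLenConstraint present on a non-CA certificate")
    return ca, path_len

def check_chain(chain):
    """chain is leaf-first: [leaf, intermediate..., root]. Returns a list of
    problems; empty means every issuer is a CA and no pathLen is exceeded."""
    problems = []
    for i in range(1, len(chain)):
        ca, path_len = parse_basic_constraints(chain[i])
        if not ca:
            problems.append(f"cert #{i} has CA:false but issues cert #{i-1}")
        # pathLen limits the number of CA certs below this one (the leaf is excluded)
        elif path_len is not None and path_len < i - 1:
            problems.append(f"cert #{i} allows {path_len} subordinate CA(s), has {i-1}")
    return problems

# Constructed sample extension values (the inner DER of OID 2.5.29.19):
LEAF = bytes.fromhex("3000")                      # SEQUENCE {}      -> CA:false
INTERMEDIATE = bytes.fromhex("30060101ff020100")  # CA:true, pathLen 0
ROOT = bytes.fromhex("30030101ff")                # CA:true, no pathLen
```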
