Tad,

On 3/10/16 5:12 PM, Tad Marko wrote:
> On Thu, Mar 10, 2016 at 3:59 PM, Christopher Schultz 
> <ch...@christopherschultz.net> wrote:
>> Tad,
>> 
>> On 3/10/16 4:03 PM, Tad Marko wrote:
>>> Is it possible to tell tomcat to NOT send the root for a 
>>> certificate chain?
>> 
>> Yep.
>> 
>> ...
>> 
>> Just remove the root cert from your keystore, and Tomcat will
>> stop sending it.
>> 
>> If you have further questions, please post the output of the
>> following command in your next post:
>> 
>> $ keytool -keystore <keystore> -list
>> 
> 
> The CA is not in my keystore:
> 
> Keystore type: JKS
> Keystore provider: SUN
> 
> Your keystore contains 3 entries
> 
> my.domain.tld, Mar 10, 2016, PrivateKeyEntry,
> Certificate fingerprint (SHA1): AE:DB:AF:8D:19:D6:38:D8:EB:5A:C1:5D:E6:D2:C4:8B:5F:58:84:6F
> intermed, Mar 10, 2016, trustedCertEntry,
> Certificate fingerprint (SHA1): 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
> cross, Mar 10, 2016, trustedCertEntry,
> Certificate fingerprint (SHA1): 34:0B:28:80:F4:46:FC:C0:4E:59:ED:33:F5:2B:3D:08:D6:24:29:64

And what tool is telling you that the root cert is being served along
with the server and intermediate certs?

So the cert chain goes like this?

server <- intermediate <- cross <- CA (not present in keystore)

?

-chris
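
One way to check which certificates a server actually sends, as an added example that is not part of the original message: it reads the "Certificate chain" section printed by `openssl s_client -connect HOST:PORT -showcerts` and lists any entry whose issuer equals its subject, which is what a served root looks like. The function names and the sample chains (all names except my.domain.tld are made up) are assumptions for illustration.

```shell
#!/bin/sh
# Added example. Name equality (issuer == subject) is a heuristic for a
# self-signed root; verifying the signature would be the definitive check.

# Print "index: subject" for each served certificate that is self-issued.
served_roots() {
    awk '
        /^Certificate chain/ { in_chain = 1; next }
        in_chain && /^---/   { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/ {
            idx = $1                       # position in the served chain
            subj = $0; sub(/^ *[0-9]+ s:/, "", subj)
            next
        }
        in_chain && /^ *i:/ {
            iss = $0; sub(/^ *i:/, "", iss)
            if (iss == subj) print idx ": " subj
        }
    '
}

# Constructed sample: server <- intermediate <- cross, root not sent.
chain_without_root() {
    printf '%s\n' 'Certificate chain' \
        ' 0 s:/CN=my.domain.tld' \
        '   i:/CN=Example Intermediate CA' \
        ' 1 s:/CN=Example Intermediate CA' \
        '   i:/CN=Example Cross-Signed CA' \
        ' 2 s:/CN=Example Cross-Signed CA' \
        '   i:/CN=Example Root CA' \
        '---'
}

# Constructed sample: the same chain with the self-signed root appended.
chain_with_root() {
    chain_without_root | sed '$d'
    printf '%s\n' ' 3 s:/CN=Example Root CA' \
        '   i:/CN=Example Root CA' \
        '---'
}

echo "without root: $(chain_without_root | served_roots)"
echo "with root:    $(chain_with_root | served_roots)"
```

Against a live server, pipe the `openssl s_client` output into `served_roots`; empty output means no self-issued certificate was served.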