On 5/23/23 8:31 AM, Christopher Schultz wrote:
Can you dump the whole cert (e.g. keytool -list -v -alias 'certname') for each cert and see if any of the certificates specify a maximum chain length somewhere? Evidently, it's an extension to the X.509 spec:
Comparing one that worked with one that blew up, they have the same values for all of the "basic constraints" sections: the site cert shows
BasicConstraints:[ CA:false PathLen: undefined ]
the intermediate cert shows
BasicConstraints:[ CA:true PathLen:0 ]
and the root cert shows
BasicConstraints:[ CA:true PathLen: no limit ]
As I said last week, given that (1) I could not reproduce the problem in four different attempts, and (2) the file size on the "problem" keystore changed when the keystore was sent to the customer box, *and then changed back* when I sent it back, I'm chalking this up to an extremely freaky fluke.
But thanks, Christopher, for taking a look at the problem. -- JHHL
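As an added example that is not part of the thread above, the following Python script parses the `BasicConstraints:[ CA:... PathLen:... ]` lines that `keytool -list -v` prints and checks the chain the way Christopher suggested: the site cert must not be a CA, every issuer must be a CA, and no issuer may have more intermediate CA certificates below it than its PathLen allows (RFC 5280 section 4.2.1.9; the end-entity cert does not count). The three `keytool` lines from the message are used as sample input, and a second chain that violates a `PathLen:0` constraint is constructed here for contrast; the function and variable names are the example's own.

```python
import re
from typing import List, NamedTuple, Optional


class BasicConstraints(NamedTuple):
    ca: bool
    path_len: Optional[int]  # None means "undefined" or "no limit"


# Matches keytool's rendering; \s handles both the one-line form quoted in the
# thread and the multi-line form keytool normally prints.
_BC_RE = re.compile(r"BasicConstraints:\[\s*CA:(true|false)\s+PathLen:\s*(.+?)\s*\]")


def parse_basic_constraints(text: str) -> BasicConstraints:
    """Extract CA flag and PathLen from one certificate's keytool output."""
    m = _BC_RE.search(text)
    if not m:
        raise ValueError(f"no BasicConstraints extension found in: {text!r}")
    ca = m.group(1) == "true"
    raw = m.group(2)
    # "undefined" / "no limit" carry no numeric bound.
    path_len = int(raw) if raw.isdigit() else None
    return BasicConstraints(ca, path_len)


def check_chain(chain: List[BasicConstraints]) -> List[str]:
    """Validate a leaf-first chain [site, intermediate..., root].

    Returns a list of problems; an empty list means the BasicConstraints
    extensions alone would not reject this path.
    """
    problems = []
    leaf, issuers = chain[0], chain[1:]
    if leaf.ca:
        problems.append("leaf certificate is marked CA:true")
    for i, issuer in enumerate(issuers, start=1):
        if not issuer.ca:
            problems.append(f"issuer #{i} has CA:false but signs other certs")
        # Certificates between this issuer and the leaf, all of which must be CAs;
        # pathLenConstraint caps how many of them may exist.
        intermediates_below = i - 1
        if issuer.path_len is not None and intermediates_below > issuer.path_len:
            problems.append(
                f"issuer #{i} allows PathLen:{issuer.path_len} but has "
                f"{intermediates_below} intermediate CA cert(s) below it"
            )
    return problems


# Sample input: the three lines quoted in the message (site, intermediate, root).
KEYTOOL_LINES_FROM_THREAD = [
    "BasicConstraints:[ CA:false PathLen: undefined ]",
    "BasicConstraints:[ CA:true PathLen:0 ]",
    "BasicConstraints:[ CA:true PathLen: no limit ]",
]

# Constructed counter-example: a root with PathLen:0 that nevertheless has an
# intermediate CA between it and the site cert.
CONSTRUCTED_BAD_CHAIN = [
    "BasicConstraints:[ CA:false PathLen: undefined ]",
    "BasicConstraints:[ CA:true PathLen:0 ]",
    "BasicConstraints:[ CA:true PathLen:0 ]",
]


def check_keytool_output(lines: List[str]) -> List[str]:
    return check_chain([parse_basic_constraints(line) for line in lines])


if __name__ == "__main__":
    for label, lines in (("thread chain", KEYTOOL_LINES_FROM_THREAD),
                         ("constructed bad chain", CONSTRUCTED_BAD_CHAIN)):
        problems = check_keytool_output(lines)
        print(f"{label}: {'OK' if not problems else problems}")
```

Run against the chain in the thread it reports no problems, which matches JHHL's observation that the path-length values alone could not explain the failure; the constructed chain is rejected because the root's `PathLen:0` forbids the intermediate beneath it.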