Posted to users@tomcat.apache.org by "Dipl.-Ing. Mag. Bernhard Hobiger" <be...@htl-klu.at> on 2011/05/23 10:53:03 UTC

SSL Certificate Chain

Hi,

I am running Tomcat 6.0.18 64bit on Windows Server 2008 R2 Enterprise. I obtained a certificate for my server from StartCom, installed it and configured the Connector. The server, intermediate and root certificates are in a keystore file. So far all went fine, except for one problem: Tomcat sends only the server certificate, not the whole certificate chain. This means that Firefox (all newer versions) thinks the certificate is invalid.

I tried to import the StartCom certificates into the default keystore cacerts, no difference. The problem is not that Tomcat can't validate the certificate, but that the intermediate certificate is not sent (verified with Wireshark).

I tried to set all entries in logging.properties to ALL, but I don't get anything in my logs. Has anyone encountered the same behaviour?

server.xml:
    <Connector protocol="org.apache.coyote.http11.Http11Protocol"
               port="443" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="C:\Program Files\Apache Software Foundation\Tomcat 6.0\tomcat.keystore"
               keystorePass="..."
               keyAlias="intern"
               clientAuth="false" sslProtocol="TLS" />


keytool -list -keystore tomcat.keystore:


Keystore-Typ: JKS
Keystore-Provider: SUN
Ihr Keystore enthält 3 Einträge.
startcom.ca.sub, 23.05.2011, trustedCertEntry,
Zertifikatsfingerabdruck (MD5): 4F:9B:88:B0:78:F3:16:9F:19:DC:F1:A3:8A:50:DD:82
startcom.ca, 23.05.2011, trustedCertEntry,
Zertifikatsfingerabdruck (MD5): 22:4D:8F:8A:FC:F7:35:C2:BB:57:34:90:7B:8B:22:16
intern, 23.05.2011, PrivateKeyEntry,
Zertifikatsfingerabdruck (MD5): 30:93:DB:AD:5A:DB:76:00:49:EC:EA:0F:4B:9E:C3:3C

keytool -list -v -keystore tomcat.keystore: (output shortened)


Keystore-Typ: JKS
Keystore-Provider: SUN
Ihr Keystore enthält 3 Einträge.
Aliasname: startcom.ca.sub
Erstellungsdatum: 23.05.2011
Eintragstyp: trustedCertEntry
Eigner: CN=StartCom Class 2 Primary Intermediate Server CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
Aussteller: CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
Seriennummer: b
Gültig von: Wed Oct 24 22:57:08 CEST 2007 bis: Mon Oct 22 22:57:08 CEST 2012
Digitaler Fingerabdruck des Zertifikats:
  MD5:  4F:9B:88:B0:78:F3:16:9F:19:DC:F1:A3:8A:50:DD:82
  SHA1: A9:C3:A1:41:78:DF:B2:B1:D1:94:1D:5E:3F:56:DA:FA:E2:E1:40:37
  Unterschrift-Algorithmusname: SHA1withRSA
  Version: 3
...
*******************************************
*******************************************

Aliasname: startcom.ca
Erstellungsdatum: 23.05.2011
Eintragstyp: trustedCertEntry
Eigner: CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
Aussteller: CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
Seriennummer: 1
Gültig von: Sun Sep 17 21:46:36 CEST 2006 bis: Wed Sep 17 21:46:36 CEST 2036
Digitaler Fingerabdruck des Zertifikats:
  MD5:  22:4D:8F:8A:FC:F7:35:C2:BB:57:34:90:7B:8B:22:16
  SHA1: 3E:2B:F7:F2:03:1B:96:F3:8C:E6:C4:D8:A8:5D:3E:2D:58:47:6A:0F
  Unterschrift-Algorithmusname: SHA1withRSA
  Version: 3
...

*******************************************
*******************************************

Aliasname: intern
Erstellungsdatum: 23.05.2011
Eintragstyp: PrivateKeyEntry
Zertifikatskettenlänge: 1
Zertifikat[1]:
Eigner: EMAILADDRESS=postmaster@htl-klu.at, CN=intern.htl-klu.at, OU=StartCom Verified Certificate Member, O=Bernhard Hobiger, L=Klagenfurt, ST=Karnten, C=AT, OID.2.5.4.13=165616-YmmhPnif68b3zfKu
Aussteller: CN=StartCom Class 2 Primary Intermediate Server CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
Seriennummer: 1a3d
Gültig von: Thu Mar 18 09:26:36 CET 2010 bis: Mon Mar 19 00:20:28 CET 2012
Digitaler Fingerabdruck des Zertifikats:
  MD5:  30:93:DB:AD:5A:DB:76:00:49:EC:EA:0F:4B:9E:C3:3C
  SHA1: AD:21:D5:1B:83:BB:DF:A7:61:BA:BD:E0:F9:7A:13:8B:F9:EF:8A:CC
  Unterschrift-Algorithmusname: SHA1withRSA
  Version: 3
...
*******************************************
*******************************************



Re: SSL Certificate Chain

Posted by Christopher Schultz <ch...@christopherschultz.net>.

To whom it may concern,

On 5/23/2011 4:53 AM, Dipl.-Ing. Mag. Bernhard Hobiger wrote:
> I am running Tomcat 6.0.18 64bit on Windows Server 2008 R2
> Enterprise. I obtained a certificate for my server from StartCom,
> installed it and configured the Connector. The server, intermediate
> and root certificates are in a keystore file. So far all went fine,
> except for one problem: Tomcat sends only the server certificate, not
> the whole certificate chain. This means that Firefox (all newer
> versions) thinks the certificate is invalid.
> 
> I tried to import the StartCom certificates into the default keystore
> cacerts, no difference. The problem is not that Tomcat can't validate
> the certificate, but that the intermediate certificate is not sent
> (verified with Wireshark).

I haven't done much work with SSL certs in Java, but I wonder what would
happen if you imported all of the certs, together, into a single alias
in your cert store. Have you tried that, or did you import each cert
(yours, intermediate, etc.) into separate certs within the cert store?

- -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: SSL Certificate Chain

Posted by "Dipl.-Ing. Mag. Bernhard Hobiger" <be...@htl-klu.at>.
Thanks Christopher Schultz and Crypto Sal for your replies!

The key hint was the certificate chain length. My problem seemed to be that I got the server certificate as a PKCS12 file (including the private key). I imported it using "-importkeystore -srcstoretype PKCS12". "-trustcacerts" doesn't seem to have any effect with "-importkeystore". Since the PKCS12 file contained only the server certificate, it was imported with certificate chain length 1.

So here is what worked for me:

I converted the root and intermediate certificates to human readable form by importing them into a keystore and then exporting them again using "-export -rfc".

I imported my server certificate into a new keystore and adapted alias and passwords for use with my Tomcat configuration.

I exported the server certificate again using "-export -rfc"

I opened the newly created export file of my server certificate and inserted the contents of the intermediate and the root certificates at the bottom of the file. This created a valid certificate chain in PKCS7 format.

I imported the altered certificate file into the same keystore using the same alias. This replaced the single certificate with the complete certificate chain (private key remained unaltered).

Now I have a valid keystore with my server certificate and the intermediate and root certificates, and the certificate chain length is 3. Tomcat delivers the chain correctly and I finally got rid of the annoying security warnings in Firefox.

Thanks for your help!


Re: SSL Certificate Chain

Posted by Crypto Sal <cr...@gmail.com>.
On 05/23/2011 04:53 AM, Dipl.-Ing. Mag. Bernhard Hobiger wrote:
> [...]
> Aliasname: intern
> Erstellungsdatum: 23.05.2011
> Eintragstyp: PrivateKeyEntry
> Zertifikatskettenlänge: 1
> Zertifikat[1]:
> [...]


Hello,

Please take notice of the following lines in your output...

My German(?) isn't all that good, but I see this,
"Zertifikatskettenlänge: 1", which I know in English should read
something to the effect of... 'Certificate Chain Length'

This is why Tomcat (JSSE) is only serving up the one certificate (depth
0) and when I see this output, it would appear the '-trustcacerts' flag
was not used when importing the certificate(s). See this page for
reference [ http://download.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html ]

Here's also a blog posting from a fellow StartCom customer.

http://magictrevor.wordpress.com/2011/01/26/startssl-startcom-certificates-and-tomcat/

I hope this helps!

--Crypto.Sal
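An added pre-import check, written for this thread and not code from either poster or from keytool: it reads a PEM chain file assembled the way Bernhard describes (server certificate, then intermediate, then root) and reports the chain length that keytool will end up storing under the alias, which is the "Zertifikatskettenlänge" Crypto Sal points at. Each certificate must be issued by the one that follows it; the file breaks at the first pair where that fails. The certificates, names and keys are constructed sample data, not StartCom's.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)
// issue signs a certificate for cn with the parent's key; a nil parent means self-signed (the root).
func issue(cn string, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), IsCA: ca, BasicConstraintsValid: true}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// ConstructedBundle builds a throwaway chain (sample data, not StartCom's certificates) and PEM-encodes the
// members chosen by idx (0 = server, 1 = intermediate, 2 = root) in that order, like a hand-assembled chain file.
func ConstructedBundle(idx ...int) (out []byte) {
	root, rootKey := issue("Example Root CA", true, nil, nil)
	inter, interKey := issue("Example Intermediate CA", true, root, rootKey)
	leaf, _ := issue("intern.example.test", false, inter, interKey)
	chain := []*x509.Certificate{leaf, inter, root}
	for _, i := range idx {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: chain[i].Raw})...)
	}
	return out
}
// ChainLength checks that each certificate in a PEM bundle is issued by the one after it (the server-first
// order keytool needs) and returns the chain length keytool would store, or the length before the first break and an error.
func ChainLength(bundle []byte) (int, error) {
	var der []byte
	for blk, rest := pem.Decode(bundle); blk != nil; blk, rest = pem.Decode(rest) {
		der = append(der, blk.Bytes...)
	}
	certs, err := x509.ParseCertificates(der)
	for i := 0; err == nil && i+1 < len(certs); i++ {
		if string(certs[i].RawIssuer) != string(certs[i+1].RawSubject) {
			return i + 1, fmt.Errorf("chain breaks after %q", certs[i].Subject.CommonName)
		}
	}
	return len(certs), err
}
```

ChainLength(ConstructedBundle(0, 1, 2)) gives 3, the server certificate alone gives 1 (Bernhard's original keystore), and a bundle with the intermediate missing or the root listed first stops at 1 with an error; to check a real file, pass its contents instead of the constructed bundle.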


