Posted to users@tomcat.apache.org by Victor Yegorov <vi...@nordlb.lv> on 2005/04/08 17:49:24 UTC

Problem with Thawte intermediate certificate config

Hi.

We're using a Thawte-signed certificate for our web site. This year (March)
they have used a newer intermediate certificate to sign our request. Also,
they asked us to add that intermediate certificate to the Apache's
SSLCertificateChainFile directive. And all is working great in Apache.

But a bit earlier, in February, we migrated to Tomcat 5.0.28;
Apache is going to be uninstalled after a while.

The problem is that I cannot configure Tomcat so that it works just like
Apache; at the moment all browsers show me an "Unknown certificate" warning.

I've tried various combinations of the verisign, thawte and our certificates
being in both keystores used here. I've tried changing aliases -- it doesn't
help. And I cannot find a good article/document on how to configure Tomcat for
using intermediate certificates.

The certificate chain is: verisign -> thawte -> mpi (our host).
Neither verisign's CA nor thawte's intermediate certificates are found in
browsers' list of known CAs.

Can you, please, assist me with setting up our Tomcat server? Thanks.

Here's a part of my server.xml:

> <Connector className="org.apache.coyote.tomcat5.CoyoteConnector"
> 			port="443"
> 			minProcessors="5"
> 			maxProcessors="75"
> 			enableLookups="true"
> 			acceptCount="100"
> 			debug="0"
> 			scheme="https"
> 			secure="true"
> 			useURIValidationHack="false"
> 			disableUploadTimeout="true"
> 			clientAuth="false"
> 			sslProtocol="TLS"
> 			keystoreFile="certs/mpi.keystore"
> 			keystorePass="..."
> 			truststoreFile="certs/intermediate.keystore"
> 			truststoreType="JKS"
> 			truststorePass="..." />


and here is what both mentioned keystores contain:

1) mpi.keystore
> Your keystore contains 3 entries:
> 
> Alias name: subca
> Creation date: Tue Mar 29 11:59:34 EEST 2005
> Entry type: trustedCertEntry
> 
> Owner: CN=Thawte SGC CA, O=Thawte Consulting (Pty) Ltd., C=ZA
> Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
> Serial number: 30000002
> Valid from: Thu May 13 03:00:00 EEST 2004 until: Tue May 13 02:59:59 EEST 2014
> Certificate fingerprints:
>          MD5:  84:84:03:56:10:85:53:ED:9A:CA:60:B5:FA:99:D3:31
>          SHA1: EC:07:10:03:D8:F5:A3:7F:42:C4:55:7F:65:6A:AE:86:65:FA:4B:02
> 
> 
> *******************************************
> *******************************************
> 
> 
> Alias name: cacert
> Creation date: Tue Mar 29 11:59:44 EEST 2005
> Entry type: trustedCertEntry
> 
> Owner: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
> Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
> Serial number: 70bae41d10d92934b638ca7b03ccbabf
> Valid from: Mon Jan 29 02:00:00 EET 1996 until: Wed Aug 02 02:59:59 EEST 2028
> Certificate fingerprints:
>          MD5:  10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
>          SHA1: 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2
> 
> 
> *******************************************
> *******************************************
> 
> 
> Alias name: sslcertificate
> Creation date: Tue Mar 29 09:12:08 EEST 2005
> Entry type: keyEntry
> Certificate chain length: 1
> Certificate[1]:
> Owner: EmailAddress=lazarenk@nordlb.lv, CN=mpi.nordlb.lv, OU=IT Department, O=NORD/LB Latvija, L=Riga, ST=Riga, C=LV
> Issuer: CN=Thawte SGC CA, O=Thawte Consulting (Pty) Ltd., C=ZA
> Serial number: 20f1a6
> Valid from: Thu Mar 03 18:59:28 EET 2005 until: Thu Mar 23 14:12:02 EET 2006
> Certificate fingerprints:
>          MD5:  AB:EE:BD:41:69:3C:40:BD:04:DE:BD:89:5F:79:E9:A4
>          SHA1: 07:DD:8B:B7:22:AF:DF:A9:42:B0:C9:11:4C:89:A2:F2:13:B6:22:88
> 
> 
> *******************************************
> *******************************************


2) intermediate.keystore
> Your keystore contains 2 entries:
> 
> Alias name: thawft
> Creation date: Fri Apr 08 17:59:20 EEST 2005
> Entry type: trustedCertEntry
> 
> Owner: CN=Thawte SGC CA, O=Thawte Consulting (Pty) Ltd., C=ZA
> Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
> Serial number: 30000002
> Valid from: Thu May 13 03:00:00 EEST 2004 until: Tue May 13 02:59:59 EEST 2014
> Certificate fingerprints:
>          MD5:  84:84:03:56:10:85:53:ED:9A:CA:60:B5:FA:99:D3:31
>          SHA1: EC:07:10:03:D8:F5:A3:7F:42:C4:55:7F:65:6A:AE:86:65:FA:4B:02
> 
> 
> *******************************************
> *******************************************
> 
> 
> Alias name: verisignca3
> Creation date: Fri Apr 08 17:56:55 EEST 2005
> Entry type: trustedCertEntry
> 
> Owner: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
> Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
> Serial number: 70bae41d10d92934b638ca7b03ccbabf
> Valid from: Mon Jan 29 02:00:00 EET 1996 until: Wed Aug 02 02:59:59 EEST 2028
> Certificate fingerprints:
>          MD5:  10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
>          SHA1: 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2
> 
> 
> *******************************************
> *******************************************


Also, I've attached catalina.out with SSL debug information.

Waiting for your reply.


-- 

Victor Y. Yegorov
Software Developer, NORD/LB Latvija JSC
Phone (+371) 7077142, Mobile (+371) 9131883
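As an added example that is not part of the original post or of Tomcat, the checker below parses the plain-text output of `keytool -list -v` (the format quoted in the post) and flags a key entry whose stored chain stops short of the intermediate CA. The first embedded listing is trimmed from the post's own `mpi.keystore` output; the second is constructed to show what the same entry looks like once the intermediate is attached. Function and constant names are the example's own.

```python
"""Check a keystore listing for a server cert stored without its CA chain.

Added example, not code from the original post. JSSE, and so Tomcat, sends
clients only the chain attached to the keyEntry; trustedCertEntry entries in
keystoreFile, and everything in truststoreFile, are never sent to browsers
(truststoreFile is consulted only when clientAuth is enabled).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Entry:
    alias: str
    entry_type: str = ""
    chain_length: int = 1                               # keytool prints this only for key entries
    owners: List[str] = field(default_factory=list)     # one DN per Certificate[n]
    issuers: List[str] = field(default_factory=list)


def parse_keytool_listing(text: str) -> List[Entry]:
    """Split `keytool -list -v` output into entries with their Owner/Issuer DNs."""
    entries: List[Entry] = []
    current: Optional[Entry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            current = Entry(alias=line.split(":", 1)[1].strip())
            entries.append(current)
        elif current is None:
            continue
        elif line.startswith("Entry type:"):
            current.entry_type = line.split(":", 1)[1].strip()
        elif line.startswith("Certificate chain length:"):
            current.chain_length = int(line.split(":", 1)[1].strip())
        elif line.startswith("Owner:"):
            current.owners.append(line.split(":", 1)[1].strip())
        elif line.startswith("Issuer:"):
            current.issuers.append(line.split(":", 1)[1].strip())
    return entries


def incomplete_chains(entries: List[Entry]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (key alias, issuer DN of the top stored cert, alias of that issuer when it
    sits in the keystore as a detached non-root trustedCertEntry, else None) for each
    key entry whose stored chain neither ends at a self-signed root nor at a cert
    issued by a self-signed root present in the keystore. A None alias means the
    issuer is absent, so the chain cannot be confirmed either way from this listing."""
    trusted: Dict[str, Entry] = {e.owners[0]: e for e in entries
                                 if e.entry_type == "trustedCertEntry" and e.owners}
    findings: List[Tuple[str, str, Optional[str]]] = []
    for e in entries:
        if e.entry_type not in ("keyEntry", "PrivateKeyEntry") or not e.owners:
            continue
        top_owner, top_issuer = e.owners[-1], e.issuers[-1]
        if top_owner == top_issuer:
            continue                                    # chain already ends at a root
        issuer_entry = trusted.get(top_issuer)
        if issuer_entry is None:
            findings.append((e.alias, top_issuer, None))
        elif issuer_entry.owners[0] != issuer_entry.issuers[0]:
            findings.append((e.alias, top_issuer, issuer_entry.alias))  # intermediate detached
    return findings


# Trimmed from the post's mpi.keystore listing (dates and fingerprints dropped).
LISTING_FROM_POST = """\
Alias name: subca
Entry type: trustedCertEntry
Owner: CN=Thawte SGC CA, O=Thawte Consulting (Pty) Ltd., C=ZA
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Alias name: cacert
Entry type: trustedCertEntry
Owner: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Alias name: sslcertificate
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=mpi.nordlb.lv, OU=IT Department, O=NORD/LB Latvija, L=Riga, ST=Riga, C=LV
Issuer: CN=Thawte SGC CA, O=Thawte Consulting (Pty) Ltd., C=ZA
"""

# Constructed: the same key entry after the intermediate has been attached to it.
LISTING_REPAIRED = """\
Alias name: cacert
Entry type: trustedCertEntry
Owner: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Alias name: sslcertificate
Entry type: keyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=mpi.nordlb.lv, OU=IT Department, O=NORD/LB Latvija, L=Riga, ST=Riga, C=LV
Issuer: CN=Thawte SGC CA, O=Thawte Consulting (Pty) Ltd., C=ZA
Certificate[2]:
Owner: CN=Thawte SGC CA, O=Thawte Consulting (Pty) Ltd., C=ZA
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
"""

if __name__ == "__main__":
    for name, listing in (("post", LISTING_FROM_POST), ("repaired", LISTING_REPAIRED)):
        print(name, incomplete_chains(parse_keytool_listing(listing)))
```

On the post's listing the checker reports `sslcertificate` with the Thawte SGC CA as a detached `subca` entry: the `Certificate chain length: 1` line is the symptom, because the intermediate sits in the keystore only as a trusted entry and Tomcat never sends trusted entries, nor anything from `truststoreFile`, to clients. The usual keytool repair (standard keytool behaviour, not a step from the post) is to import the Thawte-issued server certificate file under the existing key alias, e.g. `keytool -import -alias sslcertificate -keystore certs/mpi.keystore -file <server-cert-file>` with the file name as a placeholder; keytool treats a certificate imported under a key entry's alias as a CA reply, builds the chain from the trusted entries already in the keystore, and the listing then shows a chain length of 2 as in the repaired sample.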