Re: X.509 cert not exporting CA chain?

Discussion in 'Java' started by Ronny Schuetz, Jun 29, 2008.

  1. Hi,

    > When I tell Tomcat to use this as my keystore, it loads and everything,
    > BUT it shows as "self signed" - no mention that the cert comes from
    > Thawte, which kind of defeats the purpose...
    > See https://66.166.204.121:8443/managementtool/ for the exact message.


    Your server is definitely using a self-signed certificate:

    openssl s_client -connect 66.166.204.121:8443 -showcerts
    ....
    ---
    Certificate chain
    0 s:/C=US/ST=CA/L=Cupertino/O=Mobixell.com/OU=Mobixell/CN=Ran Shenhar
    i:/C=US/ST=CA/L=Cupertino/O=Mobixell.com/OU=Mobixell/CN=Ran Shenhar
    ....

    Probably you need to specify the alias of the Thawte signed certificate
    and key in the keystore somewhere in Tomcat to select the right
    certificate to use.

    Ronny
    Ronny Schuetz, Jun 29, 2008
    #1

  2. Hi,

    > The cert that was imported to the keystore reports:
    > C:\Program Files\Java\jre1.6.0_05\bin>keytool -printcert -file
    > my.cert.clean
    > Certificate[1]:
    > Owner: EMAILADDRESS=, CN=Ran Shenhar,
    > GIVENNAME=Ran, SUR
    > NAME=Shenhar
    > Issuer: CN=Thawte Personal Freemail Issuing CA, O=Thawte Consulting
    > (Pty) Ltd.,
    > C=ZA


    Might be, but this is not the certificate used by Tomcat, as the subject
    as well as the issuer shown by the openssl client are different from the
    values shown by keytool. Either Tomcat is using a different keystore or
    the keystore contains multiple certificates and Tomcat is using the wrong
    one as the identity certificate for whatever reason.

    I'd recommend using keytool to list the content of the keystore (-list
    command) to check if there are any other certificates and to find out
    the alias of the Thawte-signed certificate, so you can compare this with
    the Tomcat configuration.

    Hope that helps,
    Ronny
    Ronny Schuetz, Jun 29, 2008
    #2

  3. > I'd recommend using keytool to list the content of the keystore (-list
    > command) to check if there are any other certificates and to find out
    > the alias of the Thawte-signed certificate, so you can compare this with
    > the Tomcat configuration.


    Short add-on, just in case: it might be that Tomcat needs to be restarted
    to pick up the new configuration or the new certificate.

    Ronny
    Ronny Schuetz, Jun 29, 2008
    #3
  4. > Thanks - there were indeed 2 certs, so I deleted one.

    No problem.

    > openssl s_client -connect 66.166.204.121:8443 -showcerts
    > CONNECTED(00000003)
    > depth=2 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte
    > Consulting/OU=Certification Services Division/CN=Thawte Personal
    > Freemail CA/emailAddress=
    > verify error:num=19:self signed certificate in certificate chain
    > verify return:0
    > ---
    > Certificate chain
    > 0 s:/SN=Shenhar/GN=Ran/CN=Ran
    > Shenhar/emailAddress=
    > i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte Personal Freemail
    > Issuing CA
    > <snipped>
    >
    > FF3 gives me Error code: sec_error_untrusted_issuer, IE7 won't even
    > connect.
    > Any ideas?


    Yes. The certificate is not intended to be used as a server certificate
    but to encrypt/sign e-mails. So, for example, the server name is not in
    the CN field of the certificate subject.

    The certificate might be usable for code signing (which was, as far as I
    know, your original intention), but not as a server certificate.

    So in case you need SSL connectivity, you need to obtain a server
    certificate from, for example, Verisign or GoDaddy. In case you
    don't need SSL, you can make your JavaWS application accessible via HTTP
    and still use the Thawte certificate to sign the application code.

    One additional note: your Thawte certificate does not contain a key
    usage or extended key usage extension, which is usually used to specify
    the purpose of the certificate, i.e. whether you're allowed to use it for
    client or server authentication (for SSL) or whether you're allowed to use
    it for code signing (for example for JavaWS). I don't know if JavaWS
    accepts it for code signing; you have to test that. There might even be
    differences between Java 5 and Java 6, as for example Java 6 is
    explicitly checking the code signing flag in the extended key usage
    extension now, as far as I know. As this extension is not present at all,
    it might work - or not.

    Ronny
    Ronny Schuetz, Jun 30, 2008
    #4
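As an added example (not code from the thread or from its participants), a small Python checker that applies the diagnosis above to the "Certificate chain" block printed by `openssl s_client -showcerts`: it flags a leaf whose subject equals its issuer (self-signed), reports the issuer CN, and notes when the subject looks like an e-mail certificate rather than one whose CN names the server. The two sample outputs are constructed from the runs quoted in this thread; the hostname check only looks at the CN because the chain summary does not show subjectAltName.

```python
import re

# Constructed samples, trimmed from the two s_client runs quoted in the thread:
# the first run (wrong alias picked) and the second (Thawte e-mail cert served).
SELF_SIGNED = """\
Certificate chain
 0 s:/C=US/ST=CA/L=Cupertino/O=Mobixell.com/OU=Mobixell/CN=Ran Shenhar
   i:/C=US/ST=CA/L=Cupertino/O=Mobixell.com/OU=Mobixell/CN=Ran Shenhar
---
"""
EMAIL_CERT = """\
Certificate chain
 0 s:/SN=Shenhar/GN=Ran/CN=Ran Shenhar/emailAddress=
   i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte Personal Freemail Issuing CA
---
"""

# Matches " 0 s:/C=..." (subject, with chain depth) and "   i:/C=..." (issuer).
CHAIN_LINE = re.compile(r"^\s*(?:\d+\s+)?([si]):(/.*)$")

def parse_dn(dn):
    """Turn an OpenSSL one-line DN ('/C=ZA/O=.../CN=...') into {type: value}."""
    return dict(p.split("=", 1) for p in dn.strip("/").split("/") if "=" in p)

def parse_chain(output):
    """Collect {'subject': dn, 'issuer': dn} per certificate, leaf first."""
    chain, current = [], None
    for line in output.splitlines():
        m = CHAIN_LINE.match(line)
        if not m:
            continue
        kind, dn = m.group(1), parse_dn(m.group(2))
        if kind == "s":
            current = {"subject": dn}
            chain.append(current)
        elif current is not None:
            current["issuer"] = dn
    return chain

def assess_server_cert(output, hostname):
    """Report the two problems from the thread for the leaf (depth 0) cert."""
    chain = parse_chain(output)
    if not chain:
        return {"error": "no certificate chain found"}
    subject, issuer = chain[0]["subject"], chain[0].get("issuer", {})
    return {
        "self_signed": subject == issuer,
        "issuer_cn": issuer.get("CN"),
        "cn_matches_host": subject.get("CN", "").lower() == hostname.lower(),
        "looks_like_email_cert": "emailAddress" in subject or "GN" in subject,
    }
```

Feed it the full output of `openssl s_client -connect host:port -showcerts`; a `self_signed` result points at the wrong keystore alias, while `looks_like_email_cert` with `cn_matches_host` false points at the wrong kind of certificate.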