[jboss-user] Presenting certificate chain with subsidiary CA certificate
brian.candler at ingg.com
Mon Jan 25 17:19:26 EST 2010
I have a problem getting Jboss to present a chain of certificates to a
The situation is this: the server has a certificate signed by an
intermediate (subsidiary) CA, and the subsidiary CA has a certificate signed
by a root CA.
I have installed all three certificates into the keystore using keytool
(keytool -list shows them):
- the server certificate
- the intermediate certificate
- the root certificate
each with a different alias. However, when an TLS client connects, only the
server certificate is presented to the client. This can be demonstrated
openssl s_client -connect x.x.x.x:443
Since the client has only the root certificate, it cannot verify the server
Now, the server should be presenting the intermediate certificate as well. I
can make this work in Tomcat behind Apache (you can either concatenate
multiple PEM files together, or use the SSLCertificateChainFile directive),
but I can't see what to do with Jboss.
This is Jboss 4.3.2ga, and here's the relevant bit of server.xml:
<!-- Define a SSL HTTP/1.1 Connector on port 443 -->
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" strategy="ms" secure="true"
I'm not actually sure if the SSLCertificateFile/KeyFile/CACertificateFile do
anything, but they're in a configuration I inherited. Certainly the
keystoreFile directive is active, because if I give the wrong keystorePass
then I'm told that the keystore file is not readable.
I also tried putting the certificates into server.truststore, but this
doesn't seem to make a difference.
Any help much appreciated.
More information about the jboss-user