[jboss-user] Presenting certificate chain with subsidiary CA certificate

Brian Candler brian.candler at ingg.com
Mon Jan 25 17:19:26 EST 2010


I have a problem getting Jboss to present a chain of certificates to a
client.

The situation is this: the server has a certificate signed by an
intermediate (subsidiary) CA, and the subsidiary CA has a certificate signed
by a root CA.

I have installed all three certificates into the keystore using keytool
(keytool -list shows them):

  - the server certificate
  - the intermediate certificate
  - the root certificate

each with a different alias. However, when a TLS client connects, only the
server certificate is presented to the client. This can be demonstrated
using

    openssl s_client -connect x.x.x.x:443

Since the client has only the root certificate, it cannot verify the server
certificate.

Now, the server should be presenting the intermediate certificate as well. I
can make this work in Tomcat behind Apache (you can either concatenate
multiple PEM files together, or use the SSLCertificateChainFile directive),
but I can't see what to do with Jboss.

This is Jboss 4.3.2ga, and here's the relevant bit of server.xml:

  <!-- Define a SSL HTTP/1.1 Connector on port 443 -->
  <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" strategy="ms" secure="true"
             SSLEngine="on"
             clientAuth="false" sslProtocol="TLS"
             SSLCertificateFile="${jboss.server.home.dir}/conf/server-cert.pem"
             SSLCertificateKeyFile="${jboss.server.home.dir}/conf/server-key.pem"
             SSLCACertificateFile="${jboss.server.home.dir}/conf/ca-chain.pem"
             keystoreFile="${jboss.server.home.dir}/conf/server.keystore" keystorePass="XXXXXXXX"
             truststoreFile="${jboss.server.home.dir}/conf/server.truststore" truststorePass="YYYYYYYY"
  />

I'm not actually sure if the SSLCertificateFile/KeyFile/CACertificateFile do
anything, but they're in a configuration I inherited. Certainly the
keystoreFile directive is active, because if I give the wrong keystorePass
then I'm told that the keystore file is not readable.

I also tried putting the certificates into server.truststore, but this
doesn't seem to make a difference.

Any help much appreciated.

Thanks,

Brian Candler.
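The following script is an added example and is not part of the original post or of JBoss. It reproduces the symptom described above with a throwaway root -> intermediate -> server chain built by openssl, shows what a client that trusts only the root needs to see, and then packages the key together with the leaf and intermediate into a single PKCS12 entry. The reasoning it assumes: a JSSE connector (the keystoreFile one, which is the connector that complains about a wrong keystorePass) sends the certificate chain attached to the selected key entry; certificates imported under their own aliases are trusted-cert entries and are never sent, and the SSLCertificateFile/SSLCertificateKeyFile/SSLCACertificateFile attributes belong to Tomcat's APR/native connector, so the JSSE connector ignores them. It assumes openssl on the PATH; keytool is used only if a JDK happens to be installed. All subject names, file names and passwords are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a test chain with
# openssl, shows why a leaf-only presentation fails against a root-only client,
# and packages key + leaf + intermediate into ONE PKCS12 entry so a keystore
# built from it carries the chain with the private key. Names/passwords are
# constructed test values.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Issue root, intermediate and server certificates (short lifetimes: test only).
build_test_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root-key.pem -out root.pem \
    -subj "/CN=Example Root CA" -days 2 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout int-key.pem -out int.csr \
    -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
  openssl x509 -req -in int.csr -CA root.pem -CAkey root-key.pem -CAcreateserial \
    -out int.pem -days 2 -extfile int.ext >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -out server.csr \
    -subj "/CN=server.example" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:server.example\n' > server.ext
  openssl x509 -req -in server.csr -CA int.pem -CAkey int-key.pem -CAcreateserial \
    -out server-cert.pem -days 2 -extfile server.ext >/dev/null 2>&1
}

# Mimic the client in the post: it trusts only the root and must build a path
# from whatever the server presented ($1 = PEM file with the presented certs).
# Succeeds only when the presented material includes the intermediate.
client_accepts() {
  openssl verify -CAfile root.pem -untrusted "$1" server-cert.pem 2>/dev/null | grep -q ': OK$'
}

# Number of certificates stored with the key in the PKCS12 (leaf + intermediate = 2).
p12_cert_count() {
  openssl pkcs12 -in server.p12 -nokeys -passin pass:changeit 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

build_test_chain

# Symptom: the server presents only its own certificate.
cp server-cert.pem presented-leaf-only.pem
# What it should present: leaf first, then the intermediate (the root is optional).
cat server-cert.pem int.pem > presented-chain.pem

# A JSSE connector sends the chain attached to the key entry it selects, not the
# other aliases in the keystore, so the intermediate must be stored in the key
# entry itself. -certfile attaches it to the same PKCS12 bag as the key.
openssl pkcs12 -export -inkey server-key.pem -in server-cert.pem -certfile int.pem \
  -name server -out server.p12 -passout pass:changeit

# Optional: if a JDK is present, convert to a JKS keystore and confirm that the
# key entry now reports a chain of length 2 (keytool -list -v shows this).
if command -v keytool >/dev/null 2>&1; then
  if keytool -importkeystore -srckeystore server.p12 -srcstoretype PKCS12 \
       -srcstorepass changeit -destkeystore server.keystore -deststorepass changeit \
       -noprompt >/dev/null 2>&1; then
    keytool -list -v -keystore server.keystore -storepass changeit \
      | grep 'Certificate chain length' || true
  fi
fi

if client_accepts presented-leaf-only.pem; then
  echo "leaf only: accepted"
else
  echo "leaf only: rejected (the symptom from the post)"
fi
if client_accepts presented-chain.pem; then
  echo "leaf + intermediate: accepted"
fi
echo "certificates stored with the key in server.p12: $(p12_cert_count)"
```

The same check against a live server is what the `openssl s_client -connect host:443` call in the post already does: the `Certificate chain` section it prints lists exactly what the connector sent, and a chain of depth 0 containing only the server certificate is the signature of a key entry without its intermediate.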
