[jboss-user] trust chain difficulties

Christoph Lechner cl0092 at l-mx.de
Wed Aug 24 08:43:54 EDT 2011


Dear all,

I'm experiencing difficulties getting JBoss to present the trust chain 
to the client.

The server certificate is signed by an intermediate CA and the 
intermediate CA has a certificate signed by the root CA.
I imported these certificates into the keystore using keytool. A keytool 
-list shows these. However, after reviewing a number of tutorials and 
HOWTOs on the net, it still remains unclear what alias one has to 
specify. The certificate of the website has the alias tomcat that is 
also used in the JBoss configuration.
The tutorials suggest numerous alias -- but not the same as the alias of 
the site cert -- values for the certificates.

When I run openssl against the JBoss installation
openssl s_client -connect www.xyz123abc.com:8443
I get the result:
Certificate chain
 0 s:....

So the certificate chain contains only one certificate, the certificate 
of the site.

Inspecting the keystore again -- this time using keytool -list -v -- 
reveals something strange:

[..]
Alias name: tomcat
Creation date: Jul 1, 2011
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
[..]

Shouldn't the certificate chain length be greater than 1???

So I'm wondering if one has to store the certificates of the trust chain 
under the same alias. And if yes, how can I achieve this?

Thanks in advance
    Christoph
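
The keystore check described in the message above, as an added example that is not part of the original post: it reads `keytool -list -v` text and reports, per alias, whether the entry holds only the leaf certificate. The function names, the sample text and the verdict labels are constructed for illustration, and English keytool output with aliases that contain no spaces is assumed.

```shell
# Constructed sample of `keytool -list -v` output (not from a real keystore).
sample_keytool_output() {
cat <<'EOF'
Alias name: tomcat
Creation date: Jul 1, 2011
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.example.test

Alias name: intermediate
Creation date: Jul 1, 2011
Entry type: trustedCertEntry
Owner: CN=Example Intermediate CA

Alias name: fixed
Creation date: Jul 2, 2011
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=www.example.test
EOF
}

# Reads `keytool -list -v` text on stdin and prints one line per entry:
#   <alias> <entry type> <chain length> <verdict>
# The chain sent in the TLS handshake is the one stored with the
# PrivateKeyEntry; trustedCertEntry aliases are not added to it.
check_chains() {
  awk '
    /^Alias name: / { alias = substr($0, 13); type = ""; next }
    /^Entry type: / { type = substr($0, 13)
                      if (type != "PrivateKeyEntry")
                        print alias, type, "-", "TRUST-ONLY"
                      next }
    /^Certificate chain length: / && type == "PrivateKeyEntry" {
                      n = $NF + 0
                      print alias, type, n, (n > 1 ? "CHAIN-OK" : "LEAF-ONLY") }
  '
}

# Against a real keystore (path is a placeholder):
#   keytool -list -v -keystore /path/to/keystore | check_chains
```

A LEAF-ONLY verdict for the alias the connector uses matches the single `0 s:` line in the `openssl s_client` output.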


