Certificate Authority chain issue
843811Jul 27 2010 — edited Aug 9 2010Hello,
I have a problem with using root and sub Certificates in our PKI environment. Specifically, I have a problem with the way the Java implementation of certificates is working in our environment.
We use Entrust as our external Certificatation Authority. We are a predominantly Microsoft environment and have implemented PKI for user accounts and Smartcard logons across our domain. Our certificates are generated under Entrusts certificatation authority and we have added their DCOMROOTCA and DCOMSUBCA (Root and Subordinate) certificates to our trusted root certification Authorities store for all MS clients. Entrust have recently reissued their DCOMROOTCA and DCOMSUBCA certificates and we have included those new certificates in our trusted root certification Authorities store. The old Entrust certificates are still valid and dont expire for another 2 years. Our PKI environment and authentication continues to work as normal in an MS environment.
In a Windows environment which is using Microsofts implementation of certificates, a smart card which was issued under Entrusts old root certificate will successfully authenticate with a certificate issued under Entrustss new root certificate.
I am having a problem with VMWare View. VMWare View is a Web interface broker server which uses Javas implementation of certificate security, ie uses keytool.exe and cacerts as its trusted certificate store. I have secured the web interface with a certificate issued under Entrusts new root certificate. I am trying to authenticate with a smart card which has been issued with a certificate under Entrusts old root certificate. This has not been successful. I have imported the old DCOMROOT and DCOMSUB certificates and the new DCOMROOT and DCOMSUB certificates into the cacerts file. The client (a Wyse Terminal) also has the old and new DCOMROOT and DCOMSUB certificates in its trusted store. When I attempt to logon I get the following event in the logs on the Web interface broker server:
16:54:18,789 DEBUG <pool-1-thread-17> PooledProcessor SSL handshake exception from /10.42.2.138:2867, error was: sun.security.validator.ValidatorException: Certificate signature validation failed
If I reissue the Smartcard with a new certificate which has been generated under Entrust's new root and sub certificates I am able to successfully authenticate.
The conclusion I can draw from this is that Java certification (at least in the way I have set it up) breaks if a new issuing certificate is being used to generate a certificate to secure the Web interface and an old issuing certificate is being used on a smart card / client.
Does this sound correct? Is this a known issue or have I not imported or setup up the certificate chains correctly?
Any advice would be most welcome.
Many thanks,
Ben