Skip to Main Content

Java Security

Announcement

For appeals, questions and feedback about Oracle Forums, please email oracle-forums-moderators_us@oracle.com. Technical questions should be asked in the appropriate category. Thank you!

How do I require JSSE server tto send the complete certificate chain?

843811Apr 11 2010 — edited Apr 11 2010
Environment:
RHEL5, Tomcat6.0.14, JRE1.6

I have a SSL protected server implemented on Tomcat 6.0.14. I have installed
CA-provided certificate chain on the server ("myhost") as follows:
Certificate1: of myhost issued by intermediate CA "CA1"
installed in keystore of the SSLConnector

Certificate2: of intermediate CA "CA1" issued by root CA Entrust Inc.
installed into ${java.home}/lib/security/cacerts

When a browser initiates an SSL connection, Tomcat responds with the
certificate of "myhost" alone

(subject: "myhost", issuer: "L1C")

and not that of the intermediate CA
(subject: "L1C", issuer: "Entrust Inc.")

This causes the browser to reject the certificate of the host as
being untrusted. I have attached the handshake trace of the server below.
The same result is seen when I initiate SSL connection from openssl client
(openssl s_client connect myhost:443 -showcerts).

Question:
What should I do to require the (Tomcat) server to send the entire certificate
chain to the client during handshake?

Alternatives I have tried:
a) I have installed the certificates of both "myhost" and that of "L1C" in the keystore
(this makes little sense to me to include the CA certificate in the server's keystore -
but I am desparate).

Result: This did not work either. Server (Tomcat) continues to issue the leaf certificate alone to
client.

b) I installed the server's certificate and the CA certificate in the truststore (this again made little
sense to me, since truststore is supposed to contain the collection of certificates trusted by this
host and by that token, its own certificate does not belong in the truststore).

Result: Again, this did not work.


At this point, I am out of ideas. I would sincerely appreciate any pointers on how to install
a full cert chain on a JSSE-based server and how to "force" the server (Tomcat/JSSE) to
dispatch the entire cert chain to the SSL initiator.

Please help!

Kobe

Handshake Trace:
//.. on server
//... beginning of SSL handshake
http-8443-1, READ: SSL v2, contentType = Handshake, translated length = 81
*** ClientHello, TLSv1
//...
%% Created: [Session-1, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA]
*** ServerHello, TLSv1
RandomCookie: //...
Cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
//...
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=myhost.xxx.com, OU=IT, O=XXX Inc., L=San Diego, ST=California, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

Key: Sun RSA public key, 2048 bits
modulus: //...
public exponent: 65537
Validity: [From: Fri Apr 09 12:04:57 EDT 2010,
To: Wed Apr 09 12:34:54 EDT 2014]
Issuer: CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US
SerialNumber: [ (...)]

Certificate Extensions: 8
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 49 2F 16 9E 4D 13 C6 8B 04 CB B9 E4 03 65 78 6E I/..M........exn
0010: DB 13 61 05 ..a.
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 1E F1 AB 89 06 F8 49 0F 01 33 77 EE 14 7A EE 19 ......I..3w..z..
0010: 7C 93 28 4D ..(M
]

]

[3]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.entrust.net/level1c.crl]
]]

[4]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [1.2.840.113533.7.75.2]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1A 68 74 74 70 3A 2F 2F 77 77 77 2E 65 6E 74 ..http://www.ent
0010: 72 75 73 74 2E 6E 65 74 2F 72 70 61 rust.net/rpa

]] ]
]

[5]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
]

[6]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]

[7]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]

[8]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[accessMethod: 1.3.6.1.5.5.7.48.1
accessLocation: URIName: http://ocsp.entrust.net]
]

]
Algorithm: [SHA1withRSA]
Signature:
0000: 53 31 B8 5F 39 25 71 50 08 06 B1 2F 20 71 87 71 S1._9%qP.../ q.q
0010: 25 F6 93 0C 27 F1 FB 10 36 B4 87 E9 05 68 BB 0C %...'...6....h..
0020: C7 EE 8F 07 C2 AD 39 58 DD 50 7A C3 CD D6 C7 08 ......9X.Pz.....
0030: 11 09 2E 52 53 D9 C7 47 8B D8 2B 35 67 D5 8E 24 ...RS..G..+5g..$
0040: 46 F5 93 18 C1 2E F3 17 A9 42 31 68 53 14 FC EB F........B1hS...
0050: FF 64 9D 21 FD 32 54 01 64 A9 9E 6D 04 E9 87 40 .d.!.2T.d..m...@
0060: E0 92 ED 01 08 24 4F F6 C1 58 26 DF 29 9B 0B 79 .....$O..X&.)..y
0070: D2 BC 83 4E F8 82 E3 2A FF 1A DB A5 E9 31 BF E9 ...N...*.....1..
0080: C8 FD B0 DC DA 34 95 FE D3 74 0C AD 3C E9 82 77 .....4...t..<..w
0090: F5 D2 94 9A D3 50 A9 86 FB 17 F2 9B 2D 84 9B F0 .....P......-...
00A0: B6 1A 95 A0 6B 58 E2 71 85 E2 B6 B4 0A B9 58 7C ....kX.q......X.
00B0: A7 0F AF B1 BD 93 D0 27 7D 68 14 5F 79 54 A6 33 .......'.h._yT.3
00C0: 7F 3D BF BE A7 00 3B 1D AA C8 D2 81 45 15 66 1B .=....;.....E.f.
00D0: CF 9A 25 6B 81 79 6B 4C A8 09 E5 E2 2A 68 2E 4B ..%k.ykL....*h.K
00E0: FA 1E 91 40 C7 5F 54 19 37 97 2A E9 A6 93 B2 7B ...@._T.7.*.....
00F0: 8E 1E 09 D6 C9 13 96 F8 59 88 E7 64 E5 FC 1B 10 ........Y..d....

]
Comments
Locked Post
New comments cannot be posted to this locked post.
Post Details
Locked on May 9 2010
Added on Apr 11 2010
3 comments
279 views