see section 3.7 of servlet 2.6
"If there is an SSL certificate associated with the request, it must be exposed by the
servlet container to the servlet programmer as an array of objects of type
java.security.cert.X509Certificate and accessible via a ServletRequest
attribute of javax.servlet.request.X509Certificate.
The order of this array is defined as being in ascending order of trust. The first
certificate in the chain is the one set by the client, the next is the one used to
authenticate the first, and so on."
Ron
[Message sent by forum member 'monzillo' (monzillo)]
http://forums.java.net/jive/thread.jspa?messageID=301388