users@glassfish.java.net

Re: Glassfish not sending Intermediate CA Certificates

From: <glassfish_at_javadesktop.org>
Date: Sun, 15 Feb 2009 17:25:36 PST

Hi javidelgadillo,

I ran into the same problem and I believe I have found a solution (it works for me). The answer is to not only import your server cert to the keystore, but also the intermediate CA cert. I don't mean adding it as a separate entry, but rather adding the intermediate CA cert as a second cert in the cert chain associated with your private key entry.

Here's how I did it:

1) Concatenate your server cert and the intermediate CA cert (must be X.509 ASCII format):
# cat certs/DigiCertCA.crt certs/star_engsoc_org.crt > certs/DigiCertCA+star_engsoc_org.crt

2) Import them both, overwriting the previous cert associated with your private key:
# keytool -keystore keystore.jks -storepass changeit -importcert -alias https -file certs/DigiCertCA+star_engsoc_org.crt -noprompt
Certificate reply was installed in keystore

(Note that "https" is the alias for my private key entry; yours may be named something different.)

3) Verify that the cert chain length is now 2:
# keytool -keystore keystore.jks -storepass changeit -list -v
[...]
Alias name: https
Creation date: Feb 15, 2009
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
[...]
Certificate[2]:
[...]

keystore.jks then contains 1 entry, which consists of 1 key pair and 2 certs. I did not need to modify cacerts.jks in any way, and it's probably best to leave it alone since changes to that file also affect a slew of unrelated things like client cert validation.

For more information: http://i-cat.blogspot.com/2009/02/glassfish-and-intermediate-ssl.html

Let me know if this solved your problem.
[Message sent by forum member 'eigma' (eigma)]

http://forums.java.net/jive/thread.jspa?messageID=332001
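A programmatic version of the step-3 check, added here as an example (it is not part of eigma's post or of GlassFish): it loads the keystore, confirms the alias is a PrivateKeyEntry whose chain has at least two certificates, and checks that each certificate is actually issued and signed by the next one in the chain, so a missing or wrong intermediate is caught before deployment. The keystore path, password and alias default to the values used in the post.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

// Added example (not from the original post): verifies that a JKS private-key
// entry carries a complete chain, i.e. the intermediate CA was imported into
// the same entry as described in the thread, and that every link is signed by
// the next certificate. Path, password and alias are the post's values.
public class ChainCheck {

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "keystore.jks";
        String alias = args.length > 1 ? args[1] : "https";
        char[] pass = "changeit".toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }

        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException(alias + " is not a PrivateKeyEntry");
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        System.out.println("Certificate chain length: " + chain.length);

        // Length 1 is the misconfiguration from the thread: only the leaf is
        // stored, so the server has nothing but the leaf to send to clients.
        if (chain.length < 2) {
            throw new IllegalStateException("no intermediate CA in chain for alias " + alias);
        }
        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = (X509Certificate) chain[i];
            c.checkValidity(); // throws if expired or not yet valid
            System.out.println("Certificate[" + (i + 1) + "]: " + c.getSubjectX500Principal());
            if (i + 1 < chain.length) {
                X509Certificate issuer = (X509Certificate) chain[i + 1];
                if (!c.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
                    throw new IllegalStateException("chain break after Certificate[" + (i + 1) + "]");
                }
                c.verify(issuer.getPublicKey()); // throws if the signature does not match
            }
        }
        System.out.println("chain is well-formed; intermediate CA present");
    }
}
```

Run it against the keystore before restarting GlassFish; an exception on the length or the issuer/subject comparison means the concatenation or import in steps 1 and 2 did not take effect.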