2

When I create an SSLServerSocket in Java 7 the server correctly uses my server certificate and key. The certificate was issued by a sub-ca of a ca. Therefore the complete chain from the root cert to the server cert has four certificates. The complete chain is present in the keystore/truststore.

However when a client connects the server always sends only the server certificate itself. This also applies to Java based web servers like Jetty.

Because most clients have only the root ca certificate installed and not the two sub-ca certificates this is a big problem.

How can I force Java to send the full certificate chain in the SSL/TLS handshake?

Improve this question
6
  • Have you configured this entry in your keystore with the entire chain itself (as described in this question)?
    – Bruno
    Commented Oct 8, 2012 at 8:48
  • The complete chain is present in the keystore - I updated that detail in my question.
    – Robert
    Commented Oct 8, 2012 at 9:08
  • Just to clarify, I don't just mean having the full chain in the keystore, I mean having the full keychain in the right entry in the keystore (the one that also has the private key).
    – Bruno
    Commented Oct 8, 2012 at 9:12
  • Sorry but I don't understand you question. What do you mean with "keychain"? There is only one key needed - the one for the ssl certificate.
    – Robert
    Commented Oct 8, 2012 at 9:25
  • Sorry, typo, I just meant "chain". You need the full chain imported in the same entry in the keystore, having the certificates that form the chain in different entries isn't enough. (Have you followed the procedure described here?)
    – Bruno
    Commented Oct 8, 2012 at 9:26

1 Answer 1

Reset to default
5

A key entry in a keystore isn't just for a single certificate, but for a certificate chain (see KeyStore.setKeyEntry, which takes a Certificate[] chain parameter).

If you want a specific chain to be used, it needs to be set up as a chain in the entry where you have the certificate and its private key. Whether the intermediate certificates are also in the same keystore, in different entries doesn't really matter.

This is a very similar problem to getting a client to send the full client-certificate chain. The same keystore configuration steps should also work from a server point of view, as described in this question.

Improve this answer
0

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Not the answer you're looking for? Browse other questions tagged or ask your own question.