Re: JDBC SSL with postgresql - Mailing list pgsql-jdbc

From: Craig Ringer
Subject: Re: JDBC SSL with postgresql
Msg-id: 4C074292.8010208@postnewspapers.com.au
In response to: Re: JDBC SSL with postgresql (Jeffrey Baker <jwbaker@gmail.com>)
List: pgsql-jdbc
On 3/06/2010 11:06 AM, Jeffrey Baker wrote:

> Thanks for the info.
>
> I have complete control of both ends, and both the server and client
> are signed by my self-signed root cert.  I think perhaps the problem
> here is that I'm trying to tackle the entire Java SSL infrastructure
> in one go; I knew nothing about it this morning.  I read somewhere
> that the keystore has to include both the client cert and the root
> cert that signed it.  Is that not true?

No, it's not strictly true, but it's a good idea. However, "include" is
pretty broad.

When you get a reply from your certificate authority containing the
signed certificate, it should include the full certificate chain in that
reply. If it doesn't, you should append the CA cert and any other
intermediate certs to the reply before importing it with keytool.

So, when you use keytool to list your keystore, you should only see one
entry (alias). The certificate part of that entry should preferably
include the full certificate chain up to the CA certificate, though.

Your truststore should contain only trustedCertificate aliases for the
CA certs you trust to identify peers.

>  I've tried it both ways:
> added root cert, then added client cert (this is the way it's
> documented in the keytool manual page, the way I interpret it), and
> only adding the client cert to the keystore.  It doesn't seem to work
> either way.

Concatenate all certs in the chain into one file, and import that.

--
Craig Ringer
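As an added illustration (not code from this thread or from the pgjdbc project), the following hypothetical pre-flight checker enforces the layout Craig describes before the stores are handed to the JDBC driver via javax.net.ssl.keyStore / javax.net.ssl.trustStore: the keystore holds exactly one entry, that entry is a private key whose certificate part carries the whole chain rather than just the leaf, the truststore holds only trusted certificate entries, and the client chain actually validates against the CA certs in the truststore. File paths and passwords are placeholders taken from the command line; the class name and method names are assumptions.

```java
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Hypothetical pre-flight check (not part of pgjdbc) of a client keystore and a
 * truststore before pointing javax.net.ssl.keyStore / javax.net.ssl.trustStore at them.
 */
public class KeystoreCheck {

    static KeyStore load(String path, char[] password) throws Exception {
        // Let the JDK pick the default type (JKS or PKCS12); both load the same way.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Returns findings; an empty list means the stores are laid out as described. */
    static List<String> check(KeyStore keystore, KeyStore truststore) throws Exception {
        List<String> findings = new ArrayList<>();

        // 1. Keystore: exactly one alias, and it must be a private key entry.
        List<String> aliases = Collections.list(keystore.aliases());
        if (aliases.size() != 1) {
            findings.add("keystore has " + aliases.size() + " entries, expected exactly one: " + aliases);
        }
        String keyAlias = null;
        for (String alias : aliases) {
            if (keystore.isKeyEntry(alias)) {
                keyAlias = alias;
            } else {
                findings.add("'" + alias + "' is a certificate-only entry; CA certs belong in the truststore");
            }
        }
        if (keyAlias == null) {
            findings.add("keystore has no private key entry");
            return findings;
        }

        // 2. The key entry's certificate part should carry the full chain, not just the leaf.
        Certificate[] chain = keystore.getCertificateChain(keyAlias);
        if (chain == null || chain.length < 2) {
            findings.add("'" + keyAlias + "' holds only the leaf certificate; reimport the concatenated chain");
        }

        // 3. Truststore: trusted-certificate entries only, no private keys.
        for (String alias : Collections.list(truststore.aliases())) {
            if (!truststore.isCertificateEntry(alias)) {
                findings.add("truststore entry '" + alias + "' is not a trusted certificate entry");
            }
        }

        // 4. The client chain must validate against the CA certs in the truststore.
        List<Certificate> path = new ArrayList<>();
        if (chain != null) {
            for (Certificate c : chain) {
                X509Certificate x = (X509Certificate) c;
                // The PKIX validator expects the path to stop below the trust anchor,
                // so a self-signed root is left out here; it comes from the truststore.
                if (!x.getSubjectX500Principal().equals(x.getIssuerX500Principal())) {
                    path.add(x);
                }
            }
        }
        if (path.isEmpty()) {
            findings.add("no non-self-signed certificate in the chain; nothing to validate");
            return findings;
        }
        try {
            PKIXParameters params = new PKIXParameters(truststore); // anchors = trusted entries
            params.setRevocationEnabled(false);                     // no CRL/OCSP for a private CA
            CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
            CertPathValidator.getInstance("PKIX").validate(certPath, params);
        } catch (GeneralSecurityException e) {
            findings.add("client chain does not validate against the truststore: " + e.getMessage());
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Usage: KeystoreCheck <keystore> <keystorePassword> <truststore> <truststorePassword>
        KeyStore ks = load(args[0], args[1].toCharArray());
        KeyStore ts = load(args[2], args[3].toCharArray());
        List<String> findings = check(ks, ts);
        if (findings.isEmpty()) {
            System.out.println("keystore and truststore look consistent");
            return;
        }
        findings.forEach(f -> System.out.println("PROBLEM: " + f));
        System.exit(1);
    }
}
```

Running it against the two files before setting the javax.net.ssl system properties turns the usual opaque handshake failure into a specific message about which of the four conditions is not met.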
