tomcat-users mailing list archives

From "Bill Barker" <>
Subject Re: Can APR use verisign certs ?
Date Wed, 10 Jan 2007 09:29:49 GMT
Since I can't get the cert tree, I'm guessing the same problem:  Only this 
time with the JDK's stored certs.  Configuring the <Connector ... /> to 
force sending the good intermediate cert should solve all of the problems.

In all the gory details, it seems that at the moment the app in question is 
only sending its own cert back to the browser (instead of the entire 
chain).  However all browsers recognize Verisign's cert as a signer, so they 
don't care.  Older browsers (or JDKs :) will have the expired copy of VS's 
intermediate cert, and so can't validate the cert chain anymore, and so will 
give an error (those of us using Apache Httpd have had this problem for 
a while now :).  The solution is to force TC to send the newer intermediate 
cert back with the handshake, so the browser/JDK only has to find the root 
VS cert.

"Caldarale, Charles R" <> wrote in message
> From: news [] On Behalf Of Bill Barker
> Subject: Re: Can APR use verisign certs ?
> Now, with IE 7 (I was using 6 before), the page comes up fine.

What happens if you click on the JBoss Web Console link (bottom left)?
When I try it with IE7 (and IE6, for that matter), I get a Java message
box stating "The web site's certificate cannot be verified."  Clicking
the More Information link shows "The certificate was issued by a source
that is not trusted."  Clicking on No prevents the applet that normally
runs in the left pane from being downloaded.  (This is with both JDK
1.6.0-b105 and 1.5.0_10-b03, by the way.)

I think there are multiple certificate verification mechanisms at play
here, which may be contributing to the confusion.  Windows/IE has one,
Firefox appears to have its own, and Java yet another.  It seems that
only the Windows/IE mechanism recognizes the
certificate as being issued by a known, trusted provider.  I don't know
enough about what actually gets checked to try to figure out why the
alphatheory certificate issuer isn't known to Firefox or Java.

 - Chuck


To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:
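
The chain problem described in the reply above can be reproduced offline. This is an added example, not code from the thread or from Tomcat: it assumes the openssl command-line tool is on the PATH, and the three-tier PKI, file names and host name are constructed for the demonstration.

```shell
# Constructed demo PKI (root -> intermediate -> leaf); every name is made up.
set -eu
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = constructed
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# csr NAME CN: write NAME.key and NAME.csr
csr() {
  openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$d/$1.key" -out "$d/$1.csr" -subj "/CN=$2" 2>/dev/null
}
# sign NAME ISSUER [x509 options]: issue NAME.pem from NAME.csr
sign() {
  n=$1; i=$2; shift 2
  openssl x509 -req -in "$d/$n.csr" -CA "$d/$i.pem" -CAkey "$d/$i.key" \
    -CAcreateserial -days 2 -out "$d/$n.pem" "$@" 2>/dev/null
}
# client_accepts LEAF [CHAIN_CERT...]: a client that trusts only the root is
# handed LEAF plus whatever extra certs the server sent in the handshake.
client_accepts() {
  leaf=$1; shift
  if [ $# -eq 0 ]; then
    openssl verify -CAfile "$d/root.pem" "$leaf" >/dev/null 2>&1
  else
    cat "$@" > "$d/sent.pem"
    openssl verify -CAfile "$d/root.pem" -untrusted "$d/sent.pem" "$leaf" >/dev/null 2>&1
  fi
}

openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
  -keyout "$d/root.key" -out "$d/root.pem" -subj "/CN=Constructed Root" 2>/dev/null
csr inter "Constructed Intermediate"
sign inter root -extfile "$d/ca.cnf" -extensions v3_ca
csr leaf "www.example.test"
sign leaf inter

# Server sends only its own cert: the client cannot build a path to the root.
client_accepts "$d/leaf.pem" && echo "leaf only: ok" || echo "leaf only: rejected"
# Server sends leaf + intermediate: the client needs nothing but the root.
client_accepts "$d/leaf.pem" "$d/inter.pem" && echo "full chain: ok" || echo "full chain: rejected"
```

Against a live host, `openssl s_client -connect host:443 -showcerts` lists the certificates the server actually sends in the handshake.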
