Since I can't get the cert tree, I'm guessing the same problem: only this
time with the JDK's stored certs. Configuring the <Connector ... /> to
force sending the good intermediate cert should solve all of the problems.

In all the gory details, it seems that at the moment the app in question is
only sending its own cert back to the browser (instead of the entire
chain). However, all browsers recognize Verisign's cert as a signer, so they
don't care. Older browsers (or JDKs :) will have the expired copy of VS's
intermediate cert, and so can't validate the cert chain anymore, and so will
give an error (those of us using Apache Httpd have had this problem for
a while now :). The solution is to force TC to send the newer intermediate
cert back with the handshake, so the browser/JDK only has to find the root
VS cert.
"Caldarale, Charles R" <Chuck.Caldarale@unisys.com> wrote in message
news:AEF3D568DD1D9E428048C592AA1645970551A77E@USRV-EXCH4.na.uis.unisys.com...
> From: news [mailto:news@sea.gmane.org] On Behalf Of Bill Barker
> Subject: Re: Can APR use verisign certs ?
>
> Now, with IE 7 (I was using 6 before), the page comes up fine.
What happens if you click on the JBoss Web Console link (bottom left)?
When I try it with IE7 (and IE6, for that matter), I get a Java message
box stating "The web site's certificate cannot be verified." Clicking
the More Information link shows "The certificate was issued by a source
that is not trusted." Clicking on No prevents the applet that normally
runs in the left pane from being downloaded. (This is with both JDK
1.6.0-b105 and 1.5.0_10-b03, by the way.)
I think there are multiple certificate verification mechanisms at play
here, which may be contributing to the confusion. Windows/IE has one,
Firefox appears to have its own, and Java yet another. It seems that
only the Windows/IE mechanism recognizes the dpt.alphatheory.com
certificate as being issued by a known, trusted provider. I don't know
enough about what actually gets checked to try to figure out why the
alphatheory certificate issuer isn't known to Firefox or Java.
- Chuck
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
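
The connector change suggested in the reply above, as an added example that is not part of the original thread: an APR `<Connector>` for Tomcat's server.xml that sends the intermediate certificate in the handshake together with the server certificate. The port and all file paths are assumptions; the chain file holds the current intermediate certificate obtained from the CA, in PEM format.

```xml
<!-- Added example, not from the thread. Port and paths are hypothetical. -->

<!-- Before: only the server certificate is configured, so only the leaf is
     sent. A client holding an expired copy of the intermediate in its own
     store cannot build a path to the root and reports the certificate as
     untrusted, while clients with a current copy validate it fine. -->
<!--
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           SSLCertificateFile="conf/ssl/server.crt"
           SSLCertificateKeyFile="conf/ssl/server.key" />
-->

<!-- After: SSLCertificateChainFile points at the current intermediate
     certificate(s), PEM encoded and concatenated. Tomcat then sends
     leaf + intermediate, and the client only needs the root in its
     trust store. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           SSLCertificateFile="conf/ssl/server.crt"
           SSLCertificateKeyFile="conf/ssl/server.key"
           SSLCertificateChainFile="conf/ssl/intermediate.crt" />

<!-- Check after restart (host and port are placeholders):
       openssl s_client -connect HOST:8443 -showcerts
     The "Certificate chain" section should list the server certificate
     at position 0 and the intermediate at position 1. A single entry
     means the chain file is not being sent. -->
```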