I have a test scenario where a root certificate authority called Root signs a certificate signing request made by an intermediate certificate authority called Intermediate, which in turn signs a certificate signing request made by a subject called Subject.
I use Tomcat as my web server and I have configured it to use the Subject key store (which contains the Root certificate, the Intermediate certificate, the Subject certificate chain and the Subject private key), and I start it to listen on ports 80 (HTTP) and 443 (HTTPS).
I install the Root certificate (as a trusted certificate) in Firefox, I hit my domain and this is what I get:
subject.usip.me uses an invalid security certificate.
The certificate is not trusted because no issuer chain was provided.
(Error code: sec_error_unknown_issuer)
Obviously Firefox could not verify the chain of trust, or something similar. Now, before I go into details about my configuration and the steps that I took: I have updated my Tomcat configuration so that it uses the Intermediate key store instead of the Subject key store (the Intermediate key store contains the Root certificate, the Intermediate certificate chain and the Intermediate private key). With this configuration everything works fine.
I use the following tools:
I generate the key stores in question with the following script, pasted over here (it is quite lengthy). Anyone with the Java keytool can run it (it will probably not be a very fast operation because of the 4096-bit RSA key size).
After the script runs I can confirm that my Subject key store contains the complete chain of trust (as I see it):
c:\>keytool -list -keystore c:\subject.jks -storepass changeit -rfc
It prints out the following (again quite lengthy) output, which is pasted over here. It looks OK to me (at least after hours of struggling I cannot seem to see anything wrong with it).
I set up Tomcat (following this how-to) via its server.xml like this (I changed nothing apart from this single tag, which is commented out by default).
(After I start Tomcat and connect to it, whether it is using the Subject or the Intermediate key store, no errors are logged.)
While searching for solutions I found that I can verify my server with openssl. As a novice user of the tool I ran the following command against my domain (using Cygwin):
$ openssl s_client -connect subject.usip.me:443 -CAfile /cygdrive/c/root.pem -showcerts &> /cygdrive/c/openssl.log
Yet again I have pasted the lengthy output over here.
It says
Verify return code: 24 (invalid CA certificate)
which is odd, as it refers (as I see it) to the Root certificate. Now, as I mentioned, when I reconfigured Tomcat to use the Intermediate key store earlier I also ran this same command, and then it checked out with
Verify return code: 0 (ok)
So I guess the Root certificate is OK.
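As an added diagnostic (example code, not from the original post), the Python below parses the "Certificate chain" summary and the "Verify return code" line that openssl s_client prints, and reports whether each certificate the server sends is issued by the next one and whether the chain ends at the trusted Root. The two transcripts are constructed samples, not the pasted logs, and "/CN=Root" stands in for the Root CA's real distinguished name.

```python
import re
# Constructed `openssl s_client -showcerts` transcripts (not the poster's logs); PEM blocks omitted.
FULL_CHAIN = """\
Certificate chain
 0 s:/CN=subject.usip.me
   i:/CN=Intermediate
 1 s:/CN=Intermediate
   i:/CN=Root
---
    Verify return code: 0 (ok)
"""
LEAF_ONLY = """\
Certificate chain
 0 s:/CN=subject.usip.me
   i:/CN=Intermediate
---
    Verify return code: 21 (unable to verify the first certificate)
"""
CHAIN_SUBJECT = re.compile(r"^\s*\d+ s:(.+)$")   # " 0 s:/CN=..." lines
CHAIN_ISSUER = re.compile(r"^\s*i:(.+)$")        # "   i:/CN=..." lines
VERIFY_CODE = re.compile(r"Verify return code: (\d+) \((.+)\)")

def parse_chain(output):
    """Return (subject, issuer) pairs in the order the server presented them."""
    chain, subject = [], None
    for line in output.splitlines():
        if m := CHAIN_SUBJECT.match(line):
            subject = m.group(1).strip()
        elif (m := CHAIN_ISSUER.match(line)) and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def verify_code(output):
    """Return (code, text) from the 'Verify return code' line, or None."""
    m = VERIFY_CODE.search(output)
    return (int(m.group(1)), m.group(2)) if m else None

def chain_problems(output, trusted_root):
    """Explain why the served chain does not reach the trusted root DN (empty list = OK)."""
    chain = parse_chain(output)
    if not chain:
        return ["server sent no certificates"]
    # Each certificate's issuer must be the subject of the next certificate sent.
    problems = [f"{s} is issued by {i}, but the next certificate sent is {n}"
                for (s, i), (n, _) in zip(chain, chain[1:]) if i != n]
    if chain[-1][1] != trusted_root:
        problems.append(f"chain ends at {chain[-1][0]} issued by {chain[-1][1]}, "
                        f"which is not the trusted root {trusted_root}")
    return problems
```

Run it against a saved s_client log (such as the openssl.log above) by reading the file and passing its text to chain_problems with the Root CA's subject DN.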
The domain and sub-domain names I have mentioned throughout the post and pastes are free domains registered at http://freedns.afraid.org/ and each of them points to my current address (I thought I would mention it in case it matters).
Any idea what I am doing wrong?