SSL - certs related question
Hi Friends,
I have an SSL-certs question; hope someone helps, because I am relatively new to this. I have an app that allows users to connect through 2 different ports (say A and B).
I have different keystores for both of them that contain the SSL-cert, CA-cert and Root-cert. But when I try to connect to port A, I am presented only with the CA-cert and Root-cert and no SSL-cert, while the port B connection provides all three.
Now, can someone please provide any clues as to which file in Tomcat I should look at that would help me find out why port A is not providing the SSL-cert.
Please help
[608 byte] By [java80a] at [2007-10-2 23:04:34]

No, that's not the problem. What I see is a somewhat different problem.
See, in the keystore that port A is using, it has 3 things as I mentioned:
ROOT cert + its Private key
CA cert + its Private key
SSL cert + its Private key
The keystore that port B has contains:
ROOT cert
CA cert
SSL cert + its Private key
So, when I make the first one equivalent to the second, i.e. by using the ROOT and CA certs only without their private keys, everything works fine. So, my question is: if you have 3 keys, does JSSE complain?
Any clues, anybody...
Thanks
Dunno, but you should certainly not have other people's private keys in your keystore; otherwise you are able to impersonate them. Are you sure that's what you really have? You must be running your own CA for that. In any case you have your answer.
ejpa at 2007-7-14 6:18:36 >

Well, I don't know the answer to your question, but as there is no need to have the root-chain private keys in there, and as it is a potential security problem, and as the code works better without them than with them, I would just take them out, i.e. use version B of your keystore.
The presence of, e.g., ROOT's private key may cause your client to send the ROOT cert as its identity instead of its own cert, which would be a security breach. Best to disambiguate this by only having the one private key intended for use.
ejpa at 2007-7-14 6:18:36 >
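A way to check the point made above before touching the Tomcat configuration, as an added example that is not code from the thread or from Tomcat/JSSE: the program below loads a keystore, lists every alias with its entry type, warns when more than one PrivateKeyEntry is present or when a private key sits next to a CA certificate (a ROOT or CA key), and then asks the SunX509 key manager, the same one JSSE uses, which alias it would present as the server's and the client's identity. The keystore path, store password and store type are command-line arguments; it assumes (not stated in the thread) that the key entries use the same password as the store, which is what KeyManagerFactory.init requires.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

/**
 * Audits a JKS or PKCS12 keystore: lists every entry, counts the
 * PrivateKeyEntry aliases, flags private keys stored with CA certificates,
 * and reports which alias the SunX509 key manager would pick as the identity.
 *
 * Usage: java KeystoreAudit <keystore-file> <store-password> [JKS|PKCS12]
 *
 * Assumption (not from the thread): key entries share the store password,
 * as KeyManagerFactory.init(ks, password) requires.
 */
public class KeystoreAudit {

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: KeystoreAudit <keystore> <store-password> [type]");
            System.exit(2);
        }
        char[] password = args[1].toCharArray();
        String type = args.length > 2 ? args[2] : KeyStore.getDefaultType();

        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }

        List<String> keyAliases = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            boolean hasKey = ks.isKeyEntry(alias);
            Certificate c = ks.getCertificate(alias); // leaf of the chain for key entries
            X509Certificate cert = c instanceof X509Certificate ? (X509Certificate) c : null;
            System.out.printf("%-16s %-16s %s%n", alias,
                    hasKey ? "PrivateKeyEntry" : "trustedCertEntry",
                    cert == null ? "(no X.509 certificate)" : cert.getSubjectX500Principal().getName());
            if (!hasKey) continue;
            keyAliases.add(alias);
            // basicConstraints >= 0 means the certificate is a CA certificate, so the
            // private key stored beside it is a ROOT/CA key, not a server key.
            if (cert != null && cert.getBasicConstraints() >= 0) {
                System.out.println("  WARNING: private key stored for a CA certificate: " + alias);
            }
        }
        if (keyAliases.size() != 1) {
            System.out.println("WARNING: " + keyAliases.size()
                    + " private-key entries; a server keystore should hold exactly one.");
        }

        // Let the SunX509 key manager choose, with no issuer or socket hints, so we
        // see its default pick rather than reasoning about alias order by hand.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, password);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (!(km instanceof X509KeyManager)) continue;
            X509KeyManager xkm = (X509KeyManager) km;
            report(xkm, "server", xkm.chooseServerAlias("RSA", null, null));
            report(xkm, "client", xkm.chooseClientAlias(new String[] {"RSA"}, null, null));
        }
    }

    /** Prints the alias the key manager chose for a role and the chain it would send. */
    private static void report(X509KeyManager xkm, String role, String alias) {
        if (alias == null) {
            System.out.println(role + ": no usable RSA private-key entry");
            return;
        }
        X509Certificate[] chain = xkm.getCertificateChain(alias);
        System.out.println(role + " identity alias: " + alias + " (chain length " + chain.length + ")");
        for (X509Certificate cert : chain) {
            System.out.println("  " + cert.getSubjectX500Principal().getName());
        }
    }
}
```

Run it against both keystores from the thread: for the port A store it should list three PrivateKeyEntry aliases and warn on the ROOT and CA ones, and the "server identity alias" line shows which of them JSSE would actually send; for the port B store there is exactly one key entry and the chosen alias is the SSL cert. The key manager does not complain about extra private keys, it just picks one, which is why the symptom looks like a missing certificate rather than an error.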
