
I'm running a Java servlet application with Jetty. Now I wanted to make it more user friendly and require a certificate. After importing it (see above), the browser (FF) still complains about an insecure self-signed certificate.

Should this work right now, or is there something more to do? Thank you.

$ keytool -list -keystore key.ks -v
Enter keystore password:  **************

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: mydomain
Creation date: Aug 16, 2009
Entry type: keyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=mydomain.com, OU=Domain Validated, OU=Thawte SSL123 certificate, OU=Go to https://www.thawte.com/repository/index.html, O=mydomain.com
Issuer: EMAILADDRESS=server-certs@thawte.com, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
Serial number: 96a433bf5512025b067f68b95427588
Valid from: Wed Aug 12 02:00:00 CEST 2009 until: Fri Aug 13 01:59:59 CEST 2010
Certificate fingerprints:
         MD5:  24:43:CD:2D:38:1C:BF:17:97:8E:01:86:D8:74:C6:E7
         SHA1: AA:54:C0:72:36:2E:AA:03:E7:E4:1F:F8:A0:DA:60:29:EE:FC:E0:2E
Certificate[2]:
Owner: EMAILADDRESS=server-certs@thawte.com, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
Issuer: EMAILADDRESS=server-certs@thawte.com, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
Serial number: 1
Valid from: Thu Aug 01 02:00:00 CEST 1996 until: Fri Jan 01 00:59:59 CET 2021
Certificate fingerprints:
         MD5:  C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
         SHA1: 23:E5:94:94:51:95:F2:41:48:03:B4:D5:64:D2:A3:A3:F5:D8:8B:8C


PeterMmm

1 Answer


You have a single entry in your keystore with two certificates: your certificate and the root certificate that signed it. It is complaining about the root certificate, which is self-signed:

Owner: EMAILADDRESS=server-certs@thawte.com, 
      CN=Thawte Server CA, OU=Certification Services Division, 
      O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
Issuer: EMAILADDRESS=server-certs@thawte.com, 
      CN=Thawte Server CA, OU=Certification Services Division, 
      O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA

The Owner and Issuer are the same. This is to be expected; root certificates are self-signed certificates that you explicitly trust.

You need to make sure that in Firefox you are seeing both these certificates. Jetty should send both certificates to the browser and you should be able to see the hierarchy when you look at the SSL information for the page. You also need to make sure that the root certificate is in the list of certificates that Firefox trusts. I've checked mine and it is definitely in there in my browser.

David Pashley
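The two checks the answer recommends (is the second certificate really self-signed, i.e. Owner equals Issuer, and does the leaf actually chain to a trusted root) can be reproduced with openssl. The script below is an added example and is not part of the original question or answer; it assumes only that openssl is installed. Because it has to run offline, it constructs a throwaway self-signed root and a leaf signed by that root in a temporary directory instead of using the poster's Thawte certificates; the `served_chain` helper is the command you would actually point at the Jetty host to confirm both certificates are being sent, and it needs network access, so it is defined but not run here.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl is on PATH.
# All certificates below are constructed on the fly for demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A self-signed root CA: subject and issuer are identical, exactly the
# situation the answer describes for Certificate[2] in the keystore.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -subj "/CN=Example Root CA/O=Example" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# A leaf certificate (hypothetical name mydomain.example) signed by that root,
# corresponding to Certificate[1]: subject differs from issuer.
openssl req -newkey rsa:2048 -nodes \
  -subj "/CN=mydomain.example" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -out "$WORK/leaf.pem" >/dev/null 2>&1

# is_self_signed FILE: prints "yes" when subject == issuer, "no" otherwise.
# This is the Owner/Issuer comparison the answer makes on the keytool output.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  if [ "${subj#subject=}" = "${iss#issuer=}" ]; then echo yes; else echo no; fi
}

# chain_verifies LEAF TRUSTED: prints "yes" only if LEAF builds a valid chain
# to a certificate in TRUSTED. A browser does the same thing with its own
# trust store, which is why the root must be trusted by Firefox.
chain_verifies() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# served_chain HOST PORT: counts the certificates the TLS server really sends.
# For the setup in the question this should be 2 (leaf + intermediate/root).
# Requires network access; defined here for reference, not executed.
served_chain() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

echo "root self-signed:        $(is_self_signed "$WORK/ca.pem")"
echo "leaf self-signed:        $(is_self_signed "$WORK/leaf.pem")"
echo "leaf chains to root:     $(chain_verifies "$WORK/leaf.pem" "$WORK/ca.pem")"
echo "leaf chains to itself:   $(chain_verifies "$WORK/leaf.pem" "$WORK/leaf.pem")"
```

Run against the real server as `served_chain mydomain.com 443`; if it prints 1, Jetty is sending only the leaf and the browser has to find the issuer on its own, which is one of the two things the answer tells you to check.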