
I have Spring Boot 1.5 app which is setting up a connection with some Web Services. In all the cases, these are TLS 1.2 connections. I run my app passing this JVM params:

-Djavax.net.ssl.keyStore=${KEYSTORE} \
-Djavax.net.ssl.keyStorePassword=${KEYSTORE_PW}   # the keystore password

The javax.net.ssl.keyStore is just a jks file with a single certificate in it.

I need to answer this question: when setting up the TLS connection, how can I know if I am checking the full certificate chain, or just the root certificate? Does it just depend on the CA I have in each of the certificates contained in my trust store?

I use RestTemplate to make the connections:

ResponseEntity<T> response = restTemplate.exchange(uri, HttpMethod.PUT, requestEntity, T.class);

My RestTemplate instance has nothing fancy, this is how I build it:

RestTemplate restTemplate = new RestTemplate();

Thanks all.

UPDATE Feb 14 2019

I wanted to clarify something. I am 100% sure my code uses TLS 1.2. If I remove my certs from my key store, then all the calls start to fail complaining with SSL Exceptions.

The certificate chain from the Service I'm calling consists of a leaf certificate and an intermediate certificate. They said they will update only the leaf certificate, and they said this:

"If client systems trust VendorX-issued certificates with the complete chain, then the new Leaf Certificate will need to be updated."

The part that confuses me is "the complete chain". What does that mean? Does it mean that you can either validate a part of the chain or the full chain?

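For the question of "full chain or just the root": the JDK's default PKIX trust manager validates every certificate the server presents, from the leaf through the intermediates up to an anchor it finds in the truststore (javax.net.ssl.trustStore or the JDK cacerts; javax.net.ssl.keyStore supplies the client's own certificate, not the trust anchors). The following is an added diagnostic example, not code from the question or the linked answer; the class and method names are hypothetical, and it wraps the default trust manager so each handshake logs the chain it was asked to check and which anchor accepted it:

```java
import java.security.KeyStore;
import java.security.cert.*;
import javax.net.ssl.*;

// Hypothetical diagnostic helper: wraps the JDK's default (PKIX) trust manager so every
// handshake logs the chain the server sent and the trust anchor that accepted it.
public final class ChainLoggingTrust {
    // Default trust manager; a null truststore means the JDK cacerts or -Djavax.net.ssl.trustStore.
    static X509TrustManager defaultTrustManager(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    static X509TrustManager logging(X509TrustManager delegate) {
        return new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                delegate.checkClientTrusted(chain, authType);
            }
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                // chain[0] is the leaf, then the intermediates the server sent; the root is usually omitted.
                for (int i = 0; i < chain.length; i++) {
                    System.out.printf("chain[%d] subject=%s issuer=%s%n", i,
                            chain[i].getSubjectX500Principal(), chain[i].getIssuerX500Principal());
                }
                // PKIX checks every link (signature, validity period, extensions) from the leaf up to a
                // certificate in the truststore; a rotated leaf or intermediate still passes as long as it
                // chains to that anchor. A failure surfaces here as a CertificateException.
                delegate.checkServerTrusted(chain, authType);
                X509Certificate top = chain[chain.length - 1];
                for (X509Certificate anchor : delegate.getAcceptedIssuers()) {
                    if (anchor.getSubjectX500Principal().equals(top.getIssuerX500Principal())) {
                        System.out.println("accepted via trust anchor " + anchor.getSubjectX500Principal());
                    }
                }
            }
            public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
        };
    }

    // Call before building RestTemplate: SimpleClientHttpRequestFactory uses HttpsURLConnection, so the
    // default socket factory applies. Null key managers keep -Djavax.net.ssl.keyStore in effect.
    public static void install(KeyStore trustStore) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, new TrustManager[] { logging(defaultTrustManager(trustStore)) }, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }
}
```

Calling `ChainLoggingTrust.install(null)` once at startup and then making a request with the plain `new RestTemplate()` prints the presented chain; if the log shows the vendor's leaf or intermediate itself as the accepted anchor, the client pins that certificate and a rotation will break it, whereas an anchor at the CA root means the rotation is transparent.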

1 Answer


Check Michal Foksa's answer here. It should be a starting point for you: How to enforce TLS1.2 to Rest client using Rest Template

  • I know already my Rest Template checks certificates, because if I remove my certs from my keystore then the calls are rejected. I will clarify that in my question. – Perimosh Feb 14 '19 at 14:44
  • Although links can be helpful, answers must be self-contained. Please read: [Your answer is in another castle: when is an answer not an answer?](https://meta.stackexchange.com/questions/225370/your-answer-is-in-another-castle-when-is-an-answer-not-an-answer) – Mark Rotteveel Feb 14 '19 at 15:20