Java Forum / Security / October 2003
Cert chain versus an individual cert

Brian J. Sayatovic - 16 Oct 2003 20:42 GMT
The JSSE user guide on Sun's site states that a server might send its
cert, or its cert-chain.  It doesn't say when it might do one or the
other, or the repercussions.

I've got one SSL site (our own) that, via SSL debug mode, I can see
sends its whole cert chain.  Yet, when I hit a third party SSL site,
it only sends its own cert.  Using JSSE with a custom truststore, I
can connect to our site but not to theirs.  The debugging indicates
that since the third-party site only sends its cert, JSSE cannot
verify the third-party's cert up to someone I trust.

However, when I view that same site in IE and view the cert, it shows a
cert path.  How does IE either (a) infer the cert-chain or (b) query
the server differently to get the cert-chain?  JSSE only ever gets the
one third-party cert, while IE somehow gets the chain.

Regards,
Brian.

P.S. I've verified that the "issuer" of the third-party cert is not
itself in the IE cert store: "www.verisign.com/CPS Incorp.by Ref.
LIABILITY LTD.(c)97 VeriSign"
VK - 17 Oct 2003 20:45 GMT
Making some heroic efforts to save $300-$400 on a normal commercial
certificate?
Understandable... :-)    No, really it is! ;-)

Root or chain - it's still one "file", meaning one data unit. So your
applet gets the same as any browser does, you just need to "parse" the
received data in the way you need. Look for *.getCertificateChain()
methods in all these K../SSL libraries.

I still don't think that the trick will work using just one side (your
applet/application). The keystore has to be updated on each running machine.
Unless M. Gallant has found some new breakthrough.

> The JSSE user guide on Sun's site states that a server might send its
> cert, or its cert-chain.  It doesn't say when it might do one or the
[quoted text clipped - 18 lines]
> itself in the IE cert store: "www.verisign.com/CPS Incorp.by Ref.
> LIABILITY LTD.(c)97 VeriSign"
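What JSSE actually receives from the server, and how a client can complete the chain itself when the server sends only its own certificate, as an added example that is not code from either post in this thread (the class name ChainCheck, the command-line arguments, the truststore file and its password are all assumed here):

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

/** Added example: show what the server sends, then build a path to a trust anchor. */
public class ChainCheck {

    /** Open a TLS connection only to capture the certificates the server presents.
     *  The trust manager accepts anything; that is tolerable for this diagnostic
     *  because nothing is sent over the connection, but it must never be used
     *  for real traffic. */
    static X509Certificate[] fetchPeerChain(String host, int port) throws Exception {
        TrustManager observeOnly = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { observeOnly }, null);
        SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try {
            sock.startHandshake();
            Certificate[] sent = sock.getSession().getPeerCertificates();
            // Element 0 is the server's own cert; any further elements are the
            // intermediates the server chose to include (possibly none at all).
            return Arrays.copyOf(sent, sent.length, X509Certificate[].class);
        } finally {
            sock.close();
        }
    }

    /** Build a certification path from the server cert up to a trust anchor in
     *  trustStore.  Candidate issuers are the server-sent certs plus any
     *  intermediates held locally, which is what lets a client validate a
     *  server that sends only its own certificate. */
    static PKIXCertPathBuilderResult buildPath(X509Certificate[] sent, KeyStore trustStore,
            List<X509Certificate> localIntermediates) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(sent[0]);
        // Every trusted-cert entry in trustStore becomes a PKIX trust anchor.
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, target);
        List<X509Certificate> pool = new ArrayList<X509Certificate>(Arrays.asList(sent));
        pool.addAll(localIntermediates);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(pool)));
        params.setRevocationEnabled(false); // no CRL/OCSP fetching in this example
        return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
    }

    /** Read one or more PEM certificates (e.g. a CA's published intermediate). */
    static List<X509Certificate> loadPem(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> out = new ArrayList<X509Certificate>();
        FileInputStream in = new FileInputStream(path);
        try {
            for (Certificate c : cf.generateCertificates(in)) {
                out.add((X509Certificate) c);
            }
        } finally {
            in.close();
        }
        return out;
    }

    /** Assumed usage: java ChainCheck host 443 truststore.jks changeit [intermediates.pem] */
    public static void main(String[] args) throws Exception {
        X509Certificate[] sent = fetchPeerChain(args[0], Integer.parseInt(args[1]));
        System.out.println("server sent " + sent.length + " certificate(s):");
        for (X509Certificate c : sent) {
            System.out.println("  " + c.getSubjectX500Principal()
                    + "  issued by  " + c.getIssuerX500Principal());
        }
        KeyStore ts = KeyStore.getInstance("JKS");
        FileInputStream tsIn = new FileInputStream(args[2]);
        try { ts.load(tsIn, args[3].toCharArray()); } finally { tsIn.close(); }
        List<X509Certificate> extra =
                args.length > 4 ? loadPem(args[4]) : new ArrayList<X509Certificate>();
        try {
            PKIXCertPathBuilderResult r = buildPath(sent, ts, extra);
            System.out.println("path built: " + r.getCertPath().getCertificates().size()
                    + " cert(s) up to anchor "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathBuilderException e) {
            // The failure from the question: the issuer of the server cert is
            // neither a trust anchor nor present in the candidate pool.
            System.out.println("no path to a trust anchor: " + e.getMessage());
        }
    }
}
```

The first half of the output is the same information `-Djavax.net.debug=ssl:handshake` prints: if only one certificate appears, the server really did send only its leaf, and the default trust manager will fail exactly as described because it has nothing to join the leaf to the truststore. The second half shows the client-side fix: supply the missing intermediate yourself, either in a CertStore pool as above or, more crudely, as a trusted entry in the truststore. Note the difference: a trusted-cert entry is a trust anchor for PKIX, so putting the intermediate in the truststore stops verification at the intermediate, whereas keeping it in the pool still anchors the path at the root. Windows keeps a separate intermediate-CA store that IE's chain builder consults (and that fills up from chains seen earlier), which is why IE can often display a full path for a server that JSSE, looking only at the truststore, cannot verify.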

©2008 Advenet LLC   Privacy Policy - Terms of Use