
verisign certificate on tomcat is not trusted by remote server


I am using a webservice from a remote server over SSL.

The remote server has a Tomcat FE. We had Verisign sign the remote server certificate and the certificate chain is:

o:remote.server.com
i:VeriSign Class 3 Secure Server CA - G3
i:VeriSign Class 3 Public Primary Certification Authority - G5

We added this certificate to Tomcat's keystore and also added VeriSign's intermediate certificate, for which:

o:VeriSign Class 3 Public Primary Certification Authority - G5
i:Class 3 Public Primary Certification Authority

When I invoke the webservice from my server I get an SSL handshake exception:

No trusted certificate found

On my server's JVM cacerts I have "Class 3 Public Primary Certification Authority" but don't have the "VeriSign Class 3 Public Primary Certification Authority - G5" certificate.

If I add the "VeriSign Class 3 Public Primary Certification Authority - G5" certificate to the jvm then I stop getting the exception. However it is my understanding that Tomcat should chain the certificates so that when my server gets the remote certificate it will see "Class 3 Public Primary Certification Authority" as the root authority.

Why isn't this happening here?


Solution

  • I've finally solved this problem.
    It seems that our server keystore had several redundant certificates installed. Once we removed the redundant certificates and were left with just the server certificate and the CA-chain certificate, the client received the full chain and stopped getting the SSL handshake exception.

    There is a tool from VeriSign which helped me troubleshoot this issue:
    https://ssl-tools.verisign.com/#certChecker
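The check behind both the question and the answer is whether the certificates the server actually sends let the client walk issuer to subject until it reaches a root in its own trust store. The following is an added example, not code from the question, the answer or Tomcat: it parses the "Certificate chain" listing that `openssl s_client -showcerts` prints (the two listings below are constructed samples, and the full distinguished names are assumed; only the CN/OU parts come from the page) and performs name-based path building against a trust store. It checks names only, not signatures or validity periods, so it answers exactly one question: is a link missing between what the server sends and what the client trusts.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the "Certificate chain" block as `openssl s_client -showcerts`
# prints it (subject/issuer lines only, PEM bodies omitted). Full DNs are assumed.
# Scenario A: Tomcat sends only the server certificate and the G3 intermediate.
S_CLIENT_LEAF_AND_G3 = """\
Certificate chain
 0 s:/C=US/O=Example/CN=remote.server.com
   i:/C=US/O=VeriSign, Inc./CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./CN=VeriSign Class 3 Public Primary Certification Authority - G5
"""

# Scenario B: Tomcat additionally sends the G5 cross-certificate issued by the old root.
S_CLIENT_FULL = S_CLIENT_LEAF_AND_G3 + """\
 2 s:/C=US/O=VeriSign, Inc./CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
"""

# Trust anchors as the client's cacerts might hold them (DNs assumed).
OLD_ROOT = "/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority"
G5_ROOT = "/C=US/O=VeriSign, Inc./CN=VeriSign Class 3 Public Primary Certification Authority - G5"


def parse_chain(text: str) -> List[Tuple[str, str]]:
    """Return [(subject, issuer), ...] in the order the server presented them."""
    pairs: List[Tuple[str, str]] = []
    subject: Optional[str] = None
    for line in text.splitlines():
        m = re.match(r"^\s*\d+\s+s:(.*)$", line)
        if m:
            subject = m.group(1).strip()
            continue
        m = re.match(r"^\s+i:(.*)$", line)
        if m and subject is not None:
            pairs.append((subject, m.group(1).strip()))
            subject = None
    return pairs


def build_path(presented: List[Tuple[str, str]],
               trust_anchors: Set[str]) -> Optional[List[str]]:
    """
    Name-based path building: start at the leaf (first cert sent), follow
    issuer -> subject through the certs the server sent, and stop as soon as an
    issuer is a trust anchor. Returns the subjects on the path ending with the
    anchor, or None when the next link was never sent (the failure in the question).
    Signatures, key usage and validity are out of scope for this check.
    """
    if not presented:
        return None
    by_subject: Dict[str, str] = {s: i for s, i in presented}
    leaf_subject, issuer = presented[0]
    path = [leaf_subject]
    seen = {leaf_subject}
    while issuer not in trust_anchors:
        if issuer not in by_subject or issuer in seen:
            return None  # missing intermediate/cross-cert, or a loop
        path.append(issuer)
        seen.add(issuer)
        issuer = by_subject[issuer]
    return path + [issuer]


def diagnose(s_client_output: str, trust_anchors: Set[str]) -> str:
    """One-line verdict a practitioner can paste into a ticket."""
    chain = parse_chain(s_client_output)
    path = build_path(chain, trust_anchors)
    if path is None:
        last_issuer = chain[-1][1] if chain else "(nothing sent)"
        return ("BROKEN: server sent %d cert(s); no link from issuer '%s' "
                "to a trusted root" % (len(chain), last_issuer))
    return "OK: %d cert(s) sent, path of %d reaches trusted root '%s'" % (
        len(chain), len(path), path[-1])


if __name__ == "__main__":
    # Client with only the old root in cacerts, as described in the question.
    print("A/old root:", diagnose(S_CLIENT_LEAF_AND_G3, {OLD_ROOT}))
    print("B/old root:", diagnose(S_CLIENT_FULL, {OLD_ROOT}))
    # Client whose cacerts already contains the G5 root (the workaround in the question).
    print("A/G5 root: ", diagnose(S_CLIENT_LEAF_AND_G3, {G5_ROOT}))
```

Run it against real output by saving `openssl s_client -connect remote.server.com:443 -showcerts </dev/null` to a file and feeding it to `diagnose` with the subjects listed by `keytool -list -v -keystore $JAVA_HOME/lib/security/cacerts`. Scenario A with the old root is the question's situation; scenario B is what the client saw once the redundant entries were removed and Tomcat sent the cross-certificate.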