Certificate Chain Issue In EAP

Solution Unverified - Updated -

Issue

  • The user requires the configured trust keystore to be updated automatically when a new set of intermediate CA certificates, not present in the currently configured trust keystore, comes into use.
  • The trust keystore may be one created by the user or the cacerts file provided by the underlying JDK.

  • For example:

    • When making an SSL connection to a site such as domain.com that presents the following certificate:
Owner: CN=domain.com, O=A, OU=EDB, L=BC, ST=xyz, C=XX
Issuer: CN=GlobalSign Organization Validation CA - G2, O=GlobalSign nv-sa, C=BE
Serial number: XXXXXXXXXX
Valid from: XXX until: Sat Feb XXX
Certificate fingerprints:
     MD5:  XXX
     SHA1: XXX
     SHA256:XXX
     Signature algorithm name: SHA1withRSA
     Version: 3

Extensions: 

#1: ObjectId: 1.1.1.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://secure.globalsign.com/cacert/gsorganizationvalg2.crt
, 
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp2.globalsign.com/gsorganizationvalg2
]

  • JBoss EAP would validate the certificate by reading the "Authority Information Access" field, downloading the required CA certificate from http://secure.globalsign.com/cacert/gsorganizationvalg2.crt, and validating the downloaded CA certificate against the top-level CA "GlobalSign Root CA", which is present in the trusted keystore.
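
What "reading the Authority Information Access field" involves, as an added example (not Red Hat's or the JDK's code): a minimal DER decoder for the extension value, plus a host allowlist check on the caIssuers URLs, since those URLs are taken from the peer's certificate. The function names, the allowlist and the sample bytes (constructed from the two URLs shown above) are assumptions made for illustration.

```python
from urllib.parse import urlparse

# accessMethod OIDs (RFC 5280), as DER content bytes
CA_ISSUERS = bytes.fromhex("2b06010505073002")  # 1.3.6.1.5.5.7.48.2
OCSP = bytes.fromhex("2b06010505073001")        # 1.3.6.1.5.5.7.48.1
URI_TAG = 0x86  # GeneralName uniformResourceIdentifier: [6] IMPLICIT IA5String

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def parse_aia(ext_value):
    """Decode the extension value (inner OCTET STRING contents) into URL lists."""
    tag, body, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("AuthorityInfoAccessSyntax must be a SEQUENCE")
    out, pos = {"caIssuers": [], "ocsp": []}, 0
    while pos < len(body):
        _, desc, pos = read_tlv(body, pos)        # one AccessDescription
        mtag, method, nxt = read_tlv(desc, 0)     # accessMethod (OID)
        ltag, loc, _ = read_tlv(desc, nxt)        # accessLocation (GeneralName)
        name = {CA_ISSUERS: "caIssuers", OCSP: "ocsp"}.get(method)
        if mtag == 0x06 and ltag == URI_TAG and name:
            out[name].append(loc.decode("ascii"))
    return out

def fetchable_issuer_urls(ext_value, allowed_hosts):
    """caIssuers URLs a client may fetch: http(s) only, host on the allowlist."""
    return [u for u in parse_aia(ext_value)["caIssuers"]
            if urlparse(u).scheme in ("http", "https")
            and urlparse(u).hostname in allowed_hosts]

def tlv(tag, body):
    """Minimal DER encoder (lengths < 256), used only to build the sample."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body

# Constructed sample: the two AIA entries from the certificate shown above.
SAMPLE_AIA = tlv(0x30,
    tlv(0x30, tlv(0x06, CA_ISSUERS) + tlv(URI_TAG, b"http://secure.globalsign.com/cacert/gsorganizationvalg2.crt")) +
    tlv(0x30, tlv(0x06, OCSP) + tlv(URI_TAG, b"http://ocsp2.globalsign.com/gsorganizationvalg2")))
```

Whatever is downloaded from a caIssuers URL is untrusted input until it chains to a root already present in the trust keystore.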

Environment

  • JBoss Enterprise Application Platform (EAP)
    • 4.x
    • 5.x
    • 6.x
