Certificate Chain Issue In EAP
Issue
- The user requires the configured trust keystore to be updated automatically when a new set of intermediate CA certificates (which are not present in the currently configured trust keystore) is used.
- Also, the trust keystore may be any trust keystore created by the user or the cacerts file provided by the underlying JDK.
- For example, when making an SSL connection to a site with a certificate like domain.com, as below:
Owner: CN=domain.com, O=A, OU=EDB, L=BC, ST=xyz, C=XX
Issuer: CN=GlobalSign Organization Validation CA - G2, O=GlobalSign nv-sa, C=BE
Serial number: XXXXXXXXXX
Valid from: XXX until: Sat Feb XXX
Certificate fingerprints:
MD5: XXX
SHA1: XXX
SHA256:XXX
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 1.1.1.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName: http://secure.globalsign.com/cacert/gsorganizationvalg2.crt
,
accessMethod: ocsp
accessLocation: URIName: http://ocsp2.globalsign.com/gsorganizationvalg2
]
- JBoss EAP would validate the certificate by reading the "Authority Information Access" field, downloading the required CA from http://secure.globalsign.com/cacert/gsorganizationvalg2.crt, and validating the downloaded CA against the top CA "GlobalSign Root CA", which is present in the trusted keystore.
Environment
- JBoss Enterprise Application Platform (EAP)
- 4.x
- 5.x
- 6.x
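
The first step described in the Issue section, reading the "Authority Information Access" field to find the caIssuers URL, shown as an added example (not Red Hat's or JBoss EAP's code). The class name AiaCaIssuers and its helpers are hypothetical, the sample extension bytes are constructed from the two URLs in the certificate above, and the extension is looked up under the standard AIA OID 1.3.6.1.5.5.7.1.1.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;

public class AiaCaIssuers {
    // DER bodies of the accessMethod OIDs 1.3.6.1.5.5.7.48.2 (caIssuers) and 48.1 (ocsp)
    static final byte[] CA_ISSUERS = {0x2B, 6, 1, 5, 5, 7, 0x30, 2};
    static final byte[] OCSP = {0x2B, 6, 1, 5, 5, 7, 0x30, 1};
    // Returns {tag, contentStart, contentEnd} for the DER TLV at offset off.
    static int[] tlv(byte[] d, int off) {
        int tag = d[off++] & 0xFF, len = d[off++] & 0xFF;
        if (len > 0x7F) {                    // long form: low 7 bits = number of length bytes
            int n = len & 0x7F;
            for (len = 0; n-- > 0; ) len = (len << 8) | (d[off++] & 0xFF);
        }
        if (len < 0 || len > d.length - off) throw new IllegalArgumentException("truncated DER");
        return new int[] {tag, off, off + len};
    }
    // extValue: the bytes X509Certificate.getExtensionValue("1.3.6.1.5.5.7.1.1") returns.
    static List<String> caIssuerUris(byte[] extValue) {
        int[] wrap = tlv(extValue, 0), seq = tlv(extValue, wrap[1]);
        if (wrap[0] != 0x04 || seq[0] != 0x30) throw new IllegalArgumentException("not an AIA value");
        List<String> uris = new ArrayList<>();
        for (int p = seq[1]; p < seq[2]; ) {
            int[] desc = tlv(extValue, p), oid = tlv(extValue, desc[1]), loc = tlv(extValue, oid[2]);
            if (loc[0] == 0x86 && Arrays.equals(Arrays.copyOfRange(extValue, oid[1], oid[2]), CA_ISSUERS))
                uris.add(new String(extValue, loc[1], loc[2] - loc[1], StandardCharsets.US_ASCII));
            p = desc[2];                     // next AccessDescription
        }
        return uris;
    }
    // Builds one DER TLV (body under 256 bytes); used only to construct the sample below.
    static byte[] der(int tag, byte[]... parts) {
        ByteArrayOutputStream body = new ByteArrayOutputStream(), out = new ByteArrayOutputStream();
        for (byte[] p : parts) body.write(p, 0, p.length);
        out.write(tag);
        if (body.size() > 0x7F) out.write(0x81);
        out.write(body.size());
        out.write(body.toByteArray(), 0, body.size());
        return out.toByteArray();
    }
    public static void main(String[] args) {
        // Constructed sample: the two AuthorityInfoAccess entries from the certificate above.
        byte[] issuers = "http://secure.globalsign.com/cacert/gsorganizationvalg2.crt".getBytes(StandardCharsets.US_ASCII);
        byte[] ocsp = "http://ocsp2.globalsign.com/gsorganizationvalg2".getBytes(StandardCharsets.US_ASCII);
        byte[] ext = der(0x04, der(0x30, der(0x30, der(0x06, CA_ISSUERS), der(0x86, issuers)),
                                         der(0x30, der(0x06, OCSP), der(0x86, ocsp))));
        System.out.println(caIssuerUris(ext));
    }
}
```

The JDK's PKIX CertPathBuilder follows caIssuers URLs only when the system property com.sun.security.enableAIAcaIssuers is set to true, which is off by default. The fetch is plain HTTP to a location named by the presented certificate, so the downloaded CA still has to chain to a root already in the trust keystore.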
