Certificate Chain Issue In EAP
Issue
- The user requires the configured trust keystore to be updated automatically when a new set of intermediate CA certificates (not present in the currently configured trust keystore) is used.
- The trust keystore may be any trust keystore created by the user or the cacerts provided by the underlying JDK.
- For example, when making an SSL connection to a site with a certificate like the one below for domain.com:
Owner: CN=domain.com, O=A, OU=EDB, L=BC, ST=xyz, C=XX
Issuer: CN=GlobalSign Organization Validation CA - G2, O=GlobalSign nv-sa, C=BE
Serial number: XXXXXXXXXX
Valid from: XXX until: Sat Feb XXX
Certificate fingerprints:
MD5: XXX
SHA1: XXX
SHA256:XXX
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 1.1.1.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName: http://secure.globalsign.com/cacert/gsorganizationvalg2.crt
,
accessMethod: ocsp
accessLocation: URIName: http://ocsp2.globalsign.com/gsorganizationvalg2
]
- JBoss EAP would validate the certificate by reading the "Authority Information Access" field, downloading the required CA from http://secure.globalsign.com/cacert/gsorganizationvalg2.crt and validating the downloaded CA against the top CA, "GlobalSign Root CA", which is present in the trusted keystore.
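The chain situation described above, reproduced offline with OpenSSL as an added example (not part of the original article and not Red Hat's code): a trust store holding only the root, and a leaf issued by an intermediate that the trust store lacks. The CA names, file names and the AIA URL are constructed for the demo, and the local intermediate file stands in for what the caIssuers download would return.

```shell
#!/bin/sh
# Constructed demo PKI: root CA -> intermediate CA -> leaf for domain.com.
# CA names, file names and the AIA URL are made up for this example.
set -e
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
AIA_URL="http://ca.example.test/intermediate.crt"  # placeholder caIssuers URL

new_csr() {  # $1 = file prefix, $2 = subject
  openssl req -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null
}
sign() {     # $1 = subject prefix, $2 = issuer prefix, $3 = extension line(s)
  printf '%b\n' "$3" > "$W/$1.ext"
  openssl x509 -req -in "$W/$1.csr" -CA "$W/$2.crt" -CAkey "$W/$2.key" \
    -CAcreateserial -days 2 -extfile "$W/$1.ext" -out "$W/$1.crt" 2>/dev/null
}
make_chain() {
  # Self-signed root: the only certificate the trust store will hold.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
    -keyout "$W/root.key" -out "$W/root.crt" 2>/dev/null
  new_csr int "/CN=Demo Intermediate CA"
  sign int root 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign'
  new_csr leaf "/CN=domain.com"
  sign leaf int "authorityInfoAccess=caIssuers;URI:$AIA_URL"
}
# Read the caIssuers location back out of the leaf's AIA extension.
aia_ca_issuers() {
  openssl x509 -in "$W/leaf.crt" -noout -text | sed -n 's/^ *CA Issuers - URI://p'
}
# Trust store = root only; the server sent no intermediate.
verify_root_only() {
  openssl verify -CAfile "$W/root.crt" "$W/leaf.crt" >/dev/null 2>&1
}
# Same trust store, with the intermediate supplied as an untrusted helper,
# which is the role a certificate fetched from the AIA URL would play.
verify_with_intermediate() {
  openssl verify -CAfile "$W/root.crt" -untrusted "$W/int.crt" \
    "$W/leaf.crt" >/dev/null 2>&1
}

make_chain
echo "caIssuers: $(aia_ca_issuers)"
if verify_root_only; then echo "root only: OK"; else echo "root only: FAIL (issuer missing)"; fi
if verify_with_intermediate; then echo "with intermediate: OK"; else echo "with intermediate: FAIL"; fi
```

The second check passes only because the root is already trusted; the supplied intermediate is used to build the path and is never treated as a trust anchor itself.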
Environment
- JBoss Enterprise Application Platform (EAP)
- 4.x
- 5.x
- 6.x