Java Mailing List Archive

http://www.junlu.com/


Re: Certificates and SSL Authentication

Jim Hopp

2004-05-26


See "Certificate Chains" in
http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html#Certificates.

Sander Smith wrote:
> I'm a bit confused concerning SSL certificates, and hope someone can
> shed some light. In reading through the SSL spec concerning the SSL
> handshake, it appears to me that the certificate that authenticates my
> server must be signed by a certificate that is known to the client's
> browser. This would preclude the following scenario:
>
> (Root Certificate) => (Intermediate Cert1) => (Intermediate Cert2) =>
> www.mysite.com
>
> Where (Root Certificate) is known to the client but the intermediate
> certificates are not. My certificate <SHOULD> be considered to be okay
> since it is traceable back to a trusted certificate, but the SSL
> handshake seems to say that this is not the case.
>
> However, in looking at some real sites that have real certificates, I
> see the opposite happening. In particular I see the following:
>
> Verisign => (Intermediate) => www.somesite.com
>
> Where Verisign is known to my browser, but the intermediate certificate
> is not. It is of the form:
>
> www.verisign.com/CPS Incorp.by Ref. ... (some other stuff)
>
> What is going on here? Is there a way for the browser to get a copy
> of the intermediate certificate if it isn't already known to it as a
> trusted certificate?
>
> Sander Smith
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@(protected)
> For additional commands, e-mail: tomcat-user-help@(protected)
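
The scenario Sander describes, reproduced as an added example that is not part of the original thread: the client trusts only the root, and the chain validates only when the intermediates arrive with the server certificate, as they can in the SSL/TLS handshake's Certificate message. It assumes the openssl CLI (1.1.1 or later); every key, name and file below is constructed for the demo.

```sh
#!/bin/sh
# Constructed demo PKI: root => int1 => int2 => leaf. All keys, names and files
# are generated here. Assumption: openssl 1.1.1+ (verify exits non-zero on failure).

build_demo_pki() {  # $1 = empty working directory
  d=$1
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$d/req.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.mysite.com\n' > "$d/leaf.ext"
  for n in root int1 int2 leaf; do
    openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" -subj "/CN=demo-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  # Self-signed root, then each certificate signed by the one above it.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -set_serial 1 \
    -extfile "$d/ca.ext" -days 1 -out "$d/root.pem" 2>/dev/null || return 1
  issue int1 root 2 ca.ext && issue int2 int1 3 ca.ext && issue leaf int2 4 leaf.ext
}

issue() {  # issue SUBJECT ISSUER SERIAL EXTFILE (uses $d set by build_demo_pki)
  openssl x509 -req -in "$d/$1.csr" -CA "$d/$2.pem" -CAkey "$d/$2.key" -set_serial "$3" \
    -extfile "$d/$4" -days 1 -out "$d/$1.pem" 2>/dev/null
}

# verify_leaf DIR [intermediate...]
# The client's trust store holds only root.pem. The listed intermediates stand
# for what the server sent with its own certificate; they are used for path
# building but are not trusted themselves (-untrusted).
verify_leaf() {
  d=$1; shift
  if [ $# -eq 0 ]; then
    openssl verify -CAfile "$d/root.pem" "$d/leaf.pem" >/dev/null 2>&1
    return
  fi
  : > "$d/sent.pem"
  for c in "$@"; do cat "$d/$c.pem" >> "$d/sent.pem"; done
  openssl verify -CAfile "$d/root.pem" -untrusted "$d/sent.pem" "$d/leaf.pem" >/dev/null 2>&1
}

DEMO_DIR=$(mktemp -d) && build_demo_pki "$DEMO_DIR" || exit 1
trap 'rm -rf "$DEMO_DIR"' EXIT
for sent in "" "int2" "int2 int1"; do
  # $sent is deliberately unquoted so it splits into separate arguments
  if verify_leaf "$DEMO_DIR" $sent; then r=accepted; else r=rejected; fi
  echo "server sent leaf + [$sent]: $r"
done
```

Only the last case is accepted: with either intermediate missing, the client cannot build a path from the leaf to the root it trusts.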
