Search...
FAQs Subscribe
Pie
FAQs
Recent topics Flagged topics Hot topics Best topics
Search...
Search within Security Search Coderanch
Advance search Google search
Register / Login
permaculture playing cards
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
advertise on coderanch thread boost meaningless drivel book review grid building better world book
this forum made possible by our volunteer staff, including ...
Marshals:
  • Tim Cooke
  • Campbell Ritchie
  • paul wheaton
  • Ron McLeod
  • Devaka Cooray
Sheriffs:
  • Jeanne Boyarsky
  • Liutauras Vilda
  • Paul Clapham
Saloon Keepers:
  • Tim Holloway
  • Carey Brown
  • Piet Souris
Bartenders:

Does client need to install intermediate certificate??

 
Jimmy Ho
Ranch Hand
Posts: 61
posted 14 years ago
  • Likes 1
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
    Send
  • Quote
  • Report post to moderator

My team just got notified that a server is getting a new SSL certificate on short notice. The service is a straight up SSL TCP/IP socket connection, custom format for request/response. They got the certificate from GeoTrust.

They forwarded us a list of instructions from GeoTrust, and one item includes instructions to install the Intermediate Certificate, or this won't work.

Question: Who needs to install the Intermediate Certificate? Client, server, or both?

Our client program runs on a JVM that opens a socket connection (IBM JVM 1.4.2). In checking our trust store, the fingerprints seem to match at least one of the certs that we found on GeoTrust's root certificate page. We're getting an error relating to the certificate chain being wrong. (Actually, we also ran this on IBM JVM 1.6.0, which had more verbose logging, which specified that it was a chaining issue).

I wonder if it's even feasible to install an intermediate cert into our trust store. Even if it works, I wonder if that's best practice, or if I should insist that the other team check the installation of its certs and intermediate certs?

(Just to clarify, this is just unilateral authentication. That is, there is no client-side SSL certificate. Only the server, as with most applications on the Internet).


 
greg stark
Ranch Hand
Posts: 220
posted 14 years ago
  • Likes 1
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
    Send
  • Quote
  • Report post to moderator
The clients only have the topmost certificates, typically called the root certificates or CA certificates, installed on their systems. On the server side you need to store the server certificate and all intermediate certificates. Thus if the chain you get looks like GeoTrust Root -> GeoTrust Intermediate A -> GeoTrust Intermediate B -> myserver.com then on the server side you need to make sure GeoTrust Intermediate A -> GeoTrust Intermediate B -> myserver.com is installed.

That way, when the client goes to connect to myserver.com the server sends the chain GeoTrust Intermediate A -> GeoTrust Intermediate B -> myserver.com. Now inside every certificate are both an Issuer and a Subject field. The client looks at the issuer field of the start of your chain which is GeoTrust Intermediate A; it says GeoTrust Root. The client then looks in its trusted cert store for the GeoTrust Root certificate and uses it to verify the authenticity of GeoTrust Intermediate A, and then proceeds in like fashion down the whole chain all the way to the myserver.com certificate.

You should never require the client to install anything.

Nice to meet you.

 
Consider Paul's rocket mass heater.
reply
reply
    Bookmark Topic Watch Topic
  • New Topic
Boost this thread!
Similar Threads
More...