I stumbled across an interesting problem… If you run a Tomcat SSL web server and have Chrome browsers as clients, you may see errors in Chrome. These errors are not Tomcat's fault; they come from a bug in the JSSE of older Java JDK versions, which Tomcat uses for SSL. Costin Manolache’s blog post explains it fairly well. The bug in JSSE was fixed in JDK 6u12.
Why are there two different Thawte Premium Server CA certificates out there?
Thawte distributes one at their root certificates web site:
Serial Number: 36 12 22 96 c5 e3 38 a5 20 a1 d2 5f 4c d7 09 54
Valid From: Wednesday, July 31, 1996
Valid to: Friday, January 01, 2021
Certificate SHA1 Fingerprint: e0 ab 05 94 20 72 54 93 05 60 62 02 36 70 f7 cd 2e fc 66 66
Key Size: RSA(1024 Bits)
but there is a different version distributed with Red Hat, Debian, Firefox, and OS X:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 1 00:00:00 1996 GMT
Not After : Dec 31 23:59:59 2020 GMT
SHA1 Fingerprint=62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A
If I build a certificate chain for an SSL web server using the one from Thawte’s web site, OS X says the site uses an invalid certificate.
*** Update ***
There ARE 2 different Thawte Premium Server CA certificates:
We’ll see if they tell me why they did that…
*** Update 2 ***
Thawte was required by the browser vendors to sign their CA certs with SHA1 instead of MD5. See here: https://search.thawte.com/support/ssl-digital-certificates/index?page=content&actp=CROSSLINK&id=AD221
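To tell which of the two Thawte Premium Server CA copies a PEM file actually holds, and whether its signature uses MD5 or SHA1, the following script is an added example (not part of the original post) that reads the serial, SHA1 fingerprint and signature algorithm with the openssl command-line tool and matches the fingerprint against the two values quoted above (the first one normalised from the spaced lowercase form to colon-separated uppercase). It assumes openssl is installed; the function names and the labels "thawte-website-copy" and "distro-bundle-copy" are my own.

```shell
#!/bin/sh
# Added example, not from the original post: identify which Thawte Premium
# Server CA root a PEM file contains by its SHA1 fingerprint, and report the
# digest used in its signature. Assumes the openssl CLI is installed.

# The two fingerprints quoted in the post, normalised to uppercase with colons.
THAWTE_SITE_FP="E0:AB:05:94:20:72:54:93:05:60:62:02:36:70:F7:CD:2E:FC:66:66"
THAWTE_DISTRO_FP="62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A"

# cert_fingerprint FILE -> SHA1 fingerprint as openssl prints it, e.g. "62:7F:...:9A"
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# cert_serial FILE -> serial number in hex, as openssl prints it (e.g. "01")
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# cert_sigalg FILE -> signature algorithm name from the certificate body,
# e.g. "sha1WithRSAEncryption" or "md5WithRSAEncryption"
cert_sigalg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# classify_fingerprint FP -> which of the two known roots it is, or "unknown".
# Comparison is case-insensitive so output from other tools can be pasted in.
classify_fingerprint() {
    case "$(printf '%s' "$1" | tr 'a-f' 'A-F')" in
        "$THAWTE_SITE_FP")   echo "thawte-website-copy" ;;
        "$THAWTE_DISTRO_FP") echo "distro-bundle-copy" ;;
        *)                   echo "unknown" ;;
    esac
}

# digest_of_sigalg NAME -> "md5", "sha1", "sha256" or "other"
digest_of_sigalg() {
    case "$1" in
        md5With*)    echo "md5" ;;
        sha1With*)   echo "sha1" ;;
        sha256With*) echo "sha256" ;;
        *)           echo "other" ;;
    esac
}

# report FILE: print the fields an operator would otherwise compare by hand
report() {
    fp=$(cert_fingerprint "$1")
    alg=$(cert_sigalg "$1")
    printf 'file:        %s\n' "$1"
    printf 'serial:      %s\n' "$(cert_serial "$1")"
    printf 'fingerprint: %s (%s)\n' "$fp" "$(classify_fingerprint "$fp")"
    printf 'signature:   %s (%s digest)\n' "$alg" "$(digest_of_sigalg "$alg")"
}

# Usage: sh thawte-root-check.sh /path/to/ThawtePremiumServerCA.pem
if [ -n "$1" ]; then report "$1"; fi
```

Run it against the root you intend to ship in the Tomcat keystore chain: a "thawte-website-copy" fingerprint with an md5 digest is the copy that OS X rejects, while the distro bundle copy carries the SHA1-signed root the browser vendors asked for.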