Chrome errors with Tomcat

morgan — Tue, 16 Aug 2011 18:06:52 +0000

I stumbled across an interesting problem… If you run a Tomcat SSL web server and have Chrome browsers as clients, you may see errors in Chrome. These errors are not the fault of Tomcat, but they are a bug in older versions of the Java JDK which Tomcat uses for SSL. Costin Manolache’s blog post explains it fairly well. The bug in JSSE was fixed in JDK 6u12.

Dueling Thawte Premium Server CA certificates

morgan — Tue, 19 Jul 2011 17:31:17 +0000

Why are there two different Thawte Premium Server CA certificates out there?
Thawte distributes one at their root certificates web site:

Serial Number: 36 12 22 96 c5 e3 38 a5 20 a1 d2 5f 4c d7 09 54
Valid From: Wednesday, July 31, 1996
Valid to:  Friday, January 01, 2021
Certificate SHA1 Fingerprint: e0 ab 05 94 20 72 54 93 05 60 62 02 36 70 f7 cd 2e fc 66 66
Key Size: RSA(1024 Bits)

but there is a different version distributed with Redhat, Debian, Firefox, and OS X:

Serial Number: 1 (0x1)
Validity
     Not Before: Aug  1 00:00:00 1996 GMT
     Not After : Dec 31 23:59:59 2020 GMT
SHA1 Fingerprint=62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A

If I build a certificate chain for an SSL web server using the one from Thawte’s web site, OS X says the site uses an invalid certificate.

*** Update ***

There ARE 2 different Thawte Premium Server CA certificates:

MD5-signed
SHA1-signed

We’ll see if they tell me why they did that…

*** Update 2 ***

Thawte was required by the browser vendors to sign their CA certs with SHA1 instead of MD5. See here: https://search.thawte.com/support/ssl-digital-certificates/index?page=content&actp=CROSSLINK&id=AD221

Sysadmin Notes

Chrome errors with Tomcat

Dueling Thawte Premium Server CA certificates