
Does a truststore also need a CA's certificate to authenticate?


I am using WSO2 ESB 4.0.0 and Application Server 4.1.0 to talk with each other over SSL. Both have been configured with the same keystore. Both are on different servers. The reason for this is so that WSAS only communicates with the ESB. My certificate is not self-signed.

My question is: for WSAS to only communicate with the ESB, do I also need to import the CA's certificate into WSAS's truststore? I believe this will complete the trust chain?

If I do not import the CA's certificate, I get the following in my WSAS log:

INFO   | jvm 1    | 2011/11/16 15:56:21 | javax.net.ssl.SSLHandshakeException: null cert chain
INFO   | jvm 1    | 2011/11/16 15:56:21 |   at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:1015)
INFO   | jvm 1    | 2011/11/16 15:56:21 |   at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:480)
INFO   | jvm 1    | 2011/11/16 15:56:21 |   at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1120)
INFO   | jvm 1    | 2011/11/16 15:56:21 |   at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1092)
INFO   | jvm 1    | 2011/11/16 15:56:21 |   at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:452)

Thank you


Solution

  • You will need the certificate if your certificate issuer is an intermediate certificate authority like GoDaddy or something. The intermediate certificate establishes a cert-chain from your cert up through your untrusted intermediate CA and eventually terminating (hopefully) at a trusted root certificate authority.
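
To see whether a given truststore can actually anchor a certificate chain, the following added diagnostic (not part of the original answer and not WSO2 code) runs the chain stored in a keystore through the JVM's default trust manager built from that truststore. The class name `ChainCheck`, the command-line arguments and the JKS store format are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added diagnostic. Usage (all arguments are supplied by you):
//   java ChainCheck <truststore> <trustPass> <keystore> <keyPass> <alias>
public class ChainCheck {
    static KeyStore load(String path, String pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS"); // assumption: JKS-format stores
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pass.toCharArray());
        }
        return ks;
    }

    static X509TrustManager trustManagerFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        X509TrustManager tm = trustManagerFor(load(args[0], args[1]));
        // Certificates in the truststore that can act as trust anchors.
        for (X509Certificate ca : tm.getAcceptedIssuers()) {
            System.out.println("anchor: " + ca.getSubjectX500Principal());
        }
        Certificate[] stored = load(args[2], args[3]).getCertificateChain(args[4]);
        if (stored == null) throw new IllegalArgumentException("no key entry: " + args[4]);
        X509Certificate[] chain = new X509Certificate[stored.length];
        for (int i = 0; i < stored.length; i++) {
            chain[i] = (X509Certificate) stored[i];
            System.out.println("chain[" + i + "]: " + chain[i].getSubjectX500Principal()
                + " <- issued by " + chain[i].getIssuerX500Principal());
        }
        try {
            // Path validation as the trust manager applies it to a peer's client chain.
            tm.checkClientTrusted(chain, chain[0].getPublicKey().getAlgorithm());
            System.out.println("TRUSTED: chain ends at an anchor in the truststore");
        } catch (CertificateException e) {
            System.out.println("NOT TRUSTED: " + e.getMessage());
        }
    }
}
```

If the last `issued by` name in the printed chain does not appear among the `anchor:` lines, the issuing CA certificate is what is missing from the truststore.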