0 Replies Latest reply on Apr 11, 2005 5:15 AM by ays

    Tomcat https : "Unknown certificate"

    ays

      Hello, everybody. I know that this isn't quite the right place for this question, but the Tomcat forum is silent, so I hope someone will help me here.


      We're using a Thawte-signed certificate for our web site. This year (March)
      they used a new intermediate certificate to sign our request. They also
      asked us to add that intermediate certificate to Apache's
      SSLCertificateChainFile directive. And all is working great in Apache.

      But a bit earlier, in February, we migrated to Tomcat 5.0.28;
      Apache is going to be uninstalled after a while.

      The problem is that I cannot configure Tomcat so that it works just like
      Apache; at the moment all browsers show me an "Unknown certificate" warning.

      I've tried various combinations of the verisign, thawte and our certificates
      being in both keystores used here. I've tried changing aliases -- it doesn't
      help. And I cannot find a good article/document on how to configure Tomcat for
      using intermediate certificates.

      The certificate chain is: verisign -> thawte -> mpi (our host).
      Neither verisign's CA nor thawte's intermediate certificates are found in
      the browsers' list of known CAs.

      Here's a part of my server.xml:




      If you have any idea, mail me or answer here.
      I can post keystores, logs, etc. if you want to see them.