
Certificate chain not transported to server

I use this method to register the client certificate into the server certificate.

/**
 * Links the user's certificate into the server's keystore/truststore.
 * 
 * @param server
 *            The server party.
 * @return <code>true</code> if the certificate has been bound,
 *         <code>false</code> if the certificate already was bound to the
 *         truststore.
 * @throws KeyStoreException
 */
public boolean linkToServerCertificate(Party server) throws KeyStoreException {
    if (keyAlias.equals(server.keyAlias)) {
        throw new IllegalArgumentException("The alias of client and server must be different!");
    }
    keystore.setCertificateEntry(server.keyAlias, server.getAliasCert());
    Certificate certificate = keystore.getCertificate(keyAlias);
    server.keystore.setCertificateEntry(keyAlias, certificate);
    return true;
}

After the restart of the AS I get this message:

[screenshot of the error message]

Having the environment variable JAVA_OPTS="-Djavax.net.debug=ssl" set, I get this information:

*** ServerHelloDone
https-jsse-nio-8443-exec-7, WRITE: TLSv1.2 Handshake, length = 1522
https-jsse-nio-8443-exec-8, READ: TLSv1.2 Handshake, length = 7
*** Certificate chain
<Empty>
***
https-jsse-nio-8443-exec-8, fatal error: 42: null cert chain
javax.net.ssl.SSLHandshakeException: null cert chain
%% Invalidated:  [Session-4, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
https-jsse-nio-8443-exec-8, SEND TLSv1.2 ALERT:  fatal, description = bad_certificate

So the certificate chain of the certificate is empty.

But inspecting the certificate on the client, it's pointing out that there is a certificate chain.

[screenshot of the certificate chain shown on the client]

I am confused, why is the certificate chain not transported to the server?

Grim asked Nov 07 '22 11:11


1 Answer

You can copy the full certificate chain like the following.

Key key = keystore.getKey(keyAlias, clientKeyStorePassPhrase);
Certificate[] chain = keystore.getCertificateChain(keyAlias);
server.keystore.setKeyEntry(keyAlias, key, serverKeyStorePassPhrase, chain);

Refer - http://www.java2s.com/Code/Java/Security/Importakeycertificatepairfromapkcs12fileintoaregularJKSformatkeystore.htm for more details on how you can copy certificates from one keystore to another keystore.

Update -

Java API docs also suggest that keystore.getCertificate(keyAlias); returns only the first element of the certificate chain. Ref - https://docs.oracle.com/javase/8/docs/api/index.html?java/security/KeyStore.html

Ref - for more examples of loading certificate chain - https://www.pixelstech.net/article/1420427307-Different-types-of-keystore-in-Java----PKCS12

vsoni answered Nov 15 '22 05:11
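A worked version of the chain copy the answer describes, added here as an example (it is not the asker's or the answerer's code). It checks that the alias really is a key entry and that getCertificateChain returned more than the leaf, copies the entry with setKeyEntry, and adds the chain's anchor to the trust side with setCertificateEntry. The file names, aliases and password are placeholders, and both keystores are assumed to be PKCS12.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;

public class CopyKeyEntryWithChain {

    /** Copies the key entry at alias, full chain included; returns the chain length copied. */
    static int copyKeyEntry(KeyStore src, char[] srcKeyPass, String alias,
                            KeyStore dst, char[] dstKeyPass) throws Exception {
        if (!src.isKeyEntry(alias)) {
            throw new KeyStoreException("alias is not a key entry: " + alias);
        }
        Key key = src.getKey(alias, srcKeyPass);
        // getCertificateChain returns the leaf first, then its issuers.
        // getCertificate(alias) would return only chain[0], which is why the
        // question's copy ends up without a chain.
        Certificate[] chain = src.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            throw new KeyStoreException("no certificate chain for alias: " + alias);
        }
        if (chain.length == 1) {
            System.err.println("warning: chain for " + alias + " holds only the leaf certificate");
        }
        dst.setKeyEntry(alias, key, dstKeyPass, chain);
        return chain.length;
    }

    /** Adds the last element of the chain (the issuer/anchor) as a trusted certificate entry. */
    static void trustChainAnchor(KeyStore trust, String alias, Certificate[] chain) throws KeyStoreException {
        trust.setCertificateEntry(alias, chain[chain.length - 1]);
    }

    static KeyStore load(String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pass); }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        char[] pass = "changeit".toCharArray();                 // placeholder password
        KeyStore client = load("client.p12", pass);             // placeholder paths
        KeyStore server = load("server.p12", pass);
        int n = copyKeyEntry(client, pass, "client", server, pass);
        System.out.println("copied chain of length " + n);
        trustChainAnchor(server, "client-ca", client.getCertificateChain("client"));
        try (FileOutputStream out = new FileOutputStream("server.p12")) { server.store(out, pass); }
    }
}
```

If the server only has to validate client certificates, the trusted-entry step alone is sufficient; the key entry is only needed where the server must present that certificate itself.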