Reputation: 1517
I have a requirement where a single web app, which has multiple web services, needs SSL configured. But only one web service should have mutual SSL and rest have to be on one-way SSL.
For this, I have used:
<Connector SSLEnabled="true" acceptCount="100" clientAuth="want"
           disableUploadTimeout="true" enableLookups="false" maxThreads="25"
           port="8443" keystoreFile="somefolder\some-KeyStore.store" keystorePass="changeit"
           protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
           secure="true" sslProtocol="SSL"
           truststoreFile="somefolder\some-trustStore.jks"
           truststoreType="JKS" truststorePass="Changeit"/>
And in the code I use the code below in a filter for a service URL:
// Client chain presented during the TLS handshake; null when the client sent no certificate
X509Certificate[] certificates = (X509Certificate[]) request
        .getAttribute("javax.servlet.request.X509Certificate");
This checks whether the service that needs mutual SSL gets a certificate that is valid. So when that URL gets called, the servlet filter checks for the cert.
But the problem is that this works only for self-signed certs; when I use CA-signed certs, the above scriptlet returns null (i.e., no certs).
The cert algorithms are RSA and DSA types; is there any significance to this, or to the type of keystores and truststores?
Please let me know if I am missing anything, or if I need to use any other code for CA-signed certs. I really need CA certs in the requests.
Upvotes: 2
Views: 12577
Reputation: 1517
Thanks for the input,
But I figured it out. I did not import the cert chain in the truststore initially; I just had the CA cert there. Once I configured the CA certs, keystore and truststore properly, it fixed the issue.
It worked initially with self-signed certs because self-signed certs don't have cert chains.
Upvotes: 4
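As an added example (not code from the question or the answer above), here is a complete servlet filter that does what the question describes: with the Connector left at clientAuth="want", it lets one-way-TLS paths through untouched and requires a validated client chain only on the mutual-TLS service path. The null case is handled explicitly, because with "want" a missing certificate is legal at the handshake level and only the filter decides whether it is acceptable for a given URL. The path `/services/secure`, the class name and the `clientCertSubject` attribute are assumptions; the `javax.servlet.request.X509Certificate` attribute name is the one from the question.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Enforces mutual TLS on one service path while the rest of the web app stays on one-way TLS.
 * Assumes a Tomcat Connector with clientAuth="want": the client is asked for a certificate,
 * the chain (if offered) is validated against the Connector's truststore during the handshake,
 * and the validated chain is exposed to the application through the request attribute below.
 * Hypothetical class and path names; not taken from the question.
 */
public class MutualTlsFilter implements Filter {
    // Assumed path prefix of the single service that must present a client certificate.
    static final String MUTUAL_TLS_PATH = "/services/secure";
    static final String CERT_ATTRIBUTE = "javax.servlet.request.X509Certificate";

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // One-way TLS paths: no client certificate expected, pass straight through.
        if (!requiresClientCert(request.getServletPath())) {
            chain.doFilter(req, res);
            return;
        }

        // Mutual TLS path: the attribute is null when the client sent no certificate
        // (legal with clientAuth="want"), so treat null as "not authenticated".
        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTRIBUTE);
        String subject = validatedSubject(certs);
        if (subject == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }

        // Hand the authenticated subject DN to downstream code (assumed attribute name).
        request.setAttribute("clientCertSubject", subject);
        chain.doFilter(req, res);
    }

    /** True only for the service that needs mutual TLS. */
    static boolean requiresClientCert(String servletPath) {
        return servletPath != null && servletPath.startsWith(MUTUAL_TLS_PATH);
    }

    /**
     * Returns the leaf certificate's subject DN if Tomcat presented a chain whose leaf is
     * within its validity period; returns null for an absent, empty or expired chain.
     * Tomcat orders the chain leaf-first, so index 0 is the client's own certificate.
     */
    static String validatedSubject(X509Certificate[] certs) {
        if (certs == null || certs.length == 0) {
            return null;
        }
        X509Certificate leaf = certs[0];
        try {
            leaf.checkValidity(); // throws if not yet valid or expired
        } catch (CertificateException e) {
            return null;
        }
        return leaf.getSubjectX500Principal().getName();
    }
}
```

Map the filter to the whole app (url-pattern `/*`) in web.xml so it can make the per-path decision itself. The chain in the attribute is the one the Connector already validated against the truststore, which is why the answer's fix matters: if the truststore holds only the CA certificate and not the intermediates that issued the client certificate, the handshake cannot build a path and the attribute stays null, exactly the symptom in the question. On Tomcat 10 and later, the Servlet API moved to the `jakarta.servlet` package and the attribute is named `jakarta.servlet.request.X509Certificate`; the imports and `CERT_ATTRIBUTE` need that rename there.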