How to Configure Oracle iPlanet Web Server To Prevent It From Sending The Root CA Certificate In The Certificate Chain
(Doc ID 1416075.1)
Last updated on OCTOBER 19, 2018
Applies to: Oracle iPlanet Web Server - Version 6.1 to 7.0 [Release 6.1 to 7.0]
Information in this document applies to any platform.
***Checked for relevance on 23-Dec-2013***
This document describes how to configure the Web Server to prevent the HTTPS/SSL response from sending the root certificate during the SSL handshake.
In iPlanet Web Server 6.x and 7.x, an HTTPS listener is configured with an SSL certificate identified by a certificate nickname such as "Server-Cert". This nickname typically refers to an SSL server certificate that is stored in an SSL certificate store.
This certificate store is normally loaded with the Intermediate Certificate Authority that issued the SSL server cert as well as a trusted root Certificate Authority (CA).
A "Root Certificate Authority" certificate is one whose "Subject" attribute is the same as its "Issuer". For example, the following is a sample root CA certificate from VeriSign in which the issuer and subject can be seen to be the same.
G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=Ver
iSign Trust Network,O="VeriSign, Inc.",C=US"
Subject: "CN=VeriSign Class 3 Public Primary Certification Authority
- G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=Ve
riSign Trust Network,O="VeriSign, Inc.",C=US"
When an HTTPS/SSL client browser connects to the Web Server, the SSL handshake includes a step in which the server's response returns the following to the client:
- the SSL server certificate (the "Server-Cert")
- its SSL certificate chain (this may contain a few X509 certificates)
- the root CA certificate (if this is present in the certificate trust store)
iPlanet Web Server 6.x and 7.x will return the SSL server certificate and the chain if it can build a certificate chain for the SSL server certificate from the certificates in its SSL certificate store.
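To confirm from the client side whether a listener is sending the root CA, the following added example (not part of the Oracle document) parses the "Certificate chain" section printed by `openssl s_client -showcerts` and reports every certificate whose subject equals its issuer, which is the root CA definition used above. The sample output, host names and function names are constructed for illustration.

```python
import re

# Constructed sample: the "Certificate chain" section as printed by
# `openssl s_client -connect host:443 -showcerts` (PEM bodies omitted).
SAMPLE_WITH_ROOT = """\
Certificate chain
 0 s:/C=US/O=Example Corp/CN=www.example.com
   i:/C=US/O=Example Trust/CN=Example Intermediate CA
 1 s:/C=US/O=Example Trust/CN=Example Intermediate CA
   i:/C=US/O=Example Trust/CN=Example Root CA
 2 s:/C=US/O=Example Trust/CN=Example Root CA
   i:/C=US/O=Example Trust/CN=Example Root CA
---
"""

SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")  # " 0 s:<subject DN>"
ISSUER_RE = re.compile(r"^\s+i:(.*)$")           # "   i:<issuer DN>"


def parse_chain(text):
    """Return [(depth, subject, issuer), ...] in the order the server sent them."""
    chain, pending = [], None
    for line in text.splitlines():
        m = SUBJECT_RE.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2).strip())
            continue
        m = ISSUER_RE.match(line)
        if m and pending:
            chain.append((pending[0], pending[1], m.group(1).strip()))
            pending = None
    return chain


def audit_chain(text):
    """Summarise what the server sent during the handshake."""
    chain = parse_chain(text)
    # Subject == Issuer marks a root CA (or a self-signed server cert at depth 0).
    root_depths = [d for d, subj, iss in chain if subj == iss]
    # Each certificate should be issued by the one that follows it.
    broken_links = [d for (d, _, iss), (_, nxt, _) in zip(chain, chain[1:])
                    if iss != nxt]
    return {"sent": len(chain), "root_depths": root_depths,
            "broken_links": broken_links}


if __name__ == "__main__":
    print(audit_chain(SAMPLE_WITH_ROOT))
```

An empty `root_depths` list after reconfiguration indicates the listener no longer sends the root CA; the comparison is on names only and does not verify signatures.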