
Solution ID : SO17379

Certificate installed on Tomcat not trusted by Safari


Safari requires that Tomcat not send the root certificate, because it wants to use the root it already has in the browser.


Unknown Safari bug


Import the certificate with its intermediates, but leave out the -trustcacerts switch when importing.


keytool -import -alias tomcat -file cert.p7b -keystore [keystorename]

Keytool will then prompt with "... is not trusted. Install reply anyway? [no]:"

Type "y" and hit enter and keytool should then say:

Certificate reply was installed in keystore

That means only the certificate and its intermediate will be in the chain, and all browsers will use the root they already have to build the chain and trust the certificate.
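
To confirm the result, the chain stored under the alias can be checked for a self-signed root. The script below is an added example, not part of the original solution: it assumes the line layout of a `keytool -list -v` listing (Alias name, Certificate[n], Owner, Issuer) and treats Owner equal to Issuer as a root. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# chain_roots ALIAS: reads `keytool -list -v` text on stdin and prints
# "position<TAB>owner" for every certificate in that alias's chain whose
# Owner equals its Issuer (self-signed, so a root).
# Exit status: 0 = no root in the chain, 1 = a root is being sent.
# Comparing Owner to Issuer is a heuristic, not a signature check.
chain_roots() {
    awk -v alias="$1" '
        /^Alias name: / { in_alias = ($0 == ("Alias name: " alias)); idx = 0 }
        !in_alias { next }
        /^Certificate\[[0-9]+\]:/ { idx++; owner = ""; next }
        idx && /^Owner: /  { owner = substr($0, 8) }
        idx && /^Issuer: / { if (owner != "" && owner == substr($0, 9)) { print idx "\t" owner; found = 1 } }
        END { exit found ? 1 : 0 }
    '
}

# Constructed sample listing (names are made up), trimmed to the lines
# the check reads. This is the chain Safari rejects: the root is included.
sample_with_root() {
cat <<'EOF'
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=www.example.test, O=Example
Issuer: CN=Example Intermediate CA, O=Example
Certificate[2]:
Owner: CN=Example Intermediate CA, O=Example
Issuer: CN=Example Root CA, O=Example
Certificate[3]:
Owner: CN=Example Root CA, O=Example
Issuer: CN=Example Root CA, O=Example
EOF
}

# The same listing after importing without the root: leaf + intermediate only.
sample_without_root() {
    sample_with_root | sed -e 's/length: 3/length: 2/' -e '/^Certificate\[3\]/,$d'
}

# Real use (KEYSTORE is a placeholder for your keystore file):
#   keytool -list -v -keystore KEYSTORE | chain_roots tomcat
```

Entries of type trustedCertEntry are ignored because they carry no `Certificate[n]:` lines; only the chain attached to the private key entry is what Tomcat sends.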