Solution ID : SO17379

Last Modified : 05/02/2018

Certificate installed on Tomcat not trusted by Safari

Problem

Safari requires that Tomcat not send the root certificate, because it wants to use its own copy of the root from the browser.

Cause

Unknown Safari bug

Solution

Import the certificate with its intermediates, but leave out the -trustcacerts switch when importing.

Example:

keytool -import -alias tomcat -file cert.p7b -keystore [keystorename]
 

Keytool will then prompt with "... is not trusted. Install reply anyway? [no]:"

Type "y" and press Enter; keytool should then say:

Certificate reply was installed in keystore

That means only the certificate and its intermediate will be in the chain, and all browsers will use the root they already have to build the chain and trust the certificate.
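
To confirm the result after the import, the following added example (not part of the original article) reads `keytool -list -v` output and reports the chain length and whether a self-signed root (Owner equal to Issuer) is stored in the chain. The function names and the sample listings are constructed for illustration, the listings are trimmed to the lines the check reads, and English keytool output is assumed.

```shell
#!/bin/sh
# Added example, not from the original article.
# Real use (keytool prompts for the keystore password):
#   keytool -list -v -alias tomcat -keystore [keystorename] | chain_report

# Reads `keytool -list -v` text on stdin and prints one line:
#   length=<n> root=<yes|no>
# root=yes means a certificate in the chain has Owner == Issuer,
# i.e. a self-signed root is stored with the key entry.
chain_report() {
  awk '
    /^Certificate chain length: / { len = $4 }
    /^Owner: /  { owner = substr($0, 8) }
    /^Issuer: / { if (substr($0, 9) == owner) root = "yes" }
    END { printf "length=%d root=%s\n", len, (root == "" ? "no" : root) }
  '
}

# Constructed sample: certificate plus intermediate, no root.
sample_without_root() {
  cat <<'EOF'
Certificate chain length: 2
Certificate[1]:
Owner: CN=www.example.com, O=Example Org
Issuer: CN=Example Intermediate CA, O=Example CA
Certificate[2]:
Owner: CN=Example Intermediate CA, O=Example CA
Issuer: CN=Example Root CA, O=Example CA
EOF
}

# Constructed sample: the same chain with the root included.
sample_with_root() {
  cat <<'EOF'
Certificate chain length: 3
Certificate[1]:
Owner: CN=www.example.com, O=Example Org
Issuer: CN=Example Intermediate CA, O=Example CA
Certificate[2]:
Owner: CN=Example Intermediate CA, O=Example CA
Issuer: CN=Example Root CA, O=Example CA
Certificate[3]:
Owner: CN=Example Root CA, O=Example CA
Issuer: CN=Example Root CA, O=Example CA
EOF
}

sample_without_root | chain_report   # length=2 root=no
sample_with_root | chain_report      # length=3 root=yes
```

A report of `length=1 root=yes` on a real keystore means the entry still holds only its original self-signed certificate and the certificate reply has not been installed.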