0
votes

The keystore contains the CA, the certificate, and the private key.

bash:$ keytool -list -keystore my.keystore 
Enter keystore password:  

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 6 entries

xyz-server-ca, Nov 12, 2015, trustedCertEntry, 
Certificate fingerprint (SHA1): F1:94:1E:B3:C1:E7:7E:54:DA:6B:12:35:26:AA:4C:DE:46:D6:45:3F
xyz-key, Nov 12, 2015, PrivateKeyEntry, 
Certificate fingerprint (SHA1): 81:45:05:29:15:26:0C:0E:71:EB:E0:1F:3E:1C:D8:FE:C6:8D:78:69
xyz-root-ca, Nov 12, 2015, trustedCertEntry, 
Certificate fingerprint (SHA1): 67:D6:A8:37:AD:16:15:31:6D:55:78:02:F2:FA:AB:7A:2A:75:F0:DF
server, Nov 12, 2015, trustedCertEntry, 
Certificate fingerprint (SHA1): 
xyz-root-ca1, Nov 12, 2015, trustedCertEntry, 
Certificate fingerprint (SHA1): 67:D6:A8:37:AD:36:15:31:6D:55:78:02:F2:FA:AB:7A:2A:75:F0:DF
server, Nov 12, 2015, trustedCertEntry, 
Certificate fingerprint (SHA1): 

When I try to view the certificate chain using openssl, it doesn't return the whole chain; instead it just returns the server certificate and one CA file.

openssl s_client -host 127.0.0.1 -port 443 -prexit -showcerts

---
Certificate chain
 0 s:/C=EU/ST=I/L=Du/O=Inc./OU=Foot/CN=example.com
   i:/C= EU/O=I/OU=Du/CN=Servers CA
1
Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See What topics can I ask about here in the Help Center. Perhaps Super User or Unix & Linux Stack Exchange would be a better place to ask. Also see Where do I post questions about Dev Ops? - jww

1 Answer

0
votes

It is expected behavior. When making an SSL handshake, the server responds with its own SSL certificate and all CA certificates in the chain *except the root certificate*. A reference from RFC 5246 §7.4.2:

certificate_list This is a sequence (chain) of certificates. The sender's certificate MUST come first in the list. Each following certificate MUST directly certify the one preceding it. Because certificate validation requires that root keys be distributed independently, the self-signed certificate that specifies the root certificate authority MAY be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case.

In other words, it is good practice NOT to send the root certificate (which is presented in self-signed form) during SSL negotiation.
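As an added illustration, not part of the answer above: a small Python check that parses the `Certificate chain` summary lines from `openssl s_client -showcerts` output, verifies that each certificate's subject matches the issuer of the one before it, and reports whether the self-signed root was sent. The sample output below is constructed, not captured from a real server; a missing root is the expected case from the RFC, while a gap between two consecutive certificates is the misconfiguration worth fixing.

```python
import re

# Constructed sample of the "Certificate chain" block that
# `openssl s_client -showcerts` prints (not captured from a real server):
# server cert, then the intermediate CA, with the self-signed root
# omitted as RFC 5246 §7.4.2 allows.
CHAIN_ROOT_OMITTED = """\
---
Certificate chain
 0 s:/C=EU/ST=I/L=Du/O=Inc./OU=Foot/CN=example.com
   i:/C=EU/O=I/OU=Du/CN=Servers CA
 1 s:/C=EU/O=I/OU=Du/CN=Servers CA
   i:/C=EU/O=I/CN=Root CA
---
"""

# Same chain from a (constructed) server that also sends the root.
CHAIN_ROOT_INCLUDED = CHAIN_ROOT_OMITTED.rstrip("-\n") + (
    "\n 2 s:/C=EU/O=I/CN=Root CA\n   i:/C=EU/O=I/CN=Root CA\n---\n")

# One "N s:<subject>" line followed by its "i:<issuer>" line.
ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)

def parse_chain(text):
    """Return [(depth, subject, issuer), ...] in the order sent."""
    return [(int(d), s.strip(), i.strip()) for d, s, i in ENTRY.findall(text)]

def check_chain(text):
    """Verify each cert certifies the one before it; report if root was sent.

    A missing root is normal (the client must already trust it). A gap
    between consecutive certificates means an intermediate is missing from
    the server's configuration, which is the real misconfiguration.
    """
    certs = parse_chain(text)
    if not certs:
        raise ValueError("no 'Certificate chain' entries found")
    problems = []
    for (depth, subject, _), (_, _, prev_issuer) in zip(certs[1:], certs):
        if subject != prev_issuer:
            problems.append(f"cert {depth} does not certify cert {depth - 1}")
    last_subject, last_issuer = certs[-1][1:]
    return {
        "depth": len(certs),
        "linked": not problems,
        "problems": problems,
        "root_sent": last_subject == last_issuer,  # last entry is self-signed
    }
```

To use it on a live server, pipe the output of `openssl s_client -connect host:443 -showcerts` into `check_chain`; `root_sent` being `False` with `linked` being `True` is the normal result described in the answer.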