According to https://wiki.jasig.org/display/CASUM/X.509+Certificates,
After the Server sends the certificate that identifies itself, it can then send a list of names of Certificate Authorities from which it is willing to accept certificates.
I am wondering how to determine what this list is, and how to modify it.
The reason I am asking is that I am getting an infinite redirect between my server and my client after successful validation (i.e., the ticket stage), and I think it has to do with the CAS server not recognizing the CAS client’s certificate (the client’s certificate is self-signed).
If you want to see what this list is, you can use OpenSSL:
This will show various messages regarding the handshake, including the certificates and the list of CAs in the CertificateRequest message.

Ultimately, it’s determined by the active X509TrustManager’s getAcceptedIssuers() method. By default, this will be the list of Subject DNs of all your trust anchors (that is, the Subject DNs of all the certificates in your trust store).

Your client certificate will have to be verified by the server. This is normally done during the handshake by the trust manager, which (unless tweaked) will build a chain to a known CA (or at least a known cert, if it’s the user cert itself) in the trust store.

Adding your self-signed certificate to your trust store should be sufficient. It doesn’t have to be the cacerts file bundled with the JVM; you could make a copy of it and use the trust store settings of Apache Tomcat’s connector to set it up.
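As an added example (this is not part of the answer above and is not CAS or Tomcat code), the shell script below puts the two halves of the answer into runnable form: it pulls the "Acceptable client certificate CA names" block out of `openssl s_client` output, and it builds a separate trust store by copying the JVM's cacerts and importing the self-signed client certificate with keytool. The host and port arguments, the certificate and trust store paths, the `cas-client` alias and the constructed sample of s_client output are assumptions; `changeit` is the default password of the JVM's bundled cacerts file.

```shell
#!/bin/sh
# Added example, not from the original question or answer: inspect the CA list a
# TLS server sends in its CertificateRequest, and build a separate trust store that
# contains the self-signed client certificate. Host names, file names and the
# alias below are assumptions; "changeit" is the JVM's default cacerts password.

# Print only the Distinguished Names listed under "Acceptable client certificate
# CA names" in `openssl s_client` output (read from stdin). Prints nothing when
# the server sent no CA names ("No client certificate CA names sent").
extract_ca_names() {
    awk '
        /^Acceptable client certificate CA names/ { in_list = 1; next }
        in_list && (/^Client Certificate Types/ || /^---/ || /^No client certificate/) { in_list = 0 }
        in_list { print }
    '
}

# Ask a live server for a handshake and extract the CA list it advertises.
# A server only sends a CertificateRequest when it is configured to ask for
# client certificates (clientAuth="want" or "true" on a Tomcat connector).
list_accepted_cas() {
    host="$1"; port="$2"
    openssl s_client -connect "${host}:${port}" -servername "${host}" </dev/null 2>/dev/null \
        | extract_ca_names
}

# Copy the JVM's bundled cacerts and add the self-signed client certificate to
# the copy, so the server's X509TrustManager lists its Subject DN among the
# accepted issuers (getAcceptedIssuers() returns the DN of every trust anchor).
build_truststore() {
    client_cert="$1"   # PEM or DER certificate of the CAS client (assumed path)
    out="$2"           # new trust store file, e.g. /etc/cas/truststore.jks (assumed)
    cacerts="${JAVA_HOME:?set JAVA_HOME}/lib/security/cacerts"            # Java 9+ layout
    [ -f "$cacerts" ] || cacerts="${JAVA_HOME}/jre/lib/security/cacerts"  # Java 8 layout
    cp "$cacerts" "$out"
    keytool -importcert -noprompt -alias cas-client -file "$client_cert" \
        -keystore "$out" -storepass changeit
    # Confirm the entry landed: keytool -list shows one trustedCertEntry per anchor.
    keytool -list -keystore "$out" -storepass changeit | grep -i 'cas-client'
}

# Constructed sample of the relevant part of `openssl s_client` output, used
# when the script is run without arguments so the parser can be tried offline.
SAMPLE_SCLIENT_OUTPUT='---
Acceptable client certificate CA names
/C=US/O=Example/CN=Example Root CA
/C=US/O=Example/CN=cas-client.example.org
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
---
SSL handshake has read 2348 bytes and written 442 bytes'

if [ $# -ge 2 ]; then
    list_accepted_cas "$1" "$2"          # e.g. ./cas-trust.sh cas.example.org 8443
else
    printf '%s\n' "$SAMPLE_SCLIENT_OUTPUT" | extract_ca_names
fi
```

Once the trust store exists, point the HTTPS connector at it instead of the bundled cacerts, for example `<Connector port="8443" ... clientAuth="want" truststoreFile="/etc/cas/truststore.jks" truststorePass="changeit" />` (paths and password assumed; attribute names are those of the classic Tomcat connector). Re-running the script against the server afterwards should show the client certificate's Subject DN in the extracted list, which is the quickest check that the trust store change actually took effect; if the list is empty, the connector is not requesting client certificates at all.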