Tomcat SSL using Azure KeyVault client for Java not sending full chain, are we missing some configuration?

Frank Long (Design Laboratory Inc) 10 Reputation points Microsoft Vendor
2023-06-06T19:21:00.57+00:00

We have a website that is served via Tomcat and uses the Azure Key Vault client to read the most recent auto-renewing SSL certificate from the vault. The site is serving up the leaf certificate only, and not sending the rest of the chain (per OpenSSL). Are we missing some configuration?

We are following the steps outlined in these learn.microsoft.com articles and using the example for a system-assigned managed identity on a Windows Server Azure VM, under Tomcat 9:

https://learn.microsoft.com/en-us/azure/developer/java/fundamentals/java-azure-keyvault-ssl-integration-jvm

https://learn.microsoft.com/en-us/azure/developer/java/fundamentals/java-azure-keyvault-tomcat-integration?tabs=windows

We are verifying the certificates delivered using OpenSSL, e.g.

openssl s_client -connect "our.site.com:443"

In the section "Certificate chain" we see just one certificate "0".

Comparing this to other sites using the same chain, we see two certificates there: the site's and the intermediary's.

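The manual check the question describes (reading the "Certificate chain" section of `openssl s_client` output and counting entries) can be automated so the leaf-only case is flagged before a browser or Java client reports "unable to get local issuer certificate". The script below is an added example, not code from the original question or from the Azure Key Vault JCA provider. The two transcripts embedded in it are constructed to mirror `openssl s_client` output; `our.site.com`, `other.site.com` and the "Example CA" names are placeholders, not real hosts or issuers.

```python
"""Parse the "Certificate chain" section of `openssl s_client` output and
flag a server that sends only its leaf certificate.

Added example, not from the original question. The transcripts below are
constructed; host and CA names are placeholders.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass


@dataclass
class ChainCert:
    index: int
    subject: str
    issuer: str


# Constructed: the situation the question describes (leaf only, no intermediate).
LEAF_ONLY = """\
CONNECTED(00000003)
depth=0 CN = our.site.com
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = our.site.com
   i:C = US, O = Example CA, CN = Example Intermediate R1
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIB...
-----END CERTIFICATE-----
"""

# Constructed: a correctly configured site sending leaf plus intermediate.
FULL_CHAIN = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = other.site.com
   i:C = US, O = Example CA, CN = Example Intermediate R1
 1 s:C = US, O = Example CA, CN = Example Intermediate R1
   i:C = US, O = Example CA, CN = Example Root X1
---
"""

# " 0 s:<subject>" and "   i:<issuer>" lines as printed by s_client.
_SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.*)$")
_ISSUER = re.compile(r"^\s+i:(.*)$")


def parse_chain(s_client_output: str) -> list[ChainCert]:
    """Return the certificates the server sent, in the order s_client lists them."""
    certs: list[ChainCert] = []
    in_chain = False
    pending: tuple[int, str] | None = None
    for line in s_client_output.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
            continue
        if not in_chain:
            continue
        if line.strip() == "---":  # separator that closes the chain section
            break
        m = _SUBJECT.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2).strip())
            continue
        m = _ISSUER.match(line)
        if m and pending is not None:
            idx, subj = pending
            certs.append(ChainCert(idx, subj, m.group(1).strip()))
            pending = None
    return certs


def chain_problems(certs: list[ChainCert]) -> list[str]:
    """Explain why the sent chain would fail a client that lacks the intermediate."""
    problems: list[str] = []
    if not certs:
        return ["no certificates in 'Certificate chain' section"]
    leaf = certs[0]
    # A lone leaf that is not self-signed means the intermediate was never sent.
    if len(certs) == 1 and leaf.issuer != leaf.subject:
        problems.append(
            f"server sent only the leaf ({leaf.subject}); its issuer "
            f"'{leaf.issuer}' is missing from the chain"
        )
    # Each certificate should be issued by the one that follows it.
    for cur, nxt in zip(certs, certs[1:]):
        if cur.issuer != nxt.subject:
            problems.append(
                f"cert {cur.index} issued by '{cur.issuer}' but cert {nxt.index} "
                f"is '{nxt.subject}': chain has a gap or is out of order"
            )
    return problems


def main() -> None:
    # Pipe real output in: openssl s_client -connect host:443 </dev/null | python3 check_chain.py
    samples = {"stdin": sys.stdin.read()} if not sys.stdin.isatty() else {
        "leaf-only sample": LEAF_ONLY,
        "full-chain sample": FULL_CHAIN,
    }
    for name, text in samples.items():
        certs = parse_chain(text)
        print(f"{name}: {len(certs)} certificate(s) sent")
        for p in chain_problems(certs) or ["chain looks complete up to the last sent cert"]:
            print(f"  - {p}")


if __name__ == "__main__":
    main()
```

The parser treats the subject and issuer as opaque strings, so it works with both the `CN = host` style printed by OpenSSL 1.1.1 and later and the older `/CN=host` style. Note that it can only judge what the server sent: a chain that stops at a non-self-signed intermediate is normal (servers usually omit the root), so the check is "does every sent certificate link to the next", not "does the chain reach a trusted root".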