tomcat does not check the entire certificate chain

Question

I have a server running in tomcat6 and it needs to trust client certificates. I have configured a truststore through HttpConnector "truststoreFile" attribute.

The client certificate is signed by a intermediate certificate and intermediated is signed by a root certificate. All three are sample certs created using openssl.

I have included only client certificate and intermediate certificate in the truststore of server and client is able to communicate to server with only these two. Isn't the root certificate needed to be in server's truststore for the server to trust the client certificate.

Answer 1

If you already added that root certificate to your client application (e.g. browser) or Operating System trusted certificates, your client may trust the intermediate and client certificates presented by Tomcat.