Does a truststore also need a CA's certificate to authenticate?

Question

I am using WSO2 ESB 4.0.0 and Application Server 4.1.0 to talk with each other over SSL. Both have been configured with the same keystore. Both are on different servers. The reason for this is so that WSAS only communicates with the ESB. My certificate is not self-signed.

My question is; for WSAS to only communicate with the ESB, do I also need to import the CA's certificate into WSAS's truststore? I believe this will complete the trust chain?

If I do not import the CA's certificate, I get the following in my WSAS log:

INFO   | jvm 1    | 2011/11/16 15:56:21 | javax.net.ssl.SSLHandshakeException: null cert chain
INFO   | jvm 1    | 2011/11/16 15:56:21 |   at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:1015)
INFO   | jvm 1    | 2011/11/16 15:56:21 |   at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:480)
INFO   | jvm 1    | 2011/11/16 15:56:21 |   at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1120)
INFO   | jvm 1    | 2011/11/16 15:56:21 |   at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1092)
INFO   | jvm 1    | 2011/11/16 15:56:21 |   at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:452)

Thank you

Answer 1

You will need the certificate if your certificate issuer is an intermediate certificate authority like GoDaddy or something. The intermediate certificate establishes a cert-chain from your cert up through your untrusted intermediate CA and eventually terminating (hopefully) at a trusted root certificate authority.

Answer 2

All certificates in the certificate chain have to be available to the Java code that is validating the chain. If you have a publicly purchased Certificate, then it is very likely that the root and intermediate CAs are already in the list of trusted CA Certs that Java uses. If not, then you will need to add them to your truststore.