Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Cacerts compatibility with java versions

Tags:

java

keytool

pkix

I am generating cacerts using JDK1.6 keytool.

Then I am using this cacerts file using JRE1.7, but I get exception like :

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
        at sun.security.ssl.Alerts.getSSLException(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
        at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
        at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
        at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
        at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
        at sun.security.ssl.Handshaker.processLoop(Unknown Source)
        at sun.security.ssl.Handshaker.process_record(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source)
        at com.sun.identity.setup.OpenSSOConfigurator.main(OpenSSOConfigurator.java:172)
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
        at sun.security.validator.PKIXValidator.doValidate(Unknown Source)
        at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
        at sun.security.validator.Validator.validate(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
        ... 12 more
Caused by: java.security.cert.CertPathValidatorException: signature check failed
        at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(Unknown Source)
        at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(Unknown Source)
        at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(Unknown Source)
        at java.security.cert.CertPathValidator.validate(Unknown Source)
        ... 18 more
Caused by: java.security.SignatureException: Signature does not match.
        at sun.security.x509.X509CertImpl.verify(Unknown Source)
        at sun.security.provider.certpath.BasicChecker.verifySignature(Unknown Source)
        at sun.security.provider.certpath.BasicChecker.check(Unknown Source)
        ... 22 more
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
        at sun.security.ssl.Alerts.getSSLException(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
        at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
        at sun.security.ssl.Handshaker.fatalSE(Unknown Source)2015-01-07 19:22:02 IST - ERROR: Problems - bootstrap file not created

Is this compatibility issue? Are cacerts generated using one version of java not compatible with another version of java?

like image 318
codingenious Avatar asked Jan 07 '15 14:01

codingenious


People also ask

How does Java use cacerts?

cacerts is where Java stores public certificates of root CAs. Java uses cacerts to authenticate the servers. Keystore is where Java stores the private keys of the clients so that it can share it to the server when the server requests client authentication.

What are cacerts in JDK?

The cacerts file represents a system-wide keystore with CA certificates. System administrators can configure and manage that file using keytool, specifying jks as the keystore type. The cacerts keystore file ships with several root CA certificates. The initial password of the cacerts keystore file is changeit .

Is Java cacerts a keystore or Truststore?

Java has bundled a truststore called cacerts, and it resides in the $JAVA_HOME/jre/lib/security directory. We can see here that the truststore contains 92 trusted certificate entries and one of the entries is the verisignclass2gca entry.

What format is cacerts?

The CACERTS file format The @alias directive following a BASE64 encoded X. 509 certificate can be used to add a new CA cert with this alias.


1 Answers

As already explained in another answer

The answer to your problem is you are using SUN as your keystore provider java 6 was released prior to oracle purchasing SUN and java 7 was released after and many of the Sun packages are now deprecated.

For full details read the official documentation: Java Cryptography Architecture Oracle Providers Documentation for Java Platform Standard Edition 7

like image 143
Ortomala Lokni Avatar answered Oct 11 '22 01:10

Ortomala Lokni