There is a server that is only sending its own certificate and none of its issuers in the chain (note: it's not self-signed).
When I connect to this server in Google Chrome and I view the certificate I see the full chain in the Certification Path tab, but when I try to connect to this server with Java and I use -Djavax.net.debug=SSL I only see the server's own certificate.
I noticed that there is an extension on this certificate called "Authority Info Access" that has a field "Alternative Name" with a URL pointing to the issuer's certificate. I believe Chrome (or Windows maybe) is "aware" of this extension and Java is not "aware"; is there a way to use this in Java? (Preferably without extra classes, but I realize there may be no simple way if it's not built in.)
If I only add the root certificate to Java's cacerts then I am unable to perform the TLS handshake (since the server only sends its own certificate and the root did not issue it, an intermediate did). This server is out of my control, I cannot make it send intermediate certificates. Since Chrome is able to resolve the intermediate ones (through AIA I suppose) I would suspect there may be a way to do this in Java without adding the intermediate certificate to the cacerts file, only the root, but I don't know how to make Java use this AIA extension to get the intermediate certificates.
You need to set the relevant system property to enable your Java app to download intermediate certificates of the root.
System.setProperty("com.sun.security.enableAIAcaIssuers", "true");
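A way to check that the property actually takes effect, as an added example that is not part of the original answer (the file names and the trust store password are assumptions): it builds a PKIX path from the server's leaf certificate alone against a trust store that holds only the root, which is the same validation the default JSSE trust manager performs during the handshake.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class AiaChainCheck {
    public static void main(String[] args) throws Exception {
        // Set before any PKIX/JSSE class loads: the flag is read once into a static field,
        // so setting it after the first TLS connection has no effect (passing
        // -Dcom.sun.security.enableAIAcaIssuers=true on the command line avoids the ordering issue).
        System.setProperty("com.sun.security.enableAIAcaIssuers", "true");

        // Trust store containing only the root CA (assumed file name and password).
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream("root-only.jks")) {
            trust.load(in, "changeit".toCharArray());
        }

        // The leaf certificate exactly as the server sends it, saved to a file (assumed name).
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate leaf;
        try (InputStream in = new FileInputStream("server-leaf.pem")) {
            leaf = (X509Certificate) cf.generateCertificate(in);
        }

        // Ask the PKIX builder for a path from this leaf to one of the trust anchors.
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        PKIXBuilderParameters params = new PKIXBuilderParameters(trust, target);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Collections.singletonList(leaf))));
        params.setRevocationEnabled(false); // diagnostic only; leave revocation on in production

        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) builder.build(params);

        // With AIA fetching enabled the path now includes the intermediate downloaded from the
        // caIssuers URL; with it disabled, build() throws CertPathBuilderException instead.
        for (Certificate c : result.getCertPath().getCertificates()) {
            System.out.println("path: " + ((X509Certificate) c).getSubjectX500Principal());
        }
        System.out.println("anchor: " + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
    }
}
```

The fetch is an outbound HTTP request to whatever URL the certificate's AIA extension names, so the JVM needs network access to that host (and any proxy settings) for the handshake to succeed.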