I created an SSL server cert at CAcert. When I try to fetch a page from this server from a Java program (below), I get
Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: CA key usage check failed: keyCertSign bit is not set
Anyone know what might be causing this?
keytool -keystore /etc/ssl/certs/java/cacerts -list
.*.an.example.com
(real domain redacted). Here's the Java code I'm using to test:
class Test {
    public static void main(String[] args) throws Exception {
        // openStream() performs the TLS handshake, which is where the exception is thrown
        java.net.URL url = new java.net.URL(args[0]);
        java.io.InputStream s = url.openStream();
        s.close();
    }
}
The full stack trace doesn't appear to add any useful information.
The keytool(1) manpage does mention
Extensions can be marked critical to indicate that the extension should
be checked and enforced/used. For example, if a certificate has the
KeyUsage extension marked critical and set to "keyCertSign" then if this
certificate is presented during SSL communication, it should be rejected,
as the certificate extension indicates that the associated private key
should only be used for signing certificates and not for SSL use.
but I checked the cert, and while the "Certificate Key Usage" extension does say "Signing", it is also marked "Not Critical".
Sorry, I don't wish to reveal my domain name or cert, but I can probably spin up a server for testing if necessary.
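The error in the question comes from the PKIX validator's CA key usage check: RFC 5280 section 6.1.4 requires that, when a CA certificate in the chain carries a KeyUsage extension at all, its keyCertSign bit is set, and BasicConstraints must mark it as a CA. Whether the extension is critical does not matter to that check, and it applies to the CA certificates in the path, not to the server's own certificate. The following program, an added example that is not part of the original post, applies the same two tests to every certificate it is given, either a PEM/DER file or the trusted entries of a truststore such as the cacerts file the asker listed with keytool. The class name, the file paths and the password "changeit" (the JDK default for cacerts) are assumptions for illustration; the truststore loader uses KeyStore.getInstance(File, char[]), which needs Java 9 or later.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;

/**
 * Added diagnostic (not from the original post): reports, for each X.509
 * certificate, whether the PKIX validator would accept it as a CA.
 *
 * Usage (assumed paths):
 *   java CaKeyUsageCheck ca-or-chain.pem
 *   java CaKeyUsageCheck /etc/ssl/certs/java/cacerts changeit
 */
public class CaKeyUsageCheck {

    // Position of keyCertSign in the boolean[] from getKeyUsage(), in RFC 5280
    // bit order: digitalSignature(0), nonRepudiation(1), keyEncipherment(2),
    // dataEncipherment(3), keyAgreement(4), keyCertSign(5), cRLSign(6), ...
    static final int KEY_CERT_SIGN = 5;
    static final String KEY_USAGE_OID = "2.5.29.15";

    /** The PKIX "CA key usage check": passes when KeyUsage is absent or keyCertSign is set. */
    static boolean hasKeyCertSign(X509Certificate cert) {
        boolean[] ku = cert.getKeyUsage();          // null when the extension is absent
        return ku == null || (ku.length > KEY_CERT_SIGN && ku[KEY_CERT_SIGN]);
    }

    /** True when BasicConstraints marks the certificate as a CA (-1 means "not a CA"). */
    static boolean isCa(X509Certificate cert) {
        return cert.getBasicConstraints() != -1;
    }

    /** One-line verdict per certificate, phrased like the validator's own error. */
    static String describe(String label, X509Certificate cert) {
        Set<String> critical = cert.getCriticalExtensionOIDs();
        String kuText = cert.getKeyUsage() == null ? "absent"
                : (critical != null && critical.contains(KEY_USAGE_OID)) ? "critical" : "not critical";
        String verdict = !isCa(cert) ? "not a CA (BasicConstraints)"
                : hasKeyCertSign(cert) ? "OK as CA"
                : "CA key usage check would FAIL: keyCertSign bit is not set";
        return String.format("%s: subject=%s keyUsage=%s -> %s",
                label, cert.getSubjectX500Principal().getName(), kuText, verdict);
    }

    /** Loads every certificate in a PEM or DER file (a file may hold a whole chain). */
    static List<X509Certificate> loadCertFile(File f) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> out = new ArrayList<>();
        try (InputStream in = new FileInputStream(f)) {
            for (Certificate c : cf.generateCertificates(in)) {
                out.add((X509Certificate) c);
            }
        }
        return out;
    }

    /** Checks the trusted-certificate entries of a JKS or PKCS12 truststore (format auto-detected, Java 9+). */
    static List<String> checkTrustStore(File f, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(f, password);
        List<String> report = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                report.add(describe(alias, (X509Certificate) ks.getCertificate(alias)));
            }
        }
        return report;
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 0) {
            System.err.println("usage: CaKeyUsageCheck <cert-file> | <truststore> <password>");
            System.exit(2);
        }
        File f = new File(args[0]);
        List<String> lines = new ArrayList<>();
        if (args.length >= 2) {
            lines = checkTrustStore(f, args[1].toCharArray());
        } else {
            int i = 0;
            for (X509Certificate c : loadCertFile(f)) {
                lines.add(describe("cert[" + (i++) + "]", c));
            }
        }
        lines.forEach(System.out::println);
    }
}
```

Run it against the CA certificate (or the full chain) you installed in cacerts rather than against the server certificate: an entry that prints "keyCertSign bit is not set" is the one the validator rejects, and reissuing that CA certificate with keyCertSign (and cA=TRUE) is the fix, which matches the resolution reported at the end of this thread.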
Here we see how to import certificates into the cacerts keystore file in Java. Certificates are imported one at a time with keytool; they usually have a .cer (or .crt/.pem) extension. Application servers such as WebSphere and WebLogic keep their keystore in a file with the .jks extension; JKS stands for Java KeyStore.
In case of cacert.org, they are presenting a self-signed certificate and that's why your browser complains. There is no trust chain that leads from the certificate to a root CA that you trust. If you were using a Linux distribution that comes with their certificate pre-installed, you wouldn't see a warning.
cacerts is the JRE's CA truststore file. When importing a certificate into cacerts with keytool -importcert, the relevant options are: -trustcacerts, which tells keytool to consider the CA certificates already in cacerts when establishing the chain of trust for the certificate being imported (read it as "trust the CA certs"); and -alias, the name that identifies each entry in the keystore.
Turned out to be a problem with the cert itself. Folks at CAcert.org fixed it. Yay!