Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Why does java choke on cert made at cacert.org: "keyCertSign bit is not set"?

Tags:

java

ssl

I created an SSL server cert at CAcert. When I try to fetch a page from this server from a Java program (below), I get

Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: CA key usage check failed: keyCertSign bit is not set

Anyone know what might be causing this?

  • I've tried creating certs signed by both their class 1 and class 3 root certs, same result.
  • The error does not occur when I try to fetch pages from two other sites that use CAcert.org certs: https://www.cacert.org and https://pause.perl.org (leading me to believe that the root & class 3 certs from cacert.org are properly installed on my system).
  • I can see the cacert.org certs in keytool -keystore /etc/ssl/certs/java/cacerts -list.
  • Yes, I know few web browsers are shipped with cacert.org root and class 3 certs.
  • The cert is a wildcard cert for *.an.example.com (real domain redacted).

Here's the Java code I'm using to test:

class Test {
    public static void main(String args[]) throws Exception {
        java.net.URL url = new java.net.URL(args[0]);
        java.io.InputStream s = url.openStream();
    }
}

The full stack trace doesn't appear to add any useful information.

The keytool(1) manpage does mention

Extensions can be marked critical to indicate that the extension should
be checked and enforced/used. For example, if a certificate has the
KeyUsage extension marked critical and set to "keyCertSign" then if this
certificate is presented during SSL communication, it should be rejected,
as the certificate extension indicates that the associated private key
should only be used for signing certificates and not for SSL use.

but I checked the cert, and while the "Certificate Key Usage" extension does say "Signing", it is also marked "Not Critical".

Sorry, I don't wish to reveal my domain name or cert, but I can probably spin up a server for testing if necessary.

like image 340
Adam Monsen Avatar asked Nov 18 '11 08:11

Adam Monsen

People also ask

How to import certificates to the cacerts keystore file in Java?

Here we are going to see how to Import Certificates to the Cacerts Keystore file in Java. For importing certificates you have to add certificates one by one into the Keystore file. The certificates may have .cer extension. Application Servers like WebSphere and WebLogic will have the keystore file with .jks extension. jks stands for Java Keystore.

Why does CAcert give me a certificate warning?

In case of cacert.org, they are presenting a self-signed certificate and that's why your browser complains. There is no trust chain that leads from the certificate to a root CA that you trust. If you were using a Linux distribution that comes with their certificate pre-installed, you wouldn't see a warning.

How to install certificates to cacerts?

Cacerts is a CA keystore file. To install certificates to cacerts you have the following options, trustcacerts - trustcacerts means trusted certificates. It can be read as trusted ca certs. alias - Each certificate in the cacerts keystore file is identified by alias

What is the difference between JKS file and cacerts file?

Application Servers like WebSphere and WebLogic will have the keystore file with .jks extension. jks stands for Java Keystore. Cacerts is a CA keystore file. To install certificates to cacerts you have the following options, trustcacerts - trustcacerts means trusted certificates. It can be read as trusted ca certs.

1 Answers

Turned out to be a problem with the cert itself. Folks at CAcert.org fixed it. Yay!

like image 200
Adam Monsen Avatar answered Oct 08 '22 05:10

Adam Monsen
Sign in to Comment

Related questions

Java SSLException: hostname in certificate didn't match for www.googleapis.com
Java: JAXB: Marshelling of JAXBElement<Calendar> to xs:date not correct
Convert DataInput to DataInputStream?
Trouble using java class within jruby
Unable to get all network interfaces with NetworkInterface.getNetworkInterfaces on Linux
Converting report templates RPT/RDL to JRXML/Jasper Reports?
Future<V> and Exception
What's the Ideal Way to Define Singular vs Plural Gets in a Storage API?
Does Aries managed-service-factory also manage properties?
Error building Stanford CoreNLP
When will a servlet container interrupt my thread?
Type API variable-resolver is deprecated after JSF 1.1. Use el-resolver instead
How to run a plugin only for "war" package type in Maven?
I need to implement an array hashtable that works without initializing the array to null at the start. Any clue how to do that?
How can I work around this apparent EhCache deadlock?
Installing Eclipse on Linux - Screen for GtkWindow not set
Using SwingEventMonitor to monitor other applications?
Efficiently determining the IDs of entities referenced via OneToMany relationship
Getting network info in Java on Windows and Linux platforms
ORA-02289: sequence does not exist when upgrade Hibernate 3 to hibernate 4

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!