SSL trust chains

Brian J. Sayatovic

I have a third-party HTTPS website I'm trying to hit from Java using
Sun's JSSE 1.0.3. Viewing the site in IE, I see the certificate path
like this:

VeriSign Class 3 Public Primary CA
|__www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
|__(the third party who I'll keep anonymous)


The error I initially got was "untrusted server cert chain". After
turning on some SSL debugging, it appears that the site is signed with
an older (but not yet expired) SSL certificate from Verisign.

So, I decided to make my own custom keystore. I exported the root
cert (VeriSign Class 3 Public Primary CA) from IE and imported it into
a custom keystore. I specified this as my trustStore using the
javax.net.ssl.trustStore system property. Again, I got the same
error: "untrusted server cert chain".

So, I then went back to my custom key store and added the middle cert
(www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign).
Using that same custom trustStore, now the code connects without
Exceptions.

So, I'm a bit confused. I can understand if the root Verisign cert
wasn't in the cacerts with JDK1.3.1_06, and that's why I added it.
But once I added just that root cert, I would've expected the site to
connect ok. After all, the site's cert was signed by somebody whose
cert was signed by somebody I trust.

Why did it only work when I added the immediate parent of the site's
cert? Shouldn't the "chain of trust" have traversed up to the parent which I
had already added?

Regards,
Brian.
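The behaviour described in the post can be reproduced outside the TLS handshake with the `java.security.cert` PKIX API, which is what JSSE's default trust manager uses. The program below is an added example, not code from the post or from Sun's JSSE; it assumes a Java 1.4 or newer JDK (the CertPath classes do not exist in JDK 1.3.1), a PEM file holding exactly the certificates the server presents (leaf first, hypothetical name `server-chain.pem`) and a JKS trust store such as the custom one named by `javax.net.ssl.trustStore`. PKIX validation checks each link of the presented path against the trusted entries; it does not go looking for an intermediate that is in neither the presented chain nor the store. So with only the root in the store and only the leaf presented, the path has a gap and is rejected, while adding the intermediate as a trusted entry closes the gap and the same path validates, which is what the post observed.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/**
 * Validates the certificate chain a server presents against a trust store,
 * applying the same PKIX rules JSSE applies during the TLS handshake.
 */
public class ChainCheck {

    /** Loads a JKS trust store (e.g. the one named by javax.net.ssl.trustStore). */
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Reads every PEM-encoded certificate in a file, in file order (leaf first). */
    static List<X509Certificate> loadPemChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    /**
     * Returns true only if the presented path (leaf first, without the trusted
     * root itself) ends at a certificate issued by one of the trusted entries
     * in the store. A missing intermediate is a gap: if the server sends only
     * its own certificate and the store holds only the root, validation fails.
     * The store must contain at least one trusted certificate entry, otherwise
     * the PKIXParameters constructor throws.
     */
    static boolean chainValidates(List<X509Certificate> presented, KeyStore trustStore)
            throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(presented);
        PKIXParameters params = new PKIXParameters(trustStore);
        // Assumption for this offline demo: no CRL or OCSP access, so skip revocation.
        params.setRevocationEnabled(false);
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        try {
            validator.validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            System.err.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: ChainCheck server-chain.pem truststore.jks password");
            System.exit(2);
        }
        List<X509Certificate> presented = loadPemChain(args[0]);
        KeyStore ts = loadTrustStore(args[1], args[2].toCharArray());
        for (X509Certificate c : presented) {
            System.out.println("presented: " + c.getSubjectX500Principal()
                    + "  issued by: " + c.getIssuerX500Principal());
        }
        System.out.println(chainValidates(presented, ts) ? "chain OK" : "chain NOT trusted");
    }
}
```

Run it once against a store holding only the VeriSign root and once against a store that also holds the intermediate; the printed issuer of each presented certificate shows where the link to a trusted entry is missing. The longer-term fix is on the server side, where the intermediate belongs in the configured chain so that clients with only the root can build the path themselves.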