Date: Fri, 11 Dec 2020 10:57:11 -0500 From: "James B. Byrne" <byrnejb@harte-lyne.ca> To: freebsd-questions@freebsd.org Subject: FreeBSD-12.1p10 OpenJDK11 Java SSL certificate issue Message-ID: <fd636e819f797c2ddb9d50791b87b10a.squirrel@webmail.harte-lyne.ca>
next in thread | raw e-mail | index | archive | help
We have a requirement to use Java SSL authentication to a host that has its certificate created by a private CA. We have added the target's private intermediate and root certificates to the local cacerts keystore in /usr/local/openjdk11/lib/security/cacerts but we still get this error: __Path does not chain with any of the trust anchors__ ---> openssl s_client -connect mx32.harte-lyne.ca:465 CONNECTED(00000003) depth=2 CN = CA_HLL_ROOT_2016, ST = Ontario, O = Harte & Lyne Limited, OU = Networked Data Services, C = CA, DC = harte-lyne, DC = ca, L = Hamilton verify return:1 depth=1 CN = CA_HLL_ISSUER_2016, OU = Networked Data Services, O = Harte & Lyne Limited, L = Hamilton, ST = Ontario, C = CA, DC = harte-lyne, DC = ca verify return:1 depth=0 CN = mx32.harte-lyne.ca, OU = Networked Data Systems, O = Harte & Lyne Limited, L = Hamilton, ST = Ontario, C = CA, DC = hamilton, DC = harte-lyne, DC = ca verify return:1 . . . JAVA_VERSION="11" keytool -list -rfc -cacerts > cacerts.txt grep 'Alias name' cacerts.txt | grep hll Alias name: hartelyneissuer2016 [hll] Alias name: hartelyneroot2016 [hll] JAVA_VERSION="11" java SSLPoke mx32.harte-lyne.ca 465 sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors <--- Why? -- *** e-Mail is NOT a SECURE channel *** Do NOT transmit sensitive data via e-Mail Unencrypted messages have no legal claim to privacy Do NOT open attachments nor follow links sent by e-Mail James B. Byrne mailto:ByrneJB@Harte-Lyne.ca Harte & Lyne Limited http://www.harte-lyne.ca 9 Brockley Drive vox: +1 905 561 1241 Hamilton, Ontario fax: +1 905 561 0757 Canada L8E 3C3
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?fd636e819f797c2ddb9d50791b87b10a.squirrel>