When our applet loads on our HTTPS website, the JRE is rejecting the website certificate, saying it does not recognize the Certificate Authority (which is Thawte). Internet Explorer is happy with the certificate.
With tracing turned on, I can verify the JRE is checking the certificate authorities of IE, but for some reason rejects all of them. The trace shows this:
security: Certificate has failed the verification with the Internet Explorer ROOT certificates
security: Invalid certificate from HTTPS server
We've tested several versions of JRE 7 and the latest version of JRE 8. All of them reject the certificate authority. This happens on various versions of Windows and Internet Explorer.
Please note that I'm not referring to the certificate used to sign the applet. The JRE is happy with that certificate.
What are the expiration dates of all certs in your repository ? Did you store them in the right format ? Must be PEM not DER. IE uses DER format. This is not acceptable for JRE use.
Thanks for the feedback! The website certificate is valid from 2/3/2014 to 2/4/2015, which is why IE is happy with it. The JRE rejects the certificate based on the certificate authority (Thawte SSL CA). IE trusts that authority.
R Zuber wrote: Thanks for the feedback! The website certificate is valid from 2/3/2014 to 2/4/2015, which is why IE is happy with it. The JRE rejects the certificate based on the certificate authority (Thawte SSL CA). IE trusts that authority.
Thanks. If I understand you correctly, if the issue is that the JRE doesn't already contain the CA we are using, AND the JRE isn't successfully trusting the IE CAs because of certificate format, then either:
1) We have to get a different certificate with a different CA
2) Our end users would have to run an installer on their side to install the relevant CA into their JRE
The root cause for your problem is your certification path fails.
Why does it fail ? I can think of three possible reasons, there may be others.
1. You need to add Thawte Root certs to your truststore.
2. Your existing Thawte Root certs are stored in an incorrect format.
3. Your existing Thawte Root certs are expired.
Use iKeyman GUI to view the contents of your file. Or, keytool if you must.
Do you have Thawte Root Cert installed ? If so, what's the expiration date ?
I'm adding our solution in case people refer to this thread in the future: Installing the intermediate CA certificate on the web server solved the problem. No change was made on the client side.
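The failure mode described in this thread (the client trusts the root, the server presents only the leaf, and path building fails because nothing links the two) can be reproduced offline. The script below is an added example, not something posted in the thread or shipped by the JRE or Thawte: it generates a throwaway root CA, an intermediate CA signed by the root, and a server certificate signed by the intermediate, then runs `openssl verify` once with only the root trusted (what a client sees when the web server omits the intermediate) and once with the intermediate supplied alongside the leaf (what the web server should be sending). The names `Example Root CA`, `Example Intermediate CA` and `www.example.com` are placeholders chosen for the example. Windows' CryptoAPI can fetch a missing intermediate through the leaf's AIA extension, whereas Java's PKIX validator does not do that by default, which is why IE accepted the site while the JRE did not and why fixing the server-side chain, as the original poster did, resolves it for every client.

```shell
#!/bin/sh
# Added example: demonstrate why a missing intermediate CA breaks chain validation.
# Requires the openssl command-line tool; everything runs in a temp directory.
set -e
WORK=$(mktemp -d)

# 1. Self-signed root CA (stands in for the publicly trusted root, e.g. a Thawte root).
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.pem" \
  -subj "/CN=Example Root CA" -days 365 >/dev/null 2>&1

# 2. Intermediate CA, signed by the root (stands in for "Thawte SSL CA").
#    It must carry CA:TRUE or verification would reject it as an issuer.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca_ext.cnf"
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/inter.key" -out "$WORK/inter.csr" \
  -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -out "$WORK/inter.pem" -days 365 -extfile "$WORK/ca_ext.cnf" >/dev/null 2>&1

# 3. Server (leaf) certificate for the placeholder host, signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
  -subj "/CN=www.example.com" >/dev/null 2>&1
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
  -CAcreateserial -out "$WORK/leaf.pem" -days 365 >/dev/null 2>&1

# What the web server should send: leaf first, then the intermediate (never the root).
cat "$WORK/leaf.pem" "$WORK/inter.pem" > "$WORK/server_chain.pem"

# Client that trusts only the root and receives only the leaf: path building fails,
# which is the "unable to get local issuer certificate" case the JRE was hitting.
verify_leaf_only() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Same client, but the server's response also carries the intermediate:
# -untrusted supplies the extra certificates exactly as a TLS handshake would.
verify_with_server_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/server_chain.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Stand-alone run: report both outcomes.
if verify_leaf_only; then echo "leaf only: OK (unexpected)"; else echo "leaf only: FAILED (expected)"; fi
if verify_with_server_chain; then echo "leaf + intermediate: OK (expected)"; else echo "leaf + intermediate: FAILED (unexpected)"; fi
```

To check a live server the same way, `openssl s_client -connect host:443 -showcerts` prints the certificates the server actually sends; if only one appears, the intermediate is missing from the server configuration, independent of what any client has in its truststore.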