
JRE is rejecting website certificate even though IE is happy with it.

 
R Zuber
Greenhorn
Posts: 5
When our applet loads on our HTTPS website, the JRE is rejecting the website certificate, saying it does not recognize the Certificate Authority (which is Thawte). Internet Explorer is happy with the certificate.

With tracing turned on, I can verify the JRE is checking the certificate authorities of IE, but for some reason rejects all of them. The trace shows this:

security: Certificate has failed the verification with the Internet Explorer ROOT certificates
security: Invalid certificate from HTTPS server

We've tested several versions of JRE 7 and the latest version of JRE 8. All of them reject the certificate authority. This happens on various versions of Windows and Internet Explorer.

Please note that I'm not referring to the certificate used to sign the applet. The JRE is happy with that certificate.

What can I do to further investigate this issue?

Thanks,
Rob
 
Roger Sterling
Ranch Hand
Posts: 426
What are the expiration dates of all certs in your repository? Did you store them in the right format? Must be PEM, not DER. IE uses DER format. This is not acceptable for JRE use.
 
R Zuber
Greenhorn
Posts: 5
Thanks for the feedback! The website certificate is valid from 2/3/2014 to 2/4/2015, which is why IE is happy with it. The JRE rejects the certificate based on the certificate authority (Thawte SSL CA). IE trusts that authority.

I will investigate the PEM vs DER format issue.
 
Roger Sterling
Ranch Hand
Posts: 426
R Zuber wrote: Thanks for the feedback! The website certificate is valid from 2/3/2014 to 2/4/2015, which is why IE is happy with it. The JRE rejects the certificate based on the certificate authority (Thawte SSL CA). IE trusts that authority.

I will investigate the PEM vs DER format issue.


Here is the link to the Thawte root certificates, which you can install in your truststore: http://www.thawte.com/roots/
 
R Zuber
Greenhorn
Posts: 5
Thanks. If I understand you correctly, if the issue is that the JRE doesn't already contain the CA we are using, AND the JRE isn't successfully trusting the IE CAs because of certificate format, then either:

1) We have to get a different certificate with a different CA
2) Our end users would have to run an installer on their side to install the relevant CA into their JRE

Correct?
 
Roger Sterling
Ranch Hand
Posts: 426
The root cause of your problem is that your certification path fails.

Why does it fail? I can think of three possible reasons; there may be others. 1. You need to add Thawte Root certs to your truststore. 2. Your existing Thawte Root certs are stored in an incorrect format. 3. Your existing Thawte Root certs are expired.


Use iKeyman GUI to view the contents of your file. Or, keytool if you must.

Do you have the Thawte Root Cert installed? If so, what's the expiration date?
 
R Zuber
Greenhorn
Posts: 5
I'm adding our solution in case people refer to this thread in the future: Installing the intermediate CA certificate on the web server solved the problem. No change was made on the client side.
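
The fix reported above, reproduced offline as an added example that is not part of the original thread: a client that trusts only the root cannot validate the server certificate until the intermediate is presented alongside it. The three-level PKI, its names and the helper functions are constructed for illustration, and `openssl verify` stands in for the client's path validation (it is not the JRE's validator).

```bash
#!/usr/bin/env bash
# Constructed test PKI (all names made up): root CA -> intermediate CA -> server leaf.
set -eu

build_pki() {  # $1 = empty working directory
  local d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  # Root CA: self-signed, the only certificate the client trusts.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  # Intermediate CA: issued by the root, issues the server certificate.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  # Server (leaf) certificate: issued by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 30 -out "$d/leaf.pem" 2>/dev/null
}

# Server presents only its own certificate; the client has the root and nothing else.
server_sends_leaf_only() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Server presents leaf + intermediate; -untrusted supplies the intermediate
# as chain-building material without making it a trust anchor.
server_sends_full_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1
}

dir=$(mktemp -d)
trap 'rm -rf "$dir"' EXIT
build_pki "$dir"
if server_sends_leaf_only "$dir"; then echo "leaf only:  path validates"
else echo "leaf only:  path validation FAILS (issuer of leaf unknown)"; fi
if server_sends_full_chain "$dir"; then echo "full chain: path validates"
else echo "full chain: path validation FAILS"; fi
```

Against a live server, `openssl s_client -connect HOST:443 -showcerts` (HOST is a placeholder) lists the certificates the server actually sends, which shows whether the intermediate is among them.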
 