JRE is rejecting website certificate even though IE is happy with it.

R Zuber
Greenhorn

Joined: Jan 25, 2007
Posts: 5
When our applet loads on our HTTPS website, the JRE is rejecting the website certificate, saying it does not recognize the Certificate Authority (which is Thawte). Internet Explorer is happy with the certificate.

With tracing turned on, I can verify the JRE is checking the certificate authorities of IE, but for some reason rejects all of them. The trace shows this:

security: Certificate has failed the verification with the Internet Explorer ROOT certificates
security: Invalid certificate from HTTPS server

We've tested several versions of JRE 7 and the latest version of JRE 8. All of them reject the certificate authority. This happens on various versions of Windows and Internet Explorer.

Please note that I'm not referring to the certificate used to sign the applet. The JRE is happy with that certificate.

What can I do to further investigate this issue?

Thanks,
Rob
Roger Sterling
Ranch Hand

Joined: Apr 06, 2012
Posts: 426

What are the expiration dates of all certs in your repository? Did you store them in the right format? Must be PEM not DER. IE uses DER format. This is not acceptable for JRE use.
R Zuber
Greenhorn

Joined: Jan 25, 2007
Posts: 5
Thanks for the feedback! The website certificate is valid from 2/3/2014 to 2/4/2015, which is why IE is happy with it. The JRE rejects the certificate based on the certificate authority (Thawte SSL CA). IE trusts that authority.

I will investigate the PEM vs DER format issue.
Roger Sterling
Ranch Hand

Joined: Apr 06, 2012
Posts: 426

R Zuber wrote: Thanks for the feedback! The website certificate is valid from 2/3/2014 to 2/4/2015, which is why IE is happy with it. The JRE rejects the certificate based on the certificate authority (Thawte SSL CA). IE trusts that authority.

I will investigate the PEM vs DER format issue.


Here is the link to Thawte root certificates, which you can install in your truststore: http://www.thawte.com/roots/
R Zuber
Greenhorn

Joined: Jan 25, 2007
Posts: 5
Thanks. If I understand you correctly, if the issue is that the JRE doesn't already contain the CA we are using, AND the JRE isn't successfully trusting the IE CAs because of certificate format, then either:

1) We have to get a different certificate with a different CA
2) Our end users would have to run an installer on their side to install the relevant CA into their JRE

Correct?
Roger Sterling
Ranch Hand

Joined: Apr 06, 2012
Posts: 426

The root cause of your problem is that your certification path fails.

Why does it fail? I can think of three possible reasons; there may be others.

1. You need to add Thawte Root certs to your truststore.
2. Your existing Thawte Root certs are stored in an incorrect format.
3. Your existing Thawte Root certs are expired.

Use iKeyman GUI to view the contents of your file. Or, keytool if you must.

Do you have Thawte Root Cert installed? If so, what's the expiration date?
R Zuber
Greenhorn

Joined: Jan 25, 2007
Posts: 5
I'm adding our solution in case people refer to this thread in the future: Installing the intermediate CA certificate on the web server solved the problem. No change was made on the client side.
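
The condition fixed in the last post (a web server that does not send its intermediate CA certificate) can be checked from the JRE side by printing the chain the server actually sends. This is an added example, not code from the thread; the class name `ChainCheck` and the host `www.example.com` are placeholders, and matching the last issuer against the JRE roots by name is a heuristic.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class ChainCheck { // hypothetical class name
    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "www.example.com"; // placeholder host
        // Default trust manager, backed by the JRE's own trust store (cacerts).
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        final X509TrustManager jre = (X509TrustManager) tmf.getTrustManagers()[0];
        final X509Certificate[][] sent = new X509Certificate[1][];
        // Records the chain exactly as the server sent it, then validates it as usual.
        X509TrustManager recorder = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String t) throws CertificateException {
                jre.checkClientTrusted(c, t);
            }
            public void checkServerTrusted(X509Certificate[] c, String t) throws CertificateException {
                sent[0] = c;
                jre.checkServerTrusted(c, t);
            }
            public X509Certificate[] getAcceptedIssuers() { return jre.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        String verdict = "JRE accepted the chain";
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443)) {
            s.startHandshake(); // handshake only; no application data is sent
        } catch (SSLException e) {
            verdict = "JRE rejected the chain: " + e.getMessage();
        }
        if (sent[0] == null || sent[0].length == 0) { System.out.println("No certificates: " + verdict); return; }
        for (int i = 0; i < sent[0].length; i++) {
            System.out.println("[" + i + "] subject: " + sent[0][i].getSubjectX500Principal());
            System.out.println("    issuer:  " + sent[0][i].getIssuerX500Principal());
        }
        // Heuristic: is the issuer of the last certificate sent one of the JRE's roots?
        X509Certificate last = sent[0][sent[0].length - 1];
        boolean anchored = false;
        for (X509Certificate root : jre.getAcceptedIssuers()) {
            anchored |= root.getSubjectX500Principal().equals(last.getIssuerX500Principal());
        }
        System.out.println(verdict);
        if (!anchored) System.out.println("Issuer of the last certificate sent is not a JRE root; "
                + "the server is probably omitting its intermediate CA certificate.");
    }
}
```

A server that sends only its own certificate shows a single entry whose issuer is the intermediate CA; once the intermediate is installed on the server, it appears as a second entry whose issuer is the root.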