JRE is rejecting website certificate even though IE is happy with it.

 
Greenhorn
Posts: 5
When our applet loads on our HTTPS website, the JRE is rejecting the website certificate, saying it does not recognize the Certificate Authority (which is Thawte). Internet Explorer is happy with the certificate.

With tracing turned on, I can verify the JRE is checking the certificate authorities of IE, but for some reason rejects all of them. The trace shows this:

security: Certificate has failed the verification with the Internet Explorer ROOT certificates
security: Invalid certificate from HTTPS server

We've tested several versions of JRE 7 and the latest version of JRE 8. All of them reject the certificate authority. This happens on various versions of Windows and Internet Explorer.

Please note that I'm not referring to the certificate used to sign the applet. The JRE is happy with that certificate.

What can I do to further investigate this issue?

Thanks,
Rob
 
Ranch Hand
Posts: 426
Eclipse IDE Fedora Linux
What are the expiration dates of all certs in your repository? Did you store them in the right format? Must be PEM, not DER. IE uses DER format. This is not acceptable for JRE use.
 
R Zuber
Greenhorn
Posts: 5
Thanks for the feedback! The website certificate is valid from 2/3/2014 to 2/4/2015, which is why IE is happy with it. The JRE rejects the certificate based on the certificate authority (Thawte SSL CA). IE trusts that authority.

I will investigate the PEM vs DER format issue.
 
Roger Sterling
Ranch Hand
Posts: 426
Eclipse IDE Fedora Linux
R Zuber wrote: Thanks for the feedback! The website certificate is valid from 2/3/2014 to 2/4/2015, which is why IE is happy with it. The JRE rejects the certificate based on the certificate authority (Thawte SSL CA). IE trusts that authority.

I will investigate the PEM vs DER format issue.



Here is the link to Thawte root certificates, which you can install in your truststore: http://www.thawte.com/roots/
 
R Zuber
Greenhorn
Posts: 5
Thanks. If I understand you correctly, if the issue is that the JRE doesn't already contain the CA we are using, AND the JRE isn't successfully trusting the IE CAs because of certificate format, then either:

1) We have to get a different certificate with a different CA
2) Our end users would have to run an installer on their side to install the relevant CA into their JRE

Correct?
 
Roger Sterling
Ranch Hand
Posts: 426
Eclipse IDE Fedora Linux
The root cause of your problem is that your certification path fails.

Why does it fail? I can think of three possible reasons; there may be others.

1. You need to add Thawte Root certs to your truststore.
2. Your existing Thawte Root certs are stored in the incorrect format.
3. Your existing Thawte Root certs are expired.

Use the iKeyman GUI to view the contents of your file. Or keytool, if you must.

Do you have the Thawte Root Cert installed? If so, what's the expiration date?
 
R Zuber
Greenhorn
Posts: 5
I'm adding our solution in case people refer to this thread in the future: Installing the intermediate CA certificate on the web server solved the problem. No change was made on the client side.
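
The fix reported above, reproduced offline as an added example (not part of the thread, and not the posters' commands): a client that trusts only a root CA cannot build a chain when the server presents its own certificate without the intermediate, and can once the intermediate is supplied. It assumes the `openssl` command-line tool is installed; every name and certificate in it is constructed.

```shell
#!/bin/sh
# Added example. Every name below (Example Root CA, www.example.test, ...)
# is constructed; nothing here comes from the thread's real site or CA.
set -e

# new_csr DIR NAME SUBJECT: fresh RSA key plus certificate request
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# make_pki DIR: root CA -> intermediate CA -> server (leaf) certificate
make_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    new_csr "$d" root "/CN=Example Root CA"
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    new_csr "$d" int "/CN=Example Intermediate CA"
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    new_csr "$d" leaf "/CN=www.example.test"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 30 -out "$d/leaf.pem" 2>/dev/null
}

# Client trusts only the root; the server sent the leaf and nothing else.
verify_leaf_only() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Same client; the server also sent the intermediate (an untrusted helper cert).
verify_with_intermediate() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" \
        "$1/leaf.pem" >/dev/null 2>&1
}

work=$(mktemp -d)
make_pki "$work"
for check in verify_leaf_only verify_with_intermediate; do
    if "$check" "$work"; then echo "$check: chain builds"
    else echo "$check: chain does NOT build"; fi
done
rm -rf "$work"
```

Against a live server, `openssl s_client -connect host:443 -showcerts` lists the certificates the server actually sends, which is the quickest way to see whether the intermediate is missing.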
 