complete certificate path validation

David Pomeroy dfpomeroy at
Mon Jul 11 16:13:09 PDT 2011

Hello All,

I'm trying to figure out if a certain security configuration is supported in
openJDK or not.

I want to do client authentication at the server with one trusted root
self-signed anchor certificate.  Then I want the client to send up only a
client certificate that was issued by a subordinate CA.  I want to use the
"PKIX" TrustManagerFactory to accomplish this.

The client authentication succeeds when the subordinate CA certificate is
added to the truststore used to initialize the PKIXBuilderParameters that is
fed into the TrustManagerFactory.  However, the subordinate CA is not a root
(self-signed) certificate and the PKIXCertPathValidator doesn't seem to care
about that.  This doesn't meet my requirements, since the client cert path
is not built all the way up to a root certificate.

If I do not include the subordinate CA certificate in the truststore, the
client cannot connect and it doesn't seem like the validator is invoked at
all.  I know I would have to include the sub CA certificate somehow but I'm
not sure how to do this.

Is this configuration even supported?  I have tried openJDK 6 and 7, same
results with each.

I imagine if the client sent up the sub CA certificate as well as the client
certificate, the chain would be validated from the root all the way down.
However, this is not the desired configuration.

Any help here would be appreciated.

Dave P
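
The configuration asked about above, expressed with the standard `java.security.cert` and JSSE APIs, as an added example that is not part of the original post: the self-signed root is the only trust anchor, and the subordinate CA is supplied through a `CertStore` as untrusted path-building material. The class name `RootOnlyTrust`, its helper methods and the two PEM file arguments are hypothetical, and revocation checking is switched off only because the example assumes no CRL or OCSP source is configured.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

public class RootOnlyTrust {
    // Hypothetical helper: trust only `root`; `intermediates` help build the path but are not trusted.
    static TrustManager[] trustManagers(X509Certificate root,
            Collection<X509Certificate> intermediates) throws Exception {
        // Refuse an anchor that is not self-issued and self-signed, so a
        // subordinate CA placed here by mistake cannot terminate a path.
        if (!root.getSubjectX500Principal().equals(root.getIssuerX500Principal())) {
            throw new IllegalArgumentException("trust anchor is not self-issued");
        }
        root.verify(root.getPublicKey()); // throws if not signed by its own key

        Set<TrustAnchor> anchors = Collections.singleton(new TrustAnchor(root, null));
        PKIXBuilderParameters params =
                new PKIXBuilderParameters(anchors, new X509CertSelector());
        // The sub CA goes into a CertStore: the builder may use it as a link
        // in the chain, but the chain still has to end at the root anchor.
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(intermediates)));
        // Assumption for this example only: no CRL/OCSP source is available.
        params.setRevocationEnabled(false);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        return tmf.getTrustManagers();
    }

    static X509Certificate load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) { // Java 7 syntax
            return (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        // args: <root certificate file> <sub CA certificate file> (placeholders)
        TrustManager[] tms = trustManagers(load(args[0]),
                Collections.singletonList(load(args[1])));
        // Only the root should be listed; pass `tms` to SSLContext.init on the server.
        for (X509Certificate c : ((X509TrustManager) tms[0]).getAcceptedIssuers()) {
            System.out.println("trust anchor: " + c.getSubjectX500Principal());
        }
    }
}
```

With this setup `getAcceptedIssuers()` returns only the root, and that is the list a JSSE server advertises to clients in its certificate request.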
More information about the security-dev mailing list