complete certificate path validation

Xuelei Fan at
Mon Jul 11 18:21:13 PDT 2011

Hi Dave,

What's the underlying requirements that the client cannot send a full
certification path? That's not the way TLS works.

You may be also interesting in the post, "Best Practice: to Include the
Complete Certificate Chain in the KeyStore",


On 7/12/2011 7:13 AM, David Pomeroy wrote:
> Hello All,
> I'm trying to figure out if a certain security configuration is
> supported in openJDK or not.
> I want to do client authentication at the server with one trusted root
> self-signed anchor certificate.  Then I want the client to send up only
> a client certificate, that was issued by a subordinate CA.  I want to
> use the "PKIX" TrustManagerFactory to accomplish this.
> The client authentication succeeds when the subordinate CA certificate
> is added to the truststore used to initialize the PKIXBuilderParameters
> that is fed into the TrustManagerFactory.  However, the subordinate CA
> is not a root (self-signed) certificate and the PKIXCertPathValidator
> doesn't seem to care about that.  This doesn't meet my requirements,
> since the client cert path is not built all the way up to a root
> certificate.
> If I do not include the subordinate CA certificate in the truststore,
> the client cannot connect and it doesn't seem like the validator is
> invoked at all.  I know I would have to include the sub CA certificate
> somehow but I'm not sure how to do this.
> Is this configuration even supported?  I have tried openJDK 6 and 7,
> same results with each.
> I imagine if the client sent up the sub CA certificate as well as the
> client certificate, the chain would be validated from the root all the
> way down. However, this is not the desired configuration.
> Any help here would be appreciated.
> Thanks!
> Dave P

More information about the security-dev mailing list