complete certificate path validation

David Pomeroy dfpomeroy at gmail.com
Tue Jul 12 01:59:01 UTC 2011


Hi Xuelei,

The requirement is to keep the client certificate as small as possible.  I'd
rather not have to store the sub CA certificate on the client.

I see that the server is sending a "certificate request" as part of the TLS
handshake protocol.  The DNs of the trusted certificates are specified in
the request.

It looks like the Sun JSSE provider does not support this configuration.
Can you confirm?

Thanks, Dave


On Mon, Jul 11, 2011 at 6:21 PM, Xuelei Fan <xuelei.fan at oracle.com> wrote:

> Hi Dave,
>
> What are the underlying requirements that the client cannot send a full
> certification path? That's not the way TLS works.
>
> You may also be interested in the post, "Best Practice: to Include the
> Complete Certificate Chain in the KeyStore",
> http://sim.ivi.co/2011/06/best-practice-to-include-compelete.html
>
> Regards,
> Xuelei
>
> On 7/12/2011 7:13 AM, David Pomeroy wrote:
> > Hello All,
> >
> > I'm trying to figure out if a certain security configuration is
> > supported in openJDK or not.
> >
> > I want to do client authentication at the server with one trusted root
> > self-signed anchor certificate.  Then I want the client to send up only
> > a client certificate, that was issued by a subordinate CA.  I want to
> > use the "PKIX" TrustManagerFactory to accomplish this.
> >
> > The client authentication succeeds when the subordinate CA certificate
> > is added to the truststore used to initialize the PKIXBuilderParameters
> > that is fed into the TrustManagerFactory.  However, the subordinate CA
> > is not a root (self-signed) certificate and the PKIXCertPathValidator
> > doesn't seem to care about that.  This doesn't meet my requirements,
> > since the client cert path is not built all the way up to a root
> > certificate.
> >
> > If I do not include the subordinate CA certificate in the truststore,
> > the client cannot connect and it doesn't seem like the validator is
> > invoked at all.  I know I would have to include the sub CA certificate
> > somehow but I'm not sure how to do this.
> >
> > Is this configuration even supported?  I have tried openJDK 6 and 7,
> > same results with each.
> >
> > I imagine if the client sent up the sub CA certificate as well as the
> > client certificate, the chain would be validated from the root all the
> > way down. However, this is not the desired configuration.
> >
> > Any help here would be appreciated.
> >
> > Thanks!
> > Dave P
>
>
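
An added example, not part of the thread and not OpenJDK code: it uses the `java.security.cert` PKIX builder to show the behaviour discussed above. With the subordinate CA in the anchor set the path ends at a non-self-signed anchor, while with only the root as anchor and the subordinate CA supplied as an untrusted intermediate through a `CertStore` the path is built up to the root. The class name, the helper names and the three certificate files passed as arguments (root, sub CA, client) are assumptions, and revocation checking is switched off.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.Collections;
import java.util.List;
import java.util.Set;

public class RootOnlyPathCheck {  // hypothetical class name
    // Load one X.509 certificate (PEM or DER) from a file.
    static X509Certificate load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // Build a path from the leaf to one of the anchors. Intermediates are only
    // candidates from a CertStore; they are never trusted by themselves.
    static PKIXCertPathBuilderResult build(X509Certificate leaf, Set<TrustAnchor> anchors,
                                           List<X509Certificate> intermediates) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(intermediates)));
        params.setRevocationEnabled(false);  // assumption: no CRL/OCSP source available here
        return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
    }

    // A root is self-issued and its signature verifies under its own public key.
    static boolean isSelfSigned(X509Certificate c) {
        if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) return false;
        try { c.verify(c.getPublicKey()); return true; } catch (Exception e) { return false; }
    }

    static void report(String label, PKIXCertPathBuilderResult r) {
        System.out.println(label + ": certs in path=" + r.getCertPath().getCertificates().size()
                + ", anchor self-signed=" + isSelfSigned(r.getTrustAnchor().getTrustedCert()));
    }

    public static void main(String[] args) throws Exception {
        X509Certificate root = load(args[0]), subCa = load(args[1]), client = load(args[2]);
        // Sub CA placed among the anchors: PKIX stops there, the root is never consulted.
        report("subCA as anchor", build(client, Collections.singleton(new TrustAnchor(subCa, null)),
                Collections.<X509Certificate>emptyList()));
        // Root is the only anchor: the sub CA must chain to it or build() throws.
        report("root as anchor ", build(client, Collections.singleton(new TrustAnchor(root, null)),
                Collections.singletonList(subCa)));
    }
}
```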