Change in PKIX certificate chain validation Java 6->Java 7

Jason Uh jason.uh at
Thu May 29 01:55:18 UTC 2014

Hi Robert,

This was actually fixed in and is pending a 
backport to JDK 7u.


On 5/28/14 4:04 PM, Robert Gibson wrote:
> Hi,
> I was researching a StackOverflow question [1] and I came across some behaviour with the validation of certificate chains that I don't quite understand.
> I have a chain consisting of a root certificate with validity period 1999->2019; an intermediate certificate with validity period 2004->2024; and a server certificate with validity period 2006->2016. seems to be choking because the validity end date of the intermediate certificate is after the validity end date of the root certificate, even though we are currently within the validity period for all three certificates. (By the way, doesn't actually give any clues as to the reason for the failure; I had to resort to debugging the process.)
> Is this expected behaviour? Should I file a bug?
> 'Invalid' certificate chain is available at [2]. All the browsers I tried validated it fine; it's just Java 7+ that chokes.
> Thanks,
> Robbie
> [1]
> [2]
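
An added example, not part of the thread and not JDK code: it models the three validity periods from the message and separates the time check in RFC 5280 section 6.1.3 (each certificate's validity period must include the validation time) from the condition the message describes, an intermediate whose end date is later than the root's. The certificate labels and the exact dates (1 January of each year given, UTC) are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    name: str            # hypothetical label, not a real subject DN
    not_before: datetime
    not_after: datetime


def utc(year, month=1, day=1):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample: only the years come from the message; 1 January is assumed.
# Ordered leaf first, trust anchor last.
CHAIN = [
    Cert("server", utc(2006), utc(2016)),
    Cert("intermediate", utc(2004), utc(2024)),
    Cert("root", utc(1999), utc(2019)),
]


def outside_validity(chain, at):
    """Names of certificates whose validity period does not include `at`."""
    return [c.name for c in chain if not (c.not_before <= at <= c.not_after)]


def outlives_issuer(chain):
    """(subject, issuer) pairs where the subject's end date is after its issuer's."""
    return [(s.name, i.name) for s, i in zip(chain, chain[1:])
            if s.not_after > i.not_after]


def chain_valid_until(chain):
    """Last instant at which every certificate in the chain is still in date."""
    return min(c.not_after for c in chain)


if __name__ == "__main__":
    now = utc(2014, 5, 28)  # date of the original message
    print("outside validity at", now.date(), ":", outside_validity(CHAIN, now))
    print("outlives issuer:", outlives_issuer(CHAIN))
    print("chain usable until:", chain_valid_until(CHAIN).date())
```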
