Adam Monsen

Reputation: 9420

Why does java choke on cert made at cacert.org: "keyCertSign bit is not set"?

I created an SSL server cert at CAcert. When I try to fetch a page from this server from a Java program (below), I get

Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: CA key usage check failed: keyCertSign bit is not set

Anyone know what might be causing this?

Here's the Java code I'm using to test:

class Test {
    public static void main(String args[]) throws Exception {
        java.net.URL url = new java.net.URL(args[0]);
        // openStream() performs the TLS handshake; the PKIX path validation
        // (and the exception above) happens here, before any bytes are read.
        java.io.InputStream s = url.openStream();
        s.close();
    }
}

The full stack trace doesn't appear to add any useful information.

The keytool(1) manpage does mention

Extensions can be marked critical to indicate that the extension should
be checked and enforced/used. For example, if a certificate has the
KeyUsage extension marked critical and set to "keyCertSign" then if this
certificate is presented during SSL communication, it should be rejected,
as the certificate extension indicates that the associated private key
should only be used for signing certificates and not for SSL use.

but I checked the cert, and while the "Certificate Key Usage" extension does say "Signing", it is also marked "Not Critical".

Sorry, I don't wish to reveal my domain name or cert, but I can probably spin up a server for testing if necessary.

Upvotes: 6

Views: 3104

Answers (2)

Adam Monsen

Reputation: 9420

Turned out to be a problem with the cert itself. Folks at CAcert.org fixed it. Yay!

Upvotes: 1

Cratylus

Reputation: 54094

It seems to me that the certificate is not to be used for SSL communication.
I.e. it is marked as a CA certificate but because the extension for certificate signing is not set Java rejects it.
Java is sometimes more strict on things like this while browsers are more lenient.

Upvotes: 0
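The rule the Java validator is enforcing is the one from RFC 5280 path validation: if a CA certificate carries a KeyUsage extension at all, keyCertSign must be asserted in it before that certificate may verify the signature on another certificate, and the extension's criticality does not matter for this check. OpenSSL enforces the same rule, so the situation can be reproduced offline. The script below is an added example and is not code from the question or from either answer; the CA and host names in it (good_ca, bad_ca, good_leaf.example and so on) are made up for the demonstration. It builds two self-signed CAs that both say basicConstraints CA:TRUE, one with keyCertSign in its KeyUsage and one with only a non-critical digitalSignature (the shape of the certificate described in the question), issues a server certificate under each, then shows what `openssl x509 -text` reports for the Key Usage and whether `openssl verify` accepts each chain.

```shell
#!/bin/sh
# Added example, not from the original question or answers. Requires openssl.
# All file and DN names below are made up for this demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME KEYUSAGE: self-signed CA certificate carrying the given keyUsage.
# Both CAs assert basicConstraints CA:TRUE; only the keyUsage differs.
make_ca() {
    cat > "$WORK/$1.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = $1
[ext]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
keyUsage = $2
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/$1.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_leaf CA_NAME LEAF_NAME: end-entity (server) certificate issued by CA_NAME.
make_leaf() {
    cat > "$WORK/$2.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $2.example
EOF
    cat > "$WORK/$2.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2.example
EOF
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$WORK/$2.cnf" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    # Signing succeeds regardless of the issuer's keyUsage: the bit is only
    # enforced later, by whoever validates the path (Java's PKIX validator,
    # openssl verify, a browser).
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -set_serial 1 -days 1 -extfile "$WORK/$2.ext" -out "$WORK/$2.pem" 2>/dev/null
}

# has_keycertsign NAME: exit 0 if the certificate's Key Usage lists
# "Certificate Sign". This is the field to inspect when Java reports
# "keyCertSign bit is not set".
has_keycertsign() {
    openssl x509 -in "$WORK/$1.pem" -noout -text | grep -q 'Certificate Sign'
}

# verify_chain CA_NAME LEAF_NAME: exit 0 if path validation accepts LEAF under CA.
verify_chain() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

make_ca good_ca 'critical,keyCertSign,cRLSign'
make_ca bad_ca  'digitalSignature'   # CA:TRUE, but KeyUsage (non-critical) lacks keyCertSign
make_leaf good_ca good_leaf
make_leaf bad_ca  bad_leaf

for ca in good_ca bad_ca; do
    if has_keycertsign "$ca"; then
        echo "$ca: Key Usage includes Certificate Sign"
    else
        echo "$ca: Key Usage present but Certificate Sign missing"
    fi
done
for pair in "good_ca good_leaf" "bad_ca bad_leaf"; do
    set -- $pair
    if verify_chain "$1" "$2"; then
        echo "$1 -> $2: path validates"
    else
        echo "$1 -> $2: path validation fails"
    fi
done
```

Against a live server the same inspection is `openssl s_client -connect host:443 -showcerts` to capture the chain, then `openssl x509 -noout -text` on each CA certificate in it, looking for "Certificate Sign" under "X509v3 Key Usage". Marking the extension Not Critical, as in the question, does not change the outcome: it is the absence of the bit, not the criticality flag, that the validator rejects.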
