Why adding a certificate to cacerts is not enough?

Time:12-31

I have a Java program that connects to an https remote webservice which exposes a TLS certificate of this structure:

Webservice certificate
    Signed with some certificate
        Signed with some corporate certificate

Now, when my Java app makes an https request to that webservice it fails due to an invalid certificate. This is normal, so I added the webservice's direct certificate to the Java/lib/security/cacerts file.

But this didn't work, I still had the certificate exception.

After a long debugging session and hours wasted, I tried to add all three individual certificates, and this time it worked. But why?

Why does Java check the full certificate path even though the direct certificate is made trusted?

Is this behavior as per the SSL/TLS RFCs? Will this behavior occur with other tools/languages like curl?

Thanks.

CodePudding user response:

... so I added the webservice direct certificate to the Java/lib/security/cacerts file

The webservice certificate is not a CA certificate, so it does not belong in cacerts in the first place (as the name indicates). A CA certificate is a certificate which is used to sign other certificates, a webservice certificate is a leaf certificate which cannot be used to sign other certificates.

Will this behavior occur with other tools/languages like curl?

This is a common behavior. With OpenSSL based tools one usually needs to provide the root CA (and of course the chain to it); only with X509_V_FLAG_PARTIAL_CHAIN will it accept a chain when parts of it are specified as trusted.
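To see the behaviour the answer describes with an OpenSSL based tool, here is an added script (not from the question or the answer) that builds a constructed three-tier chain like the one in the question and then runs `openssl verify` against different trust stores, with and without `-partial_chain` (the command-line form of X509_V_FLAG_PARTIAL_CHAIN). The subject names and file names are made up; it needs the openssl CLI (1.0.2 or newer).

```shell
#!/bin/sh
# Constructed demo: root CA -> intermediate CA -> leaf, then verify the leaf
# the way the questioner tried (leaf alone in the trust store) and the way
# that works (root trusted, intermediate supplied as untrusted chain material).
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles: CAs may sign certificates, the leaf may not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:webservice.example\n' > leaf.ext

# csr STEM CN: create STEM.key and STEM.csr with subject CN=CN (constructed names).
csr() { openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" >/dev/null 2>&1; }

csr root "Corporate Root CA"
openssl x509 -req -in root.csr -signkey root.key -days 7 -extfile ca.ext -out root.crt >/dev/null 2>&1
csr int "Some Intermediate CA"
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -days 7 -extfile ca.ext -out int.crt >/dev/null 2>&1
csr leaf "webservice.example"
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial -days 7 -extfile leaf.ext -out leaf.crt >/dev/null 2>&1

# verify_leaf TRUSTFILE [extra openssl verify options]
# Returns 0 when openssl accepts leaf.crt with TRUSTFILE as the only trust store.
verify_leaf() {
  trust=$1
  shift
  openssl verify "$@" -CAfile "$trust" leaf.crt >/dev/null 2>&1
}

# Each case: trust store first, then extra options.
for case in \
  "leaf.crt" "leaf.crt -partial_chain" \
  "int.crt" "int.crt -partial_chain" \
  "root.crt" "root.crt -untrusted int.crt"; do
  if verify_leaf $case; then echo "accepted: $case"; else echo "rejected: $case"; fi
done
```

Without `-partial_chain`, only the last case (root trusted plus the intermediate supplied) is accepted; trusting the leaf or the intermediate alone is rejected, and trusting the root while omitting the intermediate is rejected too.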
