Why a root certificate is not trusted by java clie

Posted 2019-12-16 20:36

Question:

I am experiencing an issue when calling a web service in my Java project. The web service client is running in a Java EE application deployed in WebSphere 7. The SSL certificate chain has the root certificate of Go Daddy Class 2 Certificate Authority, and I do see it in the cacerts file under the WebSphere JVM folder, but I keep getting an untrusted certificate error:

java.security.cert.CertPathValidatorException: The certificate issued by OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US is not trusted; internal cause is: 
java.security.cert.CertPathValidatorException: Certificate chaining error

I can't figure out why I am getting this error, or how I can resolve this issue. Please help me.

  1. The web service is running on Server A. The client works well when I run it on my machine; the cacerts on my machine includes that root certificate.
  2. When the client gets deployed with a web application onto Server A, it doesn't work. We checked the cacerts file, and it does include the Go Daddy root certificate.
  3. When the client and web service get deployed onto some other envs running with a VeriSign certificate chain, it works as well.

Thanks

Answer 1:

In my opinion, the CA root public key should be added to your trust store, as you are using your server as a web service client and not a web service server.

On your admin console, you should have:

Security -> SSL certificate and key management -> Key stores and certificates -> NodeDefaultTrustStore -> Signer certificates
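
An added example, not part of the original thread: a small Java check that looks in a given key store file for a signer certificate whose subject matches the issuer named in the exception above, so the same test can be run against cacerts and against the file behind NodeDefaultTrustStore. The store path, type and password are command-line arguments you supply (assumptions; the thread does not give them), and the class name is hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.security.auth.x500.X500Principal;

// Usage: java FindTrustAnchor <storePath> <storeType, e.g. JKS or PKCS12> <storePassword>
public class FindTrustAnchor {
    // Issuer DN copied from the CertPathValidatorException in the question.
    static final X500Principal WANTED = new X500Principal(
        "OU=Go Daddy Class 2 Certification Authority, O=\"The Go Daddy Group, Inc.\", C=US");

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: FindTrustAnchor <storePath> <storeType> <storePassword>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance(args[1]);
        InputStream in = new FileInputStream(args[0]);
        try {
            ks.load(in, args[2].toCharArray());
        } finally {
            in.close();
        }
        boolean found = false;
        for (String alias : Collections.list(ks.aliases())) {
            // Signer certificates are stored as certificate entries; key entries are skipped here.
            if (!ks.isCertificateEntry(alias)) continue;
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            // X500Principal.equals compares the canonical form of the two names.
            if (!x.getSubjectX500Principal().equals(WANTED)) continue;
            found = true;
            String validity;
            try {
                x.checkValidity();
                validity = "valid until " + x.getNotAfter();
            } catch (CertificateException e) {
                validity = "NOT currently valid: " + e.getMessage();
            }
            System.out.println(alias + ": " + validity + ", serial " + x.getSerialNumber().toString(16));
        }
        if (!found) {
            System.out.println("No signer certificate with subject " + WANTED.getName() + " in " + args[0]);
        }
        System.exit(found ? 0 : 1);
    }
}
```

A match in cacerts together with no match in the trust store file the server uses would be consistent with the error in the question.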


Answer 2:

Chaining error

You haven't imported the chain correctly, or there is something wrong with it. I use GoDaddy certificates and I don't get chaining errors, so it is more likely the former.