I created an SSL server certificate with CAcert. When I try to fetch a page from this server from a Java program (see below), I get
Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: CA key usage check failed: keyCertSign bit is not set
Does anyone know what could be causing this?
- I tried creating certificates signed with both the class 1 and the class 3 root certificate, with the same result.
- An error occurred while trying to get pages from two other sites using CAcert.org certificates: https://www.cacert.org and https://pause.perl.org (making me believe that the root and class 3 certificates of cacert.org are correctly installed on my system).
- I can see the cacert.org certificates in keytool -keystore /etc/ssl/certs/java/cacerts -list.
- Yes, I know that several web browsers ship with the cacert.org root and class 3 certificates.
- The certificate is a wildcard certificate for *.an.example.com (real domain redacted).
Here is the Java code that I use for testing:
class Test {
    public static void main(String args[]) throws Exception {
        // Open an HTTPS URL given on the command line; the handshake fails before any data is read
        java.net.URL url = new java.net.URL(args[0]);
        try (java.io.InputStream s = url.openStream()) {
            s.read();
        }
    }
}
The full stack trace does not add any useful information.
The keytool(1) man page mentions
Extensions can be marked critical to indicate that the extension should be checked and enforced/used. For example, if a certificate has the KeyUsage extension marked critical and set to "keyCertSign" then if this certificate is presented during SSL communication, it should be rejected, as the certificate extension indicates that the associated private key should only be used for signing certificates and not for SSL use.
but I checked the certificate, and although the "Key Usage" extension says "Signing", it is also marked "Not critical."
Sorry, I don't want to disclose my domain name or certificate, but I could probably start up a server for testing.
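The validator error quoted above is about the issuing certificates, not the server certificate: Java's PKIX path validation requires every CA in the chain to carry BasicConstraints cA=TRUE and, if a KeyUsage extension is present at all, the keyCertSign bit, regardless of whether the extension is marked critical. The following diagnostic, added here as an example and not part of the original post, loads a PEM file containing the server certificate followed by its issuers (file name and leaf-first order are assumptions) and reports, per certificate, which of those two conditions would make the chain fail:

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/**
 * Inspect a PEM certificate chain and flag issuers that PKIX validation
 * would reject: a CA needs BasicConstraints cA=TRUE and, when a KeyUsage
 * extension exists, the keyCertSign bit. Criticality of KeyUsage does not
 * matter for this check.
 */
public class ChainKeyUsageCheck {
    // Position of keyCertSign in the boolean[] from X509Certificate.getKeyUsage()
    private static final int KEY_CERT_SIGN = 5;
    // OID of the KeyUsage extension, used to report whether it is marked critical
    private static final String KEY_USAGE_OID = "2.5.29.15";

    public static void main(String[] args) throws Exception {
        // Assumed usage: java ChainKeyUsageCheck chain.pem  (leaf first, then intermediates, then root)
        List<X509Certificate> chain = loadPem(args[0]);
        for (int i = 0; i < chain.size(); i++) {
            X509Certificate c = chain.get(i);
            boolean isCa = c.getBasicConstraints() != -1;      // -1 means no cA=TRUE constraint
            boolean[] ku = c.getKeyUsage();                    // null when no KeyUsage extension
            boolean canSignCerts = ku == null || (ku.length > KEY_CERT_SIGN && ku[KEY_CERT_SIGN]);
            Set<String> critical = c.getCriticalExtensionOIDs();
            boolean kuCritical = critical != null && critical.contains(KEY_USAGE_OID);

            System.out.printf("[%d] %s%n", i, c.getSubjectX500Principal());
            System.out.printf("    BasicConstraints cA=%s  KeyUsage=%s (critical=%s)  keyCertSign=%s%n",
                    isCa, ku == null ? "absent" : "present", kuCritical, canSignCerts);

            // Every certificate except the leaf (index 0) acts as an issuer and must pass both checks
            if (i > 0 && !(isCa && canSignCerts)) {
                System.out.println("    -> this issuer would fail PKIX validation "
                        + "(BasicConstraints cA / KeyUsage keyCertSign check)");
            }
        }
    }

    /** Parse all PEM-encoded certificates in a file, preserving file order. */
    static List<X509Certificate> loadPem(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            List<X509Certificate> out = new ArrayList<>();
            for (Certificate cert : cf.generateCertificates(in)) {
                out.add((X509Certificate) cert);
            }
            return out;
        }
    }
}
```

Running this against the chain a server actually sends (for example one saved from an openssl s_client session) usually shows the problem immediately: a certificate that a browser accepts only because of a lenient or cached path can still be missing keyCertSign or cA=TRUE on one of its issuers, and that is the certificate the JDK's validator is complaining about, not the leaf.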