
I know that Java trust stores generally have root CA certs. But what about intermediate certs?

I had a problem with certs and I asked about it here: Adding certificate to Java truststore and Sslhandshake

And then they answered me that I should add the intermediate cert to the truststore.

Ok, I understood that answer, but what are the risks of it? Is it the right way to import this or any intermediate cert?

For example: DigiCert High Assurance CA-3

  • You shouldn't need the intermediate CA if you have the root CA - this is the whole point of X.509. What have you tried to import the intermediate CA? – Boris the Spider Oct 27 '15 at 17:20
  • I have an exception about that. I explained here: http://stackoverflow.com/questions/33351978/adding-certificate-to-java-truststore-and-sslhandshake – javauser35 Oct 27 '15 at 17:22
  • The answer seems to be misinformed. If your browser can resolve it then Java should be able to too - you can use OpenSSL to carry out a handshake and examine the certificates sent by the server. Adding an intermediate CA could be a risk if it is later revoked. – Boris the Spider Oct 27 '15 at 17:24
  • Ok, I won't add the intermediate cert to the truststore. But I keep getting an exception. What can I do about that? – javauser35 Oct 27 '15 at 17:27
  • 'If your browser can resolve it then Java should be able to too' - that's not correct, the browser uses either the OS or Firefox key stores, Java has its own. It would be entirely possible for the intermediate cert to be installed in one but not the other. – mikemaccana May 03 '16 at 15:04
  • Make sure you are pointing to and using the Java cacert which is supposed to be shipped together with Java runtime. You can even force that by launching your application passing `-Djavax.net.ssl.trustStore=/jre/lib/security/cacerts` (your cacert folder) and `-Djavax.net.ssl.trustStorePassword=changeit` (your password). That's because, as already mentioned, Java can trust leaf certificates by evaluating the entire chain till the root one issued by a CA authority. – amenic May 07 '20 at 08:17
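An added diagnostic, not code from the question or the comments, that does what Boris and amenic describe: it captures the chain the server actually sends, then validates it against the truststore the JVM would use (`cacerts`, or whatever `-Djavax.net.ssl.trustStore` points at), so you can tell a server that omits its intermediate apart from a root that is missing from the store. It assumes Java 8 or later and network access to the host given on the command line; the class and method names are mine.

```java
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;
public class ChainCheck {
  public static void main(String[] args) throws Exception {
    String host = args[0]; int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
    // Same truststore the JVM picks by default; -Djavax.net.ssl.trustStore=... overrides it, as in the comments.
    String storePath = System.getProperty("javax.net.ssl.trustStore", System.getProperty("java.home") + "/lib/security/cacerts");
    String storePass = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
    KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
    try (java.io.FileInputStream in = new java.io.FileInputStream(storePath)) { ts.load(in, storePass.toCharArray()); }
    List<X509Certificate> sent = fetchChain(host, port); if (sent.isEmpty()) throw new IllegalStateException("no certificates received");
    System.out.println("Server sent " + sent.size() + " certificate(s):");
    for (X509Certificate c : sent) System.out.println("  " + c.getSubjectX500Principal() + "\n    issued by " + c.getIssuerX500Principal());
    // A self-signed root at the end is a trust anchor, not part of the path PKIX validates (the JDK's validator strips it too).
    X509Certificate last = sent.get(sent.size() - 1);
    if (sent.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) sent = sent.subList(0, sent.size() - 1);
    // Validate the way the JVM's PKIX TrustManager does, against that truststore.
    PKIXParameters params = new PKIXParameters(ts);
    params.setRevocationEnabled(false); // diagnosis only; the real TrustManager may also check CRL/OCSP
    CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(sent);
    try {
      CertPathValidator.getInstance("PKIX").validate(path, params);
      System.out.println("OK: chain validates against " + storePath);
    } catch (CertPathValidatorException e) {
      System.out.println("FAIL: " + e.getMessage()); X509Certificate top = sent.get(sent.size() - 1);
      boolean issuerInStore = params.getTrustAnchors().stream()
          .anyMatch(a -> a.getTrustedCert().getSubjectX500Principal().equals(top.getIssuerX500Principal()));
      if (!issuerInStore) System.out.println(sent.size() == 1
          ? "Server sent only its leaf; the intermediate belongs in the server's certificate bundle, not in the truststore."
          : "Issuer of the last certificate sent is not a trust anchor in " + storePath);
    }
  }
  /** Records the chain the server presents, then rejects it so the connection is never trusted or used. */
  static List<X509Certificate> fetchChain(String host, int port) throws Exception {
    List<X509Certificate> seen = new ArrayList<>();
    X509TrustManager capture = new X509TrustManager() {
      public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { throw new CertificateException("no client auth"); }
      public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { seen.addAll(Arrays.asList(c)); throw new CertificateException("captured"); }
      public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };
    SSLContext ctx = SSLContext.getInstance("TLS"); ctx.init(null, new TrustManager[] { capture }, null);
    try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
      SSLParameters p = s.getSSLParameters(); p.setServerNames(Collections.<SNIServerName>singletonList(new SNIHostName(host))); s.setSSLParameters(p);
      s.startHandshake();
    } catch (SSLHandshakeException expected) { /* rejected on purpose after capture */ }
    return seen;
  }
}
```

Run it with the same `-Djavax.net.ssl.trustStore` and `-Djavax.net.ssl.trustStorePassword` flags as the failing application so the check uses the store the application uses.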

0 Answers