My Oracle Support Banner

java.security.cert.CertificateException: Can't Verify Cert Error With New CA Certificate With Longer Validity (Doc ID 1945265.1)

Last updated on MARCH 26, 2019

Applies to:

Oracle API Gateway - Version 11.1.1.6.1 and later
Information in this document applies to any platform.

Symptoms

Some systems use certificates which are signed by a CA which is a subordinate CA of a Root CA  (http://<HOST>.<DOMAIN>/<ROOTCA>.htm).
OEG has been configured with ROOT CA (expiring in a year), which means that the certificates can be created with <number of> years validity.
A new CA certificate from the Root CA  (new) was obtained; all works fine.

Because some client SSL certificates have to be provided for some business partners for mutual authentication,  the configuration of OEG must be extended by this new certificate CA.
Therefore, the new CA certificate has been added to cacerts and to OEG configuration.

This causes the SSL authentication to stop working.


The following is output seen in the trace:

 

Cause

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!


In this Document
Symptoms
Cause
Solution
References


My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.