java.security.cert.CertificateException: Can't Verify Cert Error With New CA Certificate With Longer Validity (Doc ID 1945265.1)

Last updated on JANUARY 13, 2017

Applies to:

Oracle API Gateway - Version 11.1.1.6.1 and later
Information in this document applies to any platform.

Symptoms

Some systems use certificates which are signed by a CA which is a subordinate CA of a Group Root CA II, org Group (http://rootca.com/en/rootca2_subcas.htm).
OEG has been configured with ROOT CA org Group Root CA II + org-cai (old expiring in 2016), which means that the certificates can be created with 2 years validity in this time.
A new CA certificate from org Group Root CA II to org-cai (new) was obtained; all works fine.

Because some client SSL certificates have to be provided for some business partners for mutual authentication,  the configuration of OEG must be extended by this new certificate CA org-cai.
Therefore, the new CA certificate org-cai has been added to cacerts and to OEG configuration.

This causes the SSL authentication to stop working.


The following is output seen in the trace:

 

Cause

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms