[Java SE] How to Import Certificate Chains Containing G5 (SHA1) Root Certificates with Java SE 8
(Doc ID 2311013.1)
Last updated on NOVEMBER 08, 2023
Applies to:
Java SE JDK and JRE - Version 8 and later
Information in this document applies to any platform.
Goal
After updating to Java SE 8 Update 144, the SSL/TLS handshake fails for X.509 certificate chains that include a VeriSign "G5" root certificate signed with SHA1withRSA. This occurs even though the intermediate and user certificates are both signed with SHA256withRSA. This is seen in the error shown below:
Assuming the problem is due to the disabling of SHA-1 certificates that are validated by the PKIX implementation of the CertPathValidator and CertPathBuilder APIs and the SunX509 and PKIX implementations of the TrustManagerFactory API, per JEP 288: Disable SHA-1 Certificates, can the existing X.509 certificate chain be re-imported in a way that allows the SHA-1 certificate to be accepted without requiring manual changes to the deployment.properties file on all desktops?
Solution