My Oracle Support Banner

[Java SE] How to Import Certificate Chains Containing G5 (SHA1) Root Certificates with Java SE 8 (Doc ID 2311013.1)

Last updated on NOVEMBER 08, 2023

Applies to:

Java SE JDK and JRE - Version 8 and later
Information in this document applies to any platform.


After updating to Java SE 8 Update 144, the SSL/TLS handshake is failing for the x.509 certificate chains that include a VeriSign "G5" root certificate which is signed with SHA1withRSA.  This occurs even though the intermediate and user certificates are both signed with SHA256withRSA.  This is seen in the error shown below:

Assuming the problem is due to the disabling of SHA-1 certificates that are validated by the PKIX implementation of the CertPathValidator and CertPathBuilder APIs and the SunX509 and PKIX implementations of the TrustManagerFactory API, per JEP 288: Disable SHA-1 Certificates, can the existing x509 chain of certificates be re-imported in a way that will allow the SHA-1 certificate to be accepted and not require manual changes to the file for all desktops?


To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.