How to Import Certificate Chains Containing G5 (SHA1) Root Certificates with Java SE 8
Last updated on OCTOBER 22, 2017
Applies to: Java SE JDK and JRE - Version 8 and later
Information in this document applies to any platform.
After updating to Java SE 8 Update 144, the SSL/TLS handshake fails for X.509 certificate chains that include a VeriSign "G5" root certificate signed with SHA1withRSA. This occurs even though the intermediate and user certificates are both signed with SHA256withRSA. This is seen in the error shown below:
Assuming the problem is due to the disabling of SHA-1 certificates that are validated by the PKIX implementation of the CertPathBuilder APIs and the PKIX implementations of the TrustManagerFactory API, per JEP 288: Disable SHA-1 Certificates, can the existing X.509 chain of certificates be re-imported in a way that will allow the SHA-1 certificate to be accepted and not require manual changes to the deployment.properties file for all desktops?