How to Import Certificate Chains Containing G5 (SHA1) Root Certificates with Java SE 8

(Doc ID 2311013.1)

Last updated on OCTOBER 22, 2017

Applies to:

Java SE JDK and JRE - Version 8 and later
Information in this document applies to any platform.

Goal

After updating to Java SE 8 Update 144, the SSL/TLS handshake fails for X.509 certificate chains that include a VeriSign "G5" root certificate signed with SHA1withRSA. This occurs even though the intermediate and user certificates are both signed with SHA256withRSA. This is seen in the error shown below:


Assuming the problem is due to the disabling of SHA-1 certificates that are validated by the PKIX implementation of the CertPathValidator and CertPathBuilder APIs and by the SunX509 and PKIX implementations of the TrustManagerFactory API, per JEP 288: Disable SHA-1 Certificates, can the existing X.509 certificate chain be re-imported in a way that allows the SHA-1 certificate to be accepted without requiring manual changes to the deployment.properties file on every desktop?


Solution
