
openjdk team mailing list archive

[Bug 240314] Re: openjdk doesn’t trust SSL certificates configured with update-ca-certificates


For frustrated users of local CAs, you can work around this problem by
manually importing your CA into Java’s keystore, with a command similar
to this:

sudo keytool -import -keystore /etc/java-6-openjdk/security/cacerts \
    -storepass changeit -alias mitCA -file /usr/share/ca-certificates/mit.edu/mitCA.crt

-- 
openjdk doesn’t trust SSL certificates configured with update-ca-certificates
https://bugs.launchpad.net/bugs/240314
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-6 in ubuntu.

Status in Source Package "openjdk-6" in Ubuntu: New

Bug description:
Debian and Ubuntu provide a standard mechanism for adding a trusted SSL certificate authority to the system, by configuring it in /etc/ca-certificates.conf and running update-ca-certificates.  That command symlinks trusted CAs into /etc/ssl/certs and adds them to /etc/ssl/certs/ca-certificates.crt.

I’m pretty sure this used to work with openjdk, but it no longer does.  Even though my local CA is correctly configured and other applications can use it, Java applets on SSL pages fail to load with exceptions like this:

  I/O exception while reading: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Perhaps this is related to LP #224455 (which looks bogus to me because /etc/ssl is world-readable by default).

openjdk should either read trusted CAs from the standard location, or it should hook update-ca-certificates to add trusted CAs to whatever private keystore it actually uses (by dropping a hook script into /etc/ca-certificates/update.d).  Users of local CAs should not have to configure them in a dozen different locations.
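As an added example (not Debian/Ubuntu's or OpenJDK's own code), here is the kind of hook the report asks for: a script for /etc/ca-certificates/update.d that imports the CAs enabled by update-ca-certificates into the Java keystore, and deletes them again when a CA is disabled, so Java's trust follows the system's. It assumes the keystore path and default "changeit" store password quoted in the thread, and that update-ca-certificates feeds hooks one line per changed certificate on stdin, "+/path" for an added certificate and "-/path" for a removed one.

```shell
#!/bin/sh
# Added example (not Debian/Ubuntu's or OpenJDK's own code): a hook for
# /etc/ca-certificates/update.d that mirrors the CAs enabled by
# update-ca-certificates into a Java keystore. Assumptions: the keystore
# path and the default "changeit" store password from the bug thread, and
# that update-ca-certificates writes one line per changed certificate to
# the hook's stdin, "+/path" for added and "-/path" for removed.

KEYSTORE="${KEYSTORE:-/etc/java-6-openjdk/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"

# Keystore alias for a certificate file: basename without extension,
# lowercased (keytool aliases are case-insensitive), every other
# character folded to '-'.  .../mit.edu/mitCA.crt -> mitca
cert_alias() {
    base=$(basename "$1")
    printf '%s' "${base%.*}" | tr 'A-Z' 'a-z' | sed 's/[^a-z0-9]/-/g'
}

# Translate one stdin line from update-ca-certificates into
# "add PATH", "remove PATH" or "ignore".
parse_hook_line() {
    case "$1" in
        +*) printf 'add %s\n' "${1#+}" ;;
        -*) printf 'remove %s\n' "${1#-}" ;;
        *)  printf 'ignore\n' ;;
    esac
}

# True if the keystore already holds an entry under this alias
# (keytool -list exits non-zero when the alias does not exist).
has_alias() {
    keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        -alias "$1" >/dev/null 2>&1
}

# Import a PEM CA certificate unless that alias is already present.
import_cert() {
    entry=$(cert_alias "$1")
    if has_alias "$entry"; then
        echo "keep   $entry (already in $KEYSTORE)"
        return 0
    fi
    echo "import $entry from $1"
    keytool -importcert -noprompt -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -alias "$entry" -file "$1"
}

# Drop the entry for a CA the administrator has disabled, so Java stops
# trusting it at the same moment the rest of the system does.
remove_cert() {
    entry=$(cert_alias "$1")
    if has_alias "$entry"; then
        echo "delete $entry"
        keytool -delete -keystore "$KEYSTORE" -storepass "$STOREPASS" \
            -alias "$entry"
    fi
}

# Process the +/- list update-ca-certificates passes on stdin.
run_hook() {
    while IFS= read -r line; do
        parse_hook_line "$line"
    done | while read -r action path; do
        case "$action" in
            add)    import_cert "$path" ;;
            remove) remove_cert "$path" ;;
        esac
    done
}

# Only act when installed as a hook; sourcing the file elsewhere just
# defines the functions for inspection.
case "$0" in
    */update.d/*) run_hook ;;
esac
```

Installed (root-owned, executable) under /etc/ca-certificates/update.d and followed by a run of update-ca-certificates, the hook leaves an entry that `keytool -list -keystore /etc/java-6-openjdk/security/cacerts -storepass changeit -alias mitca` will show, which is the quickest check that Java now trusts the local CA. Note that "changeit" is the well-known default: cacerts is a trust store, so the password only guards the file's integrity, and the real protection is that only root can write the keystore and the hook.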
