I created an SSL server cert at CAcert. When I try to fetch a page from this server from a Java program (below), I get
Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: CA key usage check failed: keyCertSign bit is not set
Anyone know what might be causing this?
- I’ve tried creating certs signed by both their class 1 and class 3 root certs, same result.
- The error does not occur when I try to fetch pages from two other sites that use CAcert.org certs: https://www.cacert.org and https://pause.perl.org (leading me to believe that the root & class 3 certs from cacert.org are properly installed on my system).
- I can see the cacert.org certs in keytool -keystore /etc/ssl/certs/java/cacerts -list.
- Yes, I know few web browsers are shipped with cacert.org root and class 3 certs.
- The cert is a wildcard cert for *.an.example.com (real domain redacted).
Here’s the Java code I’m using to test:
class Test {
    public static void main(String args[]) throws Exception {
        // args[0] is the https:// URL to fetch. Opening the stream performs the
        // TLS handshake, which is where PKIX path validation runs and fails.
        java.net.URL url = new java.net.URL(args[0]);
        java.io.InputStream s = url.openStream();
        s.close();
    }
}
The full stack trace doesn’t appear to add any useful information.
The keytool(1) manpage does mention
Extensions can be marked critical to indicate that the extension should
be checked and enforced/used. For example, if a certificate has the
KeyUsage extension marked critical and set to "keyCertSign" then if this
certificate is presented during SSL communication, it should be rejected,
as the certificate extension indicates that the associated private key
should only be used for signing certificates and not for SSL use.
but I checked the cert, and while the “Certificate Key Usage” extension does say “Signing”, it is also marked “Not Critical”.
Sorry, I don’t wish to reveal my domain name or cert, but I can probably spin up a server for testing if necessary.
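To see which certificate in a chain trips this check, here is an added example (not code from the question or from CAcert): it reads a PEM bundle from the path in args[0] (an assumed input) and applies the same rule the JDK's PKIX validator applies to CA certificates, namely that a CA certificate carrying a KeyUsage extension must assert keyCertSign, whether or not the extension is marked critical.

```java
import java.io.FileInputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Set;

public class KeyUsageCheck {
    // Bit positions in X509Certificate.getKeyUsage() follow RFC 5280:
    // digitalSignature(0) ... keyCertSign(5), cRLSign(6).
    static final int KEY_CERT_SIGN = 5;
    static final String KEY_USAGE_OID = "2.5.29.15";

    /** True when basicConstraints marks the certificate as a CA. */
    static boolean isCa(X509Certificate c) {
        return c.getBasicConstraints() != -1;
    }

    /**
     * Mirrors the validator's CA key usage check. Returns null when the
     * certificate passes, otherwise a diagnostic string. A CA certificate
     * with no KeyUsage extension is unrestricted and passes.
     */
    static String checkCaKeyUsage(X509Certificate c) {
        if (!isCa(c)) return null;            // end-entity certs are not subject to this check
        boolean[] ku = c.getKeyUsage();       // null when the extension is absent
        if (ku == null) return null;
        if (ku.length > KEY_CERT_SIGN && ku[KEY_CERT_SIGN]) return null;
        Set<String> crit = c.getCriticalExtensionOIDs();
        boolean critical = crit != null && crit.contains(KEY_USAGE_OID);
        return "keyCertSign bit is not set (KeyUsage critical=" + critical + ")";
    }

    public static void main(String[] args) throws Exception {
        // args[0]: PEM file holding the server chain (leaf, intermediates, root).
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> certs;
        try (FileInputStream in = new FileInputStream(args[0])) {
            certs = cf.generateCertificates(in);
        }
        for (Certificate cert : certs) {
            X509Certificate x = (X509Certificate) cert;
            String verdict = checkCaKeyUsage(x);
            System.out.println(x.getSubjectX500Principal() + " CA=" + isCa(x)
                + " -> " + (verdict == null ? "ok" : verdict));
        }
    }
}
```

Any CA certificate reported with the diagnostic is the one the validator rejects; the "Not Critical" marking on KeyUsage does not exempt it from the check.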
Turned out to be a problem with the cert itself. Folks at CAcert.org fixed it. Yay!