Is it possible to connect to a site using SSL where the client only has the root certificate, but the server has both the root and the intermediate certificates?
I am trying to connect using HttpURLConnection with a TrustManager containing my roots, and I get the usual handshake error:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException:
Certificate chaining error
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:379)
I know that the general solution is to install the intermediate certificates, but I would like to avoid the constant one-offing of getting vendor X’s new intermediate certificate.
I am familiar with using a TrustManager that accepts everything, but that is not an option.
When a server has a certificate signed by a sub-CA A, which is in turn signed by a root CA (e.g. Verisign), the server will send all the certificates as part of the server hello so that the server's certificate can be validated.
In your case you only have the root CA in the truststore.
As a result it is impossible to build the chain of trust, since you are missing the sub-CA certificate.
It is not only impossible, it would be wrong/insecure to be able to do that. So what you are doing is well outside the proper path.
So you only have two options:
1. Put the server's actual certificate in the truststore as trusted.
2. Put the whole chain in the truststore, i.e. the intermediate CA certificates along with the root.
What are your concerns? Intermediate certificate expiration?
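As an added example (not code from the question or the answer), the script below builds a throwaway root/intermediate/leaf chain with openssl and runs the three cases the answer describes: a trust store holding only the root while the server presents just its leaf, the same root with the intermediate supplied alongside the leaf as the server hello would carry it, and the root plus intermediate both placed in the trust store. All names, paths and the config file are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the question or answer): build a throwaway
# root -> intermediate -> leaf chain with openssl and check which trust
# store contents let the leaf validate. All names are made up.
set -e
WORK="${WORK:-$(mktemp -d)}"
# Minimal req config so the result does not depend on the system openssl.cnf.
write_config() {
  cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:server.example.test
EOF
}
# Self-signed root, intermediate signed by it, leaf signed by the intermediate.
make_chain() {
  write_config
  openssl req -x509 -config "$WORK/req.cnf" -subj "/CN=Example Root" -days 1 \
    -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -new -config "$WORK/req.cnf" -subj "/CN=Example Intermediate" \
    -newkey rsa:2048 -nodes -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -set_serial 1001 -days 1 -extfile "$WORK/req.cnf" -extensions ca -out "$WORK/inter.pem" 2>/dev/null
  openssl req -new -config "$WORK/req.cnf" -subj "/CN=server.example.test" \
    -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -set_serial 1002 -days 1 -extfile "$WORK/req.cnf" -extensions leaf -out "$WORK/leaf.pem" 2>/dev/null
}
# Prints ok/fail for the leaf against a trust store plus optional untrusted
# extra certs (-untrusted models what the server sends in its hello).
verify_leaf() {
  trust="$1"; shift
  if openssl verify -CAfile "$trust" "$@" "$WORK/leaf.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}
root_only() { verify_leaf "$WORK/root.pem"; }   # anchor = root, server sends leaf only: no path
root_plus_sent_intermediate() { verify_leaf "$WORK/root.pem" -untrusted "$WORK/inter.pem"; }
root_and_intermediate_in_store() { cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/ts.pem"; verify_leaf "$WORK/ts.pem"; }
make_chain
echo "root only: $(root_only); root + sent intermediate: $(root_plus_sent_intermediate); both in store: $(root_and_intermediate_in_store)"
```

The first case prints fail and the other two print ok; for a Java truststore the equivalent of the last case is importing inter.pem with keytool -importcert next to the root.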