I don't think the CA is the problem here (at least not yet). The message when the CA is not supported is something like "untrusted server cert chain". The problem here is that the cert DNS name does not match the server DNS name. This is either because they are actually different, or because the cert is for a domain instead of a host (e.g. .apache.org instead of jakarta.apache.org).
In regard to untrusted certs, importing the cert into the keystore will solve the problem.
Mike
On Wednesday, September 10, 2003, at 03:03 PM, Derek Alexander wrote:
Hi,
Using the HttpClient, I've run into some problems with Certificates.
The error I'm getting is this:
javax.net.ssl.SSLHandshakeException:
java.security.cert.CertificateException: Certificate chaining error: issuer
DN != subject DN
Running with ssl debug on, I think the problem is that the site uses a CA
who isn't in CACERTS.
Following the SecureSockets info on the HttpClient pages, I've put a
temporary workaround in place with a modified version of the
EasySSLProtocolSocketFactory.java class from there. For the moment I've put
a TrustManager that trusts everything.
IE has the certificates and I know I can export them. If I did that, could I
then import them into a KeyStore (other CACERTS) and use that somehow? If so
how?
If anyone has done this before, I'd appreciate the help.
Thanks, D.
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
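Added example, not part of the original thread or of the HttpClient code base: one way to load an exported certificate into an in-memory KeyStore and validate against it with the JDK's standard TrustManager instead of one that trusts everything, with host name checking switched on so the name mismatch described in the reply is still caught. The class name, the alias `exported-ca` and the command-line arguments are assumptions made for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class CustomTrustExample {

    /** Build an SSLContext that trusts only the certificate stored in certPath (PEM or DER). */
    static SSLContext contextTrusting(String certPath) throws Exception {
        Certificate ca;
        try (InputStream in = new FileInputStream(certPath)) {
            ca = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // In-memory truststore holding just the exported certificate.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("exported-ca", ca); // alias is an assumption

        // Normal chain validation against that store, replacing a trust-everything TrustManager.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String certPath = args[0]; // path to the exported certificate file
        String host = args[1];     // server to test against
        SSLContext ctx = contextTrusting(certPath);
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443)) {
            // A raw SSLSocket does not compare the certificate name with the host by default;
            // enabling it makes a certificate issued for a different name fail the handshake.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.startHandshake();
            System.out.println("Handshake OK: " + socket.getSession().getPeerPrincipal());
        }
    }
}
```

A custom socket factory such as the modified EasySSLProtocolSocketFactory mentioned in the question could obtain its sockets from this context's `getSocketFactory()` rather than from a context built around a trust-all TrustManager.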
