Hi Sean,

Thank you for taking a look at my request for the Suggestion to Improve Debug Messaging on CertPath. I hadn't received the follow-up email earlier, even though I had subscribed to the mailing list. There was an issue with the subscription, but it's now resolved and completed successfully. That's how I came across your response. Apologies for the delay in getting back to you.

To reply to your question below:
>> If the certificate contains the same public key, subject and SAN, why does
>> validation fail?

If two certificates share the same subject, public key, and SANs but have different serial numbers, the actual certificate will be ignored. During the cert path validation process, the code detects the two certificates as duplicates, and the first match the code finds is the certificate created by the application, not the actual certificate used by the customer. Because the server here expects a matching certificate and a valid trust store, but it received the default certificate created by the application, the TLS certificate validation fails.

The certpath debug trace shows that it found a "duplicate", but it doesn't state that it's going to ignore it, and doesn't provide any information on which certificates are actually involved.

Suggestion / can be improved as below in:
https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java#L583

debug.println("Certificate with repeated subject, public key, and subjectAltNames will be ignored" + cert);

Or

debug.println("Certificate with repeated subject, public key, and subjectAltNames detected: " + cert);

While this may not be a common customer scenario, the enhancement is simple to implement and would significantly improve the clarity of debugging in certificate-related issues.

Please let me know your thoughts.

Thanks,
Pooja
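As an added illustration (not code from the thread or from the JDK), the small tool below reports which certificates in a keystore would collide under the "same subject, public key, and subjectAltNames" criterion the message describes, printing each one's serial number so the ignored certificate can be identified. The duplicate key it builds is an assumption modelled on that description, not the JDK's internal comparison; the keystore path, password and type are command-line arguments.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;

public class DuplicateCertFinder {
    // Assumed duplicate criterion from the thread: subject + public key + SANs.
    // The serial number is deliberately excluded, which is why two distinct
    // certificates can collide.
    static String duplicateKey(X509Certificate cert) throws Exception {
        String subject = cert.getSubjectX500Principal().getName();
        String pubKey = Base64.getEncoder().encodeToString(cert.getPublicKey().getEncoded());
        List<String> sanList = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                Object value = san.get(1);
                // otherName / x400Address / ediPartyName come back as DER bytes
                String text = (value instanceof byte[])
                    ? Base64.getEncoder().encodeToString((byte[]) value) : String.valueOf(value);
                sanList.add(san.get(0) + ":" + text);
            }
        }
        Collections.sort(sanList);
        return subject + "|" + pubKey + "|" + sanList;
    }

    // Groups certificates by the duplicate key and keeps only groups of two or more.
    static Map<String, List<X509Certificate>> findDuplicateGroups(Collection<X509Certificate> certs) throws Exception {
        Map<String, List<X509Certificate>> groups = new LinkedHashMap<>();
        for (X509Certificate c : certs) {
            groups.computeIfAbsent(duplicateKey(c), k -> new ArrayList<>()).add(c);
        }
        groups.values().removeIf(g -> g.size() < 2);
        return groups;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java DuplicateCertFinder <keystore> <password> [type, default PKCS12]
        KeyStore ks = KeyStore.getInstance(args.length > 2 ? args[2] : "PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        List<X509Certificate> certs = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) certs.add((X509Certificate) c);
        }
        for (List<X509Certificate> group : findDuplicateGroups(certs).values()) {
            System.out.println("Certificates with repeated subject, public key, and subjectAltNames:");
            for (X509Certificate c : group) {
                System.out.println("  serial=" + c.getSerialNumber().toString(16)
                    + " notAfter=" + c.getNotAfter() + " issuer=" + c.getIssuerX500Principal());
            }
        }
    }
}
```

Running it against the trust store used by the failing server shows the colliding pair and their serial numbers, which is exactly the information the current "duplicate" debug line omits.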