2016-09-29 11:14 GMT+02:00 Claude Libois <[email protected]>:

> Hello,
> This problem might be more related to how Java validates certificates, but I'll give it a try here.
> My client certificate chain is Root CA > Intermediate CA > client cert.
> I wish to only trust certificates coming from the Intermediate CA and not the Root CA.
> However, I have noticed that the PKI validator (which is the default one) called by Merlin failed to validate:
>
> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: Error during certificate path validation: Path does not chain with any of the trust anchors
>     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:160)
>     at com.sun.proxy.$Proxy34.submit(Unknown Source)
>     at client.OffresEmploiClientSigning.doCall(OffresEmploiClientSigning.java:87)
>     at client.OffresEmploiClientSigning.main(OffresEmploiClientSigning.java:65)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:606)
>     at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
> Caused by: org.apache.cxf.binding.soap.SoapFault: Error during certificate path validation: Path does not chain with any of the trust anchors
>     at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.unmarshalFault(Soap11FaultInInterceptor.java:86)
>     at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:52)
>     at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:41)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
>     at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:113)
>     at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)
>     at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
>     at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:802)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1645)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1533)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1336)
>     at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
>     at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:652)
>     at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
>     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:516)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:425)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:326)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:279)
>     at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
>     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:138)
>
> Is there a way to configure validation to trust a non-self-signed CA?

I guess that if you import only the Intermediate CA cert into your JKS as a trusted certificate, certificate path validation isn't required any more.

> Best Regards,
> Claude
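
An added example, not part of the thread and not CXF or WSS4J code: the JDK's PKIX validator accepts a non-self-signed certificate as a trust anchor, provided the path handed to it stops below that anchor; a path that still contains the anchor or anything above it is rejected with the "Path does not chain with any of the trust anchors" message. The class name, method names and the three command-line inputs (a JKS truststore holding only the Intermediate CA, its password, and a PEM file with the presented chain) are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Added illustration. Assumed inputs (hypothetical):
//   args[0] = JKS truststore holding ONLY the Intermediate CA as a trusted entry
//   args[1] = truststore password
//   args[2] = PEM file with the presented chain, client certificate first
public class IntermediateAnchorCheck {

    // Keep only the certificates below the first one that is itself a trusted entry:
    // a PKIX CertPath must end with a certificate issued by the anchor, not the anchor.
    static List<X509Certificate> trimAtAnchor(List<X509Certificate> chain, KeyStore trust)
            throws Exception {
        List<X509Certificate> below = new ArrayList<>();
        for (X509Certificate c : chain) {
            if (trust.getCertificateAlias(c) != null) break; // reached a trust anchor
            below.add(c);
        }
        if (below.isEmpty()) // an empty path would validate trivially, so refuse it
            throw new CertPathValidatorException("no certificate below a trust anchor");
        return below;
    }

    static PKIXCertPathValidatorResult validate(List<X509Certificate> chain, KeyStore trust)
            throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(trimAtAnchor(chain, trust));
        PKIXParameters params = new PKIXParameters(trust); // trusted entries become anchors
        params.setRevocationEnabled(false); // revocation checking is out of scope here
        return (PKIXCertPathValidatorResult)
                CertPathValidator.getInstance("PKIX").validate(path, params);
    }

    public static void main(String[] args) throws Exception {
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            trust.load(in, args[1].toCharArray());
        }
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[2])) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in))
                chain.add((X509Certificate) c);
        }
        // A CertPathValidatorException here means the chain does not lead to the anchor.
        System.out.println("Anchor used: "
                + validate(chain, trust).getTrustAnchor().getTrustedCert().getSubjectX500Principal());
    }
}
```

With only the Intermediate CA in the truststore, a client certificate issued directly by the Root CA or by a different intermediate fails validation, which is the restriction asked about in the quoted message.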
