Hi,
I got the following pki chain Root CA>Intermediate CA>Client signing
certificate
A suggested by Colm, I have set in my truststore my Intermediate CA and my
Root CA.
However, by doing this, CRL verification doesn't work. In fact, it seems to
validate my Intermediate CA against the Root CA crl while I'm only
interested to verify the client certificate.
I'm not sure how revocation validation works but it seems to validate CRL
for every certificate(except the Root).
However, I don't know how to specify multiple CRL in WSS4J or if it
possible to merge 2 crl files into a common one ?
I have provided 2 logs. The first one with the Intermediate CA CRL. We can
see that validation of the Intermediate CA against Root CRL failed since
it's not provided.
The second one is with the Root CA CRL. Intermediate CA validation succeed
but the signing certificate then failed...
Best Regards,
Claude
certpath: PKIXCertPathValidator.engineValidate()...
certpath: X509CertSelector.match(SN: 1001
Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE
XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
Subject: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE
XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE)
certpath: X509CertSelector.match returning: true
certpath: YES - try this trustedCert
certpath: anchor.getTrustedCert().getSubjectX500Principal() =
EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE XXXXX,
L=YYYYYYYY, ST=BE-WAL, C=BE
certpath: --------------------------------------------------------------
certpath: Executing PKIX certification path validation algorithm.
certpath: Checking cert1 - Subject: EMAILADDRESS=admin....@xxxxx.be, CN=CA
XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
certpath: Set of critical extensions: {2.5.29.15, 2.5.29.19}
certpath: -Using checker1 ... [sun.security.provider.certpath.UntrustedChecker]
certpath: -checker1 validation succeeded
certpath: -Using checker2 ... [sun.security.provider.certpath.AlgorithmChecker]
certpath: -checker2 validation succeeded
certpath: -Using checker3 ... [sun.security.provider.certpath.KeyChecker]
certpath: KeyChecker.verifyCAKeyUsage() ---checking CA key usage...
certpath: KeyChecker.verifyCAKeyUsage() CA key usage verified.
certpath: -checker3 validation succeeded
certpath: -Using checker4 ...
[sun.security.provider.certpath.ConstraintsChecker]
certpath: ---checking basic constraints...
certpath: i = 1, maxPathLength = 2
certpath: after processing, maxPathLength = 0
certpath: basic constraints verified.
certpath: ---checking name constraints...
certpath: prevNC = null, newNC = null
certpath: mergedNC = null
certpath: name constraints verified.
certpath: -checker4 validation succeeded
certpath: -Using checker5 ... [sun.security.provider.certpath.PolicyChecker]
certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
certpath: PolicyChecker.checkPolicy() certIndex = 1
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 3
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 3
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 3
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = anyPolicy
ROOT
certpath: PolicyChecker.processPolicies() no policies present in cert
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = null
certpath: PolicyChecker.checkPolicy() certificate policies verified
certpath: -checker5 validation succeeded
certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker]
certpath: ---checking timestamp:Fri Sep 30 15:00:27 CEST 2016...
certpath: timestamp verified.
certpath: ---checking subject/issuer name chaining...
certpath: subject/issuer name chaining verified.
certpath: ---checking signature...
certpath: signature verified.
certpath: BasicChecker.updateState issuer: EMAILADDRESS=admin....@xxxxx.be,
CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE; subject:
EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX,
L=YYYYYYYY, ST=BE-WAL, C=BE; serial#: 4102
certpath: -checker6 validation succeeded
certpath: -Using checker7 ... [sun.security.provider.certpath.RevocationChecker]
certpath: RevocationChecker.check: checking cert
SN: 1006
Subject: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI,
O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE
XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
certpath: RevocationChecker.checkCRLs() ---checking revocation status ...
certpath: RevocationChecker.checkCRLs() possible crls.size() = 1
certpath: RevocationChecker.verifyPossibleCRLs: Checking CRLDPs for
EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX,
L=YYYYYYYY, ST=BE-WAL, C=BE
certpath: DistributionPointFetcher.verifyCRL: checking revocation status for
SN: 1006
Subject: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI,
O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE
XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
certpath: crl issuer does not equal cert issuer.
crl issuer: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI,
O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
cert issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE
XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
certpath: RevocationChecker.checkCRLs() approved crls.size() = 0
certpath: RevocationChecker.verifyWithSeparateSigningKey() ---checking
revocation status...
certpath: RevocationChecker.buildToNewKey() starting work
certpath: RevocationChecker.buildToNewKey() about to try build ...
certpath: SunCertPathBuilder.engineBuild([
[
Trust Anchors: [[
Trusted CA cert: [
[
Version: V3
Subject: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE
XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 4096 bits
modulus:
757166756920510850997438207962088916609872109946431433989296078075602042220926394398551390769796831728193939711432842903511941214272932573852285275214179034859597330550625319193222892469576120689553765468370807601568112808231170096169082168537885589705895635713872210702012004031523682425346774112051846622975766184689108058747030284172103686999628109676661081273300346026871487086419873440925490418296627889153228600749069045235201490403093579068581219338418214563423834747140480706763866533598954533186301390391504835198904804515297259711341125345343616216876266388561532680302139092424862894388754173131931360747990553434424080584611817372860470883957785955617393396886007780299439606976794197171784551750449989137136450952764774331895562614623824410593840038662630739590101772629540710106067636115228545775821291964937689049803601060809618898096037566392083301156186898033787487790990589635839070770198854379434975664058447764825424043023290046329250044517866360146347831039228646359661897336382422059098059715013345418130799828323256965239802596387260629979651828295864600680796174885606259621560594875267986406858568948915562913236871335712337741810905351171912586559081609414113067312668314495018742520277440859836517309032729
public exponent: 65537
Validity: [From: Wed Nov 05 11:34:40 CET 2014,
To: Sat Nov 02 11:34:40 CET 2024]
Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE
XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
SerialNumber: [ 1001]
Certificate Extensions: 3
[1]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
[2]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4F 8C A2 FD F3 04 ED B0 2A E7 BB B0 51 A9 51 DC O.......*...Q.Q.
0010: 6C FD FA 1C l...
]
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 20 BB 9E DF D0 08 D9 9B F4 FF BE 70 DC 1B 22 92 ..........p..".
0010: D5 16 7F 93 9F 58 12 3C DE 57 7D 35 DC DB 83 65 .....X.<.W.5...e
0020: C2 5D A9 08 4A 34 51 9B 6E D5 08 36 92 5A FE 32 .]..J4Q.n..6.Z.2
0030: FE B1 EE 31 51 D2 CE 94 C4 7C 22 04 7A DB F3 B7 ...1Q.....".z...
0040: D5 C3 AF F5 AB 5F A0 59 C0 88 A6 DA E2 97 3B 77 ....._.Y......;w
0050: E0 C2 A3 7A ED 89 CB 2B 40 BB 19 9D B4 26 CA 79 ...z...+@....&.y
0060: 08 32 1F 14 D3 C2 6E 7F 1A 77 27 56 D8 79 EC FC .2....n..w'V.y..
0070: 2A 76 77 21 90 E1 E8 1D 0D A0 71 7D 1B 0E 40 12 *vw!......q...@.
0080: 9F 29 46 51 1B C2 1D EB 7E 29 FE 9F 4F 68 78 D9 .)FQ.....)..Ohx.
0090: C7 62 F7 8D F5 97 B0 38 52 42 7B 91 E8 DA 4E C5 .b.....8RB....N.
00A0: 13 50 D6 43 E5 09 24 F6 0A 75 BC 9E 40 68 BF 83 .P.C..$..u..@h..
00B0: 4E B3 A7 04 18 6B 00 E9 8C E8 05 61 22 EE 66 DF N....k.....a".f.
00C0: E8 D2 F8 2F 3C 38 F9 69 91 F2 7C FF B9 A6 A4 21 .../<8.i.......!
00D0: DF E6 F3 33 72 92 A1 EA E9 C4 4E 75 BF 35 16 B5 ...3r.....Nu.5..
00E0: B8 54 E9 D5 23 3A ED 4D C1 E1 1E 19 CA B7 8B 45 .T..#:.M.......E
00F0: A2 78 5E 32 C4 35 D0 D0 75 04 99 0A 62 E3 38 9C .x^2.5..u...b.8.
0100: 79 E8 BF D5 F8 56 D5 8B D6 E1 3A 91 50 10 25 23 y....V....:.P.%#
0110: 90 B8 4E AB CD 3B 4D C3 D2 35 88 AF 7E 54 4E FA ..N..;M..5...TN.
0120: 21 61 30 8D CF 17 AE C4 D3 71 E0 A6 C5 4B C3 B6 !a0......q...K..
0130: 7D 20 A0 5C 7B 43 59 AC A2 4A 8B 29 21 F1 11 86 . .\.CY..J.)!...
0140: DF 4D E5 38 8A B7 61 A1 48 6D 5C E3 AD F5 A1 D8 .M.8..a.Hm\.....
0150: E2 3E D6 13 DC 56 58 26 FA 21 A2 49 64 03 00 E3 .>...VX&.!.Id...
0160: 01 C9 3F 37 03 72 77 E2 01 A8 78 DF 79 41 00 60 ..?7.rw...x.yA.`
0170: A7 C0 1B B3 65 53 7A BA 46 BE 8E 56 6F 82 35 85 ....eSz.F..Vo.5.
0180: 30 85 6E 2B E9 2C 77 AD 24 B7 CF CB D1 8C B6 15 0.n+.,w.$.......
0190: AF CB 40 BD 54 4A 83 C5 27 EA 86 7F 8B FC E6 F3 ..@.TJ..'.......
01A0: 86 62 75 0D 06 3D E1 33 2C 13 00 93 46 BD CA BE .bu..=.3,...F...
01B0: EF CF FF C8 60 1F C3 42 FF 81 80 42 67 F7 2D 23 ....`..B...Bg.-#
01C0: AF 53 DC C0 06 A7 BC 31 D5 3D 10 C6 E6 5A C2 55 .S.....1.=...Z.U
01D0: B8 F3 51 75 3D A7 07 7C DA 6B DE 54 3E D4 B5 A4 ..Qu=....k.T>...
01E0: 72 D6 3B 73 F1 BB 9D E4 F2 90 91 E7 A3 50 CA B9 r.;s.........P..
01F0: 1F C5 77 1C 73 97 8C 72 44 7C CB 05 93 0C 68 A7 ..w.s..rD.....h.
]
]
Initial Policy OIDs: any
Validity Date: Fri Sep 30 15:00:27 CEST 2016
Signature Provider: null
Default Revocation Enabled: false
Explicit Policy Required: false
Policy Mapping Inhibited: false
Any Policy Inhibited: false
Policy Qualifiers Rejected: true
Target Cert Constraints: RejectKeySelector: [
X509CertSelector: [
Subject:
1.2.840.113549.1.9.1=#161261646d696e2e73736c40666f72656d2e6265,CN=Root CA
XXXXX,OU=DSI,O=LE XXXXX,L=YYYYYYYY,ST=BE-WAL,C=BE
matchAllSubjectAltNames flag: true
Key Usage: KeyUsage [
Crl_Sign
]
][Sun RSA public key, 4096 bits
modulus:
757166756920510850997438207962088916609872109946431433989296078075602042220926394398551390769796831728193939711432842903511941214272932573852285275214179034859597330550625319193222892469576120689553765468370807601568112808231170096169082168537885589705895635713872210702012004031523682425346774112051846622975766184689108058747030284172103686999628109676661081273300346026871487086419873440925490418296627889153228600749069045235201490403093579068581219338418214563423834747140480706763866533598954533186301390391504835198904804515297259711341125345343616216876266388561532680302139092424862894388754173131931360747990553434424080584611817372860470883957785955617393396886007780299439606976794197171784551750449989137136450952764774331895562614623824410593840038662630739590101772629540710106067636115228545775821291964937689049803601060809618898096037566392083301156186898033787487790990589635839070770198854379434975664058447764825424043023290046329250044517866360146347831039228646359661897336382422059098059715013345418130799828323256965239802596387260629979651828295864600680796174885606259621560594875267986406858568948915562913236871335712337741810905351171912586559081609414113067312668314495018742520277440859836517309032729
public exponent: 65537]]
Certification Path Checkers: [[]]
CertStores: [[java.security.cert.CertStore@1728442,
java.security.cert.CertStore@1d8b312]]
] Maximum Path Length: 5
]
)
certpath: SunCertPathBuilder.buildForward()...
certpath:
SunCertPathBuilder.depthFirstSearchForward(EMAILADDRESS=admin....@xxxxx.be,
CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE, State [
issuerDN of last cert: null
traversedCACerts: 0
init: true
keyParamsNeeded: false
subjectNamesTraversed:
[]]
)
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: X509CertSelector.match(SN: 1006
Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE
XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
Subject: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI,
O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: 1003
Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI,
O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
Subject: EMAILADDRESS=dsi....@xxxxx.be, CN=eai, OU=DSI, O=XXXXX, L=YYYYYYYY,
ST=Some-State, C=BE)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): the target is a CA
certpath: X509CertSelector.match(SN: 1001
Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE
XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
Subject: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE
XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE)
certpath: X509CertSelector.match returning: true
certpath: RejectKeySelector.match: bad key
certpath: X509CertSelector.match(SN: 1006
Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE
XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
Subject: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI,
O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: 1003
Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI,
O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
Subject: EMAILADDRESS=dsi....@xxxxx.be, CN=eai, OU=DSI, O=XXXXX, L=YYYYYYYY,
ST=Some-State, C=BE)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
certpath: SunCertPathBuilder.engineBuild: 2nd pass; try building again
searching all certstores
certpath: SunCertPathBuilder.buildForward()...
certpath:
SunCertPathBuilder.depthFirstSearchForward(EMAILADDRESS=admin....@xxxxx.be,
CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE, State [
issuerDN of last cert: null
traversedCACerts: 0
init: true
keyParamsNeeded: false
subjectNamesTraversed:
[]]
)
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: X509CertSelector.match(SN: 1006
Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE
XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
Subject: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI,
O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: 1003
Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI,
O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
Subject: EMAILADDRESS=dsi....@xxxxx.be, CN=eai, OU=DSI, O=XXXXX, L=YYYYYYYY,
ST=Some-State, C=BE)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): the target is a CA
certpath: X509CertSelector.match(SN: 1001
Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE
XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
Subject: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE
XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE)
certpath: X509CertSelector.match returning: true
certpath: RejectKeySelector.match: bad key
certpath: X509CertSelector.match(SN: 1006
Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE
XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
Subject: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI,
O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: 1003
Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI,
O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
Subject: EMAILADDRESS=dsi....@xxxxx.be, CN=eai, OU=DSI, O=XXXXX, L=YYYYYYYY,
ST=Some-State, C=BE)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
certpath: AdaptableX509CertSelector.match: subject key IDs don't match.
Expected: [4, 20, 79, -116, -94, -3, -13, 4, -19, -80, 42, -25, -69, -80, 81,
-87, 81, -36, 108, -3, -6, 28] Cert's: [4, 20, -113, -75, -53, -32, -56, -33,
25, -117, -83, -65, 99, -87, -122, -61, -48, -111, -30, -80, 80, -99]
certpath: NO - don't try this trustedCert
certpath: PKIXCertPathValidator.engineValidate()...
certpath: AdaptableX509CertSelector.match: subject key IDs don't match.
Expected: [4, 20, 79, -116, -94, -3, -13, 4, -19, -80, 42, -25, -69, -80, 81,
-87, 81, -36, 108, -3, -6, 28] Cert's: [4, 20, -113, -75, -53, -32, -56, -33,
25, -117, -83, -65, 99, -87, -122, -61, -48, -111, -30, -80, 80, -99]
certpath: NO - don't try this trustedCert
certpath: X509CertSelector.match(SN: 1001
Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE
XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
Subject: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE
XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE)
certpath: X509CertSelector.match returning: true
certpath: YES - try this trustedCert
certpath: anchor.getTrustedCert().getSubjectX500Principal() =
EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE XXXXX,
L=YYYYYYYY, ST=BE-WAL, C=BE
certpath: --------------------------------------------------------------
certpath: Executing PKIX certification path validation algorithm.
certpath: Checking cert1 - Subject: EMAILADDRESS=admin....@xxxxx.be, CN=CA
XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
certpath: Set of critical extensions: {2.5.29.15, 2.5.29.19}
certpath: -Using checker1 ... [sun.security.provider.certpath.UntrustedChecker]
certpath: -checker1 validation succeeded
certpath: -Using checker2 ... [sun.security.provider.certpath.AlgorithmChecker]
certpath: -checker2 validation succeeded
certpath: -Using checker3 ... [sun.security.provider.certpath.KeyChecker]
certpath: KeyChecker.verifyCAKeyUsage() ---checking CA key usage...
certpath: KeyChecker.verifyCAKeyUsage() CA key usage verified.
certpath: -checker3 validation succeeded
certpath: -Using checker4 ...
[sun.security.provider.certpath.ConstraintsChecker]
certpath: ---checking basic constraints...
certpath: i = 1, maxPathLength = 2
certpath: after processing, maxPathLength = 0
certpath: basic constraints verified.
certpath: ---checking name constraints...
certpath: prevNC = null, newNC = null
certpath: mergedNC = null
certpath: name constraints verified.
certpath: -checker4 validation succeeded
certpath: -Using checker5 ... [sun.security.provider.certpath.PolicyChecker]
certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
certpath: PolicyChecker.checkPolicy() certIndex = 1
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 3
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 3
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 3
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = anyPolicy
ROOT
certpath: PolicyChecker.processPolicies() no policies present in cert
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = null
certpath: PolicyChecker.checkPolicy() certificate policies verified
certpath: -checker5 validation succeeded
certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker]
certpath: ---checking timestamp:Fri Sep 30 15:06:38 CEST 2016...
certpath: timestamp verified.
certpath: ---checking subject/issuer name chaining...
certpath: subject/issuer name chaining verified.
certpath: ---checking signature...
certpath: signature verified.
certpath: BasicChecker.updateState issuer: EMAILADDRESS=admin....@xxxxx.be,
CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE; subject:
EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX,
L=YYYYYYYY, ST=BE-WAL, C=BE; serial#: 4102
certpath: -checker6 validation succeeded
certpath: -Using checker7 ... [sun.security.provider.certpath.RevocationChecker]
certpath: RevocationChecker.check: checking cert
SN: 1006
Subject: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI,
O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE
XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
certpath: RevocationChecker.checkCRLs() ---checking revocation status ...
certpath: RevocationChecker.checkCRLs() possible crls.size() = 1
certpath: RevocationChecker.verifyPossibleCRLs: Checking CRLDPs for
EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX,
L=YYYYYYYY, ST=BE-WAL, C=BE
certpath: DistributionPointFetcher.verifyCRL: checking revocation status for
SN: 1006
Subject: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI,
O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE
XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
certpath: X509CertSelector.match(SN: 1006
Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE
XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
Subject: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI,
O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE)
certpath: X509CertSelector.match: subject DNs don't match
certpath: RevocationChecker.checkCRLs() approved crls.size() = 1
certpath: RevocationChecker.checkApprovedCRLs() starting the final sweep...
certpath: RevocationChecker.checkApprovedCRLs() cert SN: 4102
certpath: -checker7 validation succeeded
certpath:
cert1 validation succeeded.
certpath: Checking cert2 - Subject: EMAILADDRESS=dsi....@xxxxx.be, CN=eai,
OU=DSI, O=XXXXX, L=YYYYYYYY, ST=Some-State, C=BE
certpath: Set of critical extensions: {2.5.29.15, 2.5.29.19}
certpath: -Using checker1 ... [sun.security.provider.certpath.UntrustedChecker]
certpath: -checker1 validation succeeded
certpath: -Using checker2 ... [sun.security.provider.certpath.AlgorithmChecker]
certpath: -checker2 validation succeeded
certpath: -Using checker3 ... [sun.security.provider.certpath.KeyChecker]
certpath: -checker3 validation succeeded
certpath: -Using checker4 ...
[sun.security.provider.certpath.ConstraintsChecker]
certpath: ---checking basic constraints...
certpath: i = 2, maxPathLength = 0
certpath: after processing, maxPathLength = 0
certpath: basic constraints verified.
certpath: ---checking name constraints...
certpath: prevNC = null, newNC = null
certpath: mergedNC = null
certpath: name constraints verified.
certpath: -checker4 validation succeeded
certpath: -Using checker5 ... [sun.security.provider.certpath.PolicyChecker]
certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
certpath: PolicyChecker.checkPolicy() certIndex = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = null
certpath: PolicyChecker.processPolicies() no policies present in cert
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = null
certpath: PolicyChecker.checkPolicy() certificate policies verified
certpath: -checker5 validation succeeded
certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker]
certpath: ---checking timestamp:Fri Sep 30 15:06:38 CEST 2016...
certpath: timestamp verified.
certpath: ---checking subject/issuer name chaining...
certpath: subject/issuer name chaining verified.
certpath: ---checking signature...
certpath: signature verified.
certpath: BasicChecker.updateState issuer: EMAILADDRESS=admin....@xxxxx.be,
CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE;
subject: EMAILADDRESS=dsi....@xxxxx.be, CN=eai, OU=DSI, O=XXXXX, L=YYYYYYYY,
ST=Some-State, C=BE; serial#: 4099
certpath: -checker6 validation succeeded
certpath: -Using checker7 ... [sun.security.provider.certpath.RevocationChecker]
certpath: RevocationChecker.check: checking cert
SN: 1003
Subject: EMAILADDRESS=dsi....@xxxxx.be, CN=eai, OU=DSI, O=XXXXX, L=YYYYYYYY,
ST=Some-State, C=BE
Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI,
O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
certpath: RevocationChecker.checkCRLs() ---checking revocation status ...
certpath: RevocationChecker.checkCRLs() possible crls.size() = 1
certpath: RevocationChecker.verifyPossibleCRLs: Checking CRLDPs for
EMAILADDRESS=dsi....@xxxxx.be, CN=eai, OU=DSI, O=XXXXX, L=YYYYYYYY,
ST=Some-State, C=BE
certpath: DistributionPointFetcher.verifyCRL: checking revocation status for
SN: 1003
Subject: EMAILADDRESS=dsi....@xxxxx.be, CN=eai, OU=DSI, O=XXXXX, L=YYYYYYYY,
ST=Some-State, C=BE
Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI,
O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
certpath: crl issuer does not equal cert issuer.
crl issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE
XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
cert issuer: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI,
O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
certpath: RevocationChecker.checkCRLs() approved crls.size() = 0
certpath: RevocationChecker.verifyWithSeparateSigningKey() ---checking
revocation status...
certpath: RevocationChecker.buildToNewKey() starting work
certpath: RevocationChecker.buildToNewKey() about to try build ...
certpath: SunCertPathBuilder.engineBuild([
[
Trust Anchors: [[
Trusted CA cert: [
[
Version: V3
Subject: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE
XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 4096 bits
modulus:
757166756920510850997438207962088916609872109946431433989296078075602042220926394398551390769796831728193939711432842903511941214272932573852285275214179034859597330550625319193222892469576120689553765468370807601568112808231170096169082168537885589705895635713872210702012004031523682425346774112051846622975766184689108058747030284172103686999628109676661081273300346026871487086419873440925490418296627889153228600749069045235201490403093579068581219338418214563423834747140480706763866533598954533186301390391504835198904804515297259711341125345343616216876266388561532680302139092424862894388754173131931360747990553434424080584611817372860470883957785955617393396886007780299439606976794197171784551750449989137136450952764774331895562614623824410593840038662630739590101772629540710106067636115228545775821291964937689049803601060809618898096037566392083301156186898033787487790990589635839070770198854379434975664058447764825424043023290046329250044517866360146347831039228646359661897336382422059098059715013345418130799828323256965239802596387260629979651828295864600680796174885606259621560594875267986406858568948915562913236871335712337741810905351171912586559081609414113067312668314495018742520277440859836517309032729
public exponent: 65537
Validity: [From: Wed Nov 05 11:34:40 CET 2014,
To: Sat Nov 02 11:34:40 CET 2024]
Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE
XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
SerialNumber: [ 1001]
Certificate Extensions: 3
[1]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
[2]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4F 8C A2 FD F3 04 ED B0 2A E7 BB B0 51 A9 51 DC O.......*...Q.Q.
0010: 6C FD FA 1C l...
]
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 20 BB 9E DF D0 08 D9 9B F4 FF BE 70 DC 1B 22 92 ..........p..".
0010: D5 16 7F 93 9F 58 12 3C DE 57 7D 35 DC DB 83 65 .....X.<.W.5...e
0020: C2 5D A9 08 4A 34 51 9B 6E D5 08 36 92 5A FE 32 .]..J4Q.n..6.Z.2
0030: FE B1 EE 31 51 D2 CE 94 C4 7C 22 04 7A DB F3 B7 ...1Q.....".z...
0040: D5 C3 AF F5 AB 5F A0 59 C0 88 A6 DA E2 97 3B 77 ....._.Y......;w
0050: E0 C2 A3 7A ED 89 CB 2B 40 BB 19 9D B4 26 CA 79 ...z...+@....&.y
0060: 08 32 1F 14 D3 C2 6E 7F 1A 77 27 56 D8 79 EC FC .2....n..w'V.y..
0070: 2A 76 77 21 90 E1 E8 1D 0D A0 71 7D 1B 0E 40 12 *vw!......q...@.
0080: 9F 29 46 51 1B C2 1D EB 7E 29 FE 9F 4F 68 78 D9 .)FQ.....)..Ohx.
0090: C7 62 F7 8D F5 97 B0 38 52 42 7B 91 E8 DA 4E C5 .b.....8RB....N.
00A0: 13 50 D6 43 E5 09 24 F6 0A 75 BC 9E 40 68 BF 83 .P.C..$..u..@h..
00B0: 4E B3 A7 04 18 6B 00 E9 8C E8 05 61 22 EE 66 DF N....k.....a".f.
00C0: E8 D2 F8 2F 3C 38 F9 69 91 F2 7C FF B9 A6 A4 21 .../<8.i.......!
00D0: DF E6 F3 33 72 92 A1 EA E9 C4 4E 75 BF 35 16 B5 ...3r.....Nu.5..
00E0: B8 54 E9 D5 23 3A ED 4D C1 E1 1E 19 CA B7 8B 45 .T..#:.M.......E
00F0: A2 78 5E 32 C4 35 D0 D0 75 04 99 0A 62 E3 38 9C .x^2.5..u...b.8.
0100: 79 E8 BF D5 F8 56 D5 8B D6 E1 3A 91 50 10 25 23 y....V....:.P.%#
0110: 90 B8 4E AB CD 3B 4D C3 D2 35 88 AF 7E 54 4E FA ..N..;M..5...TN.
0120: 21 61 30 8D CF 17 AE C4 D3 71 E0 A6 C5 4B C3 B6 !a0......q...K..
0130: 7D 20 A0 5C 7B 43 59 AC A2 4A 8B 29 21 F1 11 86 . .\.CY..J.)!...
0140: DF 4D E5 38 8A B7 61 A1 48 6D 5C E3 AD F5 A1 D8 .M.8..a.Hm\.....
0150: E2 3E D6 13 DC 56 58 26 FA 21 A2 49 64 03 00 E3 .>...VX&.!.Id...
0160: 01 C9 3F 37 03 72 77 E2 01 A8 78 DF 79 41 00 60 ..?7.rw...x.yA.`
0170: A7 C0 1B B3 65 53 7A BA 46 BE 8E 56 6F 82 35 85 ....eSz.F..Vo.5.
0180: 30 85 6E 2B E9 2C 77 AD 24 B7 CF CB D1 8C B6 15 0.n+.,w.$.......
0190: AF CB 40 BD 54 4A 83 C5 27 EA 86 7F 8B FC E6 F3 ..@.TJ..'.......
01A0: 86 62 75 0D 06 3D E1 33 2C 13 00 93 46 BD CA BE .bu..=.3,...F...
01B0: EF CF FF C8 60 1F C3 42 FF 81 80 42 67 F7 2D 23 ....`..B...Bg.-#
01C0: AF 53 DC C0 06 A7 BC 31 D5 3D 10 C6 E6 5A C2 55 .S.....1.=...Z.U
01D0: B8 F3 51 75 3D A7 07 7C DA 6B DE 54 3E D4 B5 A4 ..Qu=....k.T>...
01E0: 72 D6 3B 73 F1 BB 9D E4 F2 90 91 E7 A3 50 CA B9 r.;s.........P..
01F0: 1F C5 77 1C 73 97 8C 72 44 7C CB 05 93 0C 68 A7 ..w.s..rD.....h.
]
]
Initial Policy OIDs: any
Validity Date: Fri Sep 30 15:06:38 CEST 2016
Signature Provider: null
Default Revocation Enabled: false
Explicit Policy Required: false
Policy Mapping Inhibited: false
Any Policy Inhibited: false
Policy Qualifiers Rejected: true
Target Cert Constraints: RejectKeySelector: [
X509CertSelector: [
Subject: 1.2.840.113549.1.9.1=#161261646d696e2e73736c40666f72656d2e6265,CN=CA
XXXXX ESB SIGN ACC,OU=DSI,O=LE XXXXX,L=YYYYYYYY,ST=BE-WAL,C=BE
matchAllSubjectAltNames flag: true
Key Usage: KeyUsage [
Crl_Sign
]
][Sun RSA public key, 4096 bits
modulus:
668074444479579212089918154233908530842928728453308085832521176384800291920203983159623307067239501543814850567490324319634665637774635564488812550438900738544735282044547332807364838031597719013527290192614300839501985000532700478987841696480438534428339582690406801567120119871551019806806075955420008686160219583380258782420423663887155100274323753850964223271069940538748282115935489499616321801158325818953588954491362695081595685501821923098374459954386140516168810097550613446832616462015555278613491670561638502502190355897663691350071699057338372390042873197703150374793939460417851859074299686712365765082996478942512466433726727548434566733568483222665387932825694383072167628694136083798727749414960859178217658952347161074149530169525605502652088326269694532813531483495567135401919422998949325668242562925231463327847923732661341986442166461554553712973443119559942600870102483638976341371110905006384647976977140057128670042780069069991994401565811136775829429611901984809822201322671107634817563513222134122536575279247437717701499137959033636485640359029817179500745288528667590761041014020009800634737910433110759786460152174925083242651186433919029813485368790624801682775310407639250866771478267415580883531472389
public exponent: 65537]]
Certification Path Checkers: [[]]
CertStores: [[java.security.cert.CertStore@10cb5a1,
java.security.cert.CertStore@181a6c2]]
] Maximum Path Length: 5
]
)
certpath: SunCertPathBuilder.buildForward()...
certpath:
SunCertPathBuilder.depthFirstSearchForward(EMAILADDRESS=admin....@xxxxx.be,
CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE,
State [
issuerDN of last cert: null
traversedCACerts: 0
init: true
keyParamsNeeded: false
subjectNamesTraversed:
[]]
)
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: X509CertSelector.match(SN: 1006
Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE
XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
Subject: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI,
O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE)
certpath: X509CertSelector.match: not an EE cert
certpath: X509CertSelector.match(SN: 1003
Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI,
O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
Subject: EMAILADDRESS=dsi....@xxxxx.be, CN=eai, OU=DSI, O=XXXXX, L=YYYYYYYY,
ST=Some-State, C=BE)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): the target is a CA
certpath: X509CertSelector.match(SN: 1001
Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE
XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
Subject: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE
XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: 1006
Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE
XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
Subject: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI,
O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE)
certpath: X509CertSelector.match returning: true
certpath: RejectKeySelector.match: bad key
certpath: X509CertSelector.match(SN: 1003
Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI,
O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
Subject: EMAILADDRESS=dsi....@xxxxx.be, CN=eai, OU=DSI, O=XXXXX, L=YYYYYYYY,
ST=Some-State, C=BE)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
certpath: SunCertPathBuilder.engineBuild: 2nd pass; try building again
searching all certstores
certpath: SunCertPathBuilder.buildForward()...
certpath:
SunCertPathBuilder.depthFirstSearchForward(EMAILADDRESS=admin....@xxxxx.be,
CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE,
State [
issuerDN of last cert: null
traversedCACerts: 0
init: true
keyParamsNeeded: false
subjectNamesTraversed:
[]]
)
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: X509CertSelector.match(SN: 1006
Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE
XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
Subject: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI,
O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE)
certpath: X509CertSelector.match: not an EE cert
certpath: X509CertSelector.match(SN: 1003
Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI,
O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
Subject: EMAILADDRESS=dsi....@xxxxx.be, CN=eai, OU=DSI, O=XXXXX, L=YYYYYYYY,
ST=Some-State, C=BE)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): the target is a CA
certpath: X509CertSelector.match(SN: 1001
Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE
XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
Subject: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE
XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: 1006
Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE
XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
Subject: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI,
O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE)
certpath: X509CertSelector.match returning: true
certpath: RejectKeySelector.match: bad key
certpath: X509CertSelector.match(SN: 1003
Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI,
O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE
Subject: EMAILADDRESS=dsi....@xxxxx.be, CN=eai, OU=DSI, O=XXXXX, L=YYYYYYYY,
ST=Some-State, C=BE)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
