Hi,

I have the following PKI chain: Root CA > Intermediate CA > Client signing certificate.

As suggested by Colm, I have put my Intermediate CA and my Root CA in my truststore. However, by doing this, CRL verification doesn't work. In fact, it seems to validate my Intermediate CA against the Root CA CRL, while I'm only interested in verifying the client certificate. I'm not sure how revocation validation works, but it seems to validate the CRL for every certificate (except the Root). However, I don't know how to specify multiple CRLs in WSS4J, or whether it is possible to merge 2 CRL files into a common one?

I have provided 2 logs. The first one is with the Intermediate CA CRL. We can see that validation of the Intermediate CA against the Root CRL failed since it's not provided. The second one is with the Root CA CRL. Intermediate CA validation succeeds but the signing certificate then fails...

Best Regards,
Claude
certpath: PKIXCertPathValidator.engineValidate()... certpath: X509CertSelector.match(SN: 1001 Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE Subject: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE) certpath: X509CertSelector.match returning: true certpath: YES - try this trustedCert certpath: anchor.getTrustedCert().getSubjectX500Principal() = EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE certpath: -------------------------------------------------------------- certpath: Executing PKIX certification path validation algorithm. certpath: Checking cert1 - Subject: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE certpath: Set of critical extensions: {2.5.29.15, 2.5.29.19} certpath: -Using checker1 ... [sun.security.provider.certpath.UntrustedChecker] certpath: -checker1 validation succeeded certpath: -Using checker2 ... [sun.security.provider.certpath.AlgorithmChecker] certpath: -checker2 validation succeeded certpath: -Using checker3 ... [sun.security.provider.certpath.KeyChecker] certpath: KeyChecker.verifyCAKeyUsage() ---checking CA key usage... certpath: KeyChecker.verifyCAKeyUsage() CA key usage verified. certpath: -checker3 validation succeeded certpath: -Using checker4 ... [sun.security.provider.certpath.ConstraintsChecker] certpath: ---checking basic constraints... certpath: i = 1, maxPathLength = 2 certpath: after processing, maxPathLength = 0 certpath: basic constraints verified. certpath: ---checking name constraints... certpath: prevNC = null, newNC = null certpath: mergedNC = null certpath: name constraints verified. certpath: -checker4 validation succeeded certpath: -Using checker5 ... [sun.security.provider.certpath.PolicyChecker] certpath: PolicyChecker.checkPolicy() ---checking certificate policies... 
certpath: PolicyChecker.checkPolicy() certIndex = 1 certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 3 certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 3 certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 3 certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = anyPolicy ROOT certpath: PolicyChecker.processPolicies() no policies present in cert certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2 certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2 certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2 certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = null certpath: PolicyChecker.checkPolicy() certificate policies verified certpath: -checker5 validation succeeded certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker] certpath: ---checking timestamp:Fri Sep 30 15:00:27 CEST 2016... certpath: timestamp verified. certpath: ---checking subject/issuer name chaining... certpath: subject/issuer name chaining verified. certpath: ---checking signature... certpath: signature verified. certpath: BasicChecker.updateState issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE; subject: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE; serial#: 4102 certpath: -checker6 validation succeeded certpath: -Using checker7 ... [sun.security.provider.certpath.RevocationChecker] certpath: RevocationChecker.check: checking cert SN: 1006 Subject: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE certpath: RevocationChecker.checkCRLs() ---checking revocation status ... 
certpath: RevocationChecker.checkCRLs() possible crls.size() = 1 certpath: RevocationChecker.verifyPossibleCRLs: Checking CRLDPs for EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE certpath: DistributionPointFetcher.verifyCRL: checking revocation status for SN: 1006 Subject: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE certpath: crl issuer does not equal cert issuer. crl issuer: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE cert issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE certpath: RevocationChecker.checkCRLs() approved crls.size() = 0 certpath: RevocationChecker.verifyWithSeparateSigningKey() ---checking revocation status... certpath: RevocationChecker.buildToNewKey() starting work certpath: RevocationChecker.buildToNewKey() about to try build ... 
certpath: SunCertPathBuilder.engineBuild([ [ Trust Anchors: [[ Trusted CA cert: [ [ Version: V3 Subject: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: Sun RSA public key, 4096 bits public exponent: 65537 Validity: [From: Wed Nov 05 11:34:40 CET 2014, To: Sat Nov 02 11:34:40 CET 2024] Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE SerialNumber: [ 1001] Certificate Extensions: 3 [1]: ObjectId: 2.5.29.19 Criticality=true BasicConstraints:[ CA:true PathLen:2147483647 ] [2]: ObjectId: 2.5.29.15 Criticality=true KeyUsage [ Key_CertSign Crl_Sign ] [3]: ObjectId: 2.5.29.14
Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: 4F 8C A2 FD F3 04 ED B0 2A E7 BB B0 51 A9 51 DC O.......*...Q.Q. 0010: 6C FD FA 1C l... ] ] ] Algorithm: [SHA256withRSA] ] ] Initial Policy OIDs: any Validity Date: Fri Sep 30 15:00:27 CEST 2016 Signature Provider: null Default Revocation Enabled: false Explicit Policy Required: false Policy Mapping Inhibited: false Any Policy Inhibited: false Policy Qualifiers Rejected: true Target Cert Constraints: RejectKeySelector: [ X509CertSelector: [ Subject: 1.2.840.113549.1.9.1=#161261646d696e2e73736c40666f72656d2e6265,CN=Root CA XXXXX,OU=DSI,O=LE XXXXX,L=YYYYYYYY,ST=BE-WAL,C=BE matchAllSubjectAltNames flag: true Key Usage: KeyUsage [ Crl_Sign ] ][Sun RSA public key, 4096 bits
public exponent: 65537]] Certification Path Checkers: [[]] CertStores: [[java.security.cert.CertStore@1728442, java.security.cert.CertStore@1d8b312]] ] Maximum Path Length: 5 ] ) certpath: SunCertPathBuilder.buildForward()... certpath: SunCertPathBuilder.depthFirstSearchForward(EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE, State [ issuerDN of last cert: null traversedCACerts: 0 init: true keyParamsNeeded: false subjectNamesTraversed: []] ) certpath: ForwardBuilder.getMatchingCerts()... certpath: ForwardBuilder.getMatchingEECerts()...
certpath: X509CertSelector.match(SN: 1006 Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE Subject: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE) certpath: X509CertSelector.match: subject DNs don't match certpath: X509CertSelector.match(SN: 1003 Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE Subject: EMAILADDRESS=dsi....@xxxxx.be, CN=eai, OU=DSI, O=XXXXX, L=YYYYYYYY, ST=Some-State, C=BE) certpath: X509CertSelector.match: subject DNs don't match certpath: ForwardBuilder.getMatchingCACerts()... certpath: ForwardBuilder.getMatchingCACerts(): the target is a CA certpath: X509CertSelector.match(SN: 1001 Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE Subject: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE) certpath: X509CertSelector.match returning: true certpath: RejectKeySelector.match: bad key certpath: X509CertSelector.match(SN: 1006 Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE Subject: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE) certpath: X509CertSelector.match: subject DNs don't match certpath: X509CertSelector.match(SN: 1003 Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE Subject: EMAILADDRESS=dsi....@xxxxx.be, CN=eai, OU=DSI, O=XXXXX, L=YYYYYYYY, ST=Some-State, C=BE) certpath: X509CertSelector.match: subject DNs don't match certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0 certpath: SunCertPathBuilder.engineBuild: 2nd pass; try building again searching all certstores certpath: 
SunCertPathBuilder.buildForward()... certpath: SunCertPathBuilder.depthFirstSearchForward(EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE, State [ issuerDN of last cert: null traversedCACerts: 0 init: true keyParamsNeeded: false subjectNamesTraversed: []] ) certpath: ForwardBuilder.getMatchingCerts()... certpath: ForwardBuilder.getMatchingEECerts()... certpath: X509CertSelector.match(SN: 1006 Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE Subject: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE) certpath: X509CertSelector.match: subject DNs don't match certpath: X509CertSelector.match(SN: 1003 Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE Subject: EMAILADDRESS=dsi....@xxxxx.be, CN=eai, OU=DSI, O=XXXXX, L=YYYYYYYY, ST=Some-State, C=BE) certpath: X509CertSelector.match: subject DNs don't match certpath: ForwardBuilder.getMatchingCACerts()... 
certpath: ForwardBuilder.getMatchingCACerts(): the target is a CA certpath: X509CertSelector.match(SN: 1001 Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE Subject: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE) certpath: X509CertSelector.match returning: true certpath: RejectKeySelector.match: bad key certpath: X509CertSelector.match(SN: 1006 Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE Subject: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE) certpath: X509CertSelector.match: subject DNs don't match certpath: X509CertSelector.match(SN: 1003 Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE Subject: EMAILADDRESS=dsi....@xxxxx.be, CN=eai, OU=DSI, O=XXXXX, L=YYYYYYYY, ST=Some-State, C=BE) certpath: X509CertSelector.match: subject DNs don't match certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0 certpath: AdaptableX509CertSelector.match: subject key IDs don't match. Expected: [4, 20, 79, -116, -94, -3, -13, 4, -19, -80, 42, -25, -69, -80, 81, -87, 81, -36, 108, -3, -6, 28] Cert's: [4, 20, -113, -75, -53, -32, -56, -33, 25, -117, -83, -65, 99, -87, -122, -61, -48, -111, -30, -80, 80, -99] certpath: NO - don't try this trustedCert
certpath: PKIXCertPathValidator.engineValidate()... certpath: AdaptableX509CertSelector.match: subject key IDs don't match. Expected: [4, 20, 79, -116, -94, -3, -13, 4, -19, -80, 42, -25, -69, -80, 81, -87, 81, -36, 108, -3, -6, 28] Cert's: [4, 20, -113, -75, -53, -32, -56, -33, 25, -117, -83, -65, 99, -87, -122, -61, -48, -111, -30, -80, 80, -99] certpath: NO - don't try this trustedCert certpath: X509CertSelector.match(SN: 1001 Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE Subject: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE) certpath: X509CertSelector.match returning: true certpath: YES - try this trustedCert certpath: anchor.getTrustedCert().getSubjectX500Principal() = EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE certpath: -------------------------------------------------------------- certpath: Executing PKIX certification path validation algorithm. certpath: Checking cert1 - Subject: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE certpath: Set of critical extensions: {2.5.29.15, 2.5.29.19} certpath: -Using checker1 ... [sun.security.provider.certpath.UntrustedChecker] certpath: -checker1 validation succeeded certpath: -Using checker2 ... [sun.security.provider.certpath.AlgorithmChecker] certpath: -checker2 validation succeeded certpath: -Using checker3 ... [sun.security.provider.certpath.KeyChecker] certpath: KeyChecker.verifyCAKeyUsage() ---checking CA key usage... certpath: KeyChecker.verifyCAKeyUsage() CA key usage verified. certpath: -checker3 validation succeeded certpath: -Using checker4 ... [sun.security.provider.certpath.ConstraintsChecker] certpath: ---checking basic constraints... certpath: i = 1, maxPathLength = 2 certpath: after processing, maxPathLength = 0 certpath: basic constraints verified. 
certpath: ---checking name constraints... certpath: prevNC = null, newNC = null certpath: mergedNC = null certpath: name constraints verified. certpath: -checker4 validation succeeded certpath: -Using checker5 ... [sun.security.provider.certpath.PolicyChecker] certpath: PolicyChecker.checkPolicy() ---checking certificate policies... certpath: PolicyChecker.checkPolicy() certIndex = 1 certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 3 certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 3 certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 3 certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = anyPolicy ROOT certpath: PolicyChecker.processPolicies() no policies present in cert certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2 certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2 certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2 certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = null certpath: PolicyChecker.checkPolicy() certificate policies verified certpath: -checker5 validation succeeded certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker] certpath: ---checking timestamp:Fri Sep 30 15:06:38 CEST 2016... certpath: timestamp verified. certpath: ---checking subject/issuer name chaining... certpath: subject/issuer name chaining verified. certpath: ---checking signature... certpath: signature verified. certpath: BasicChecker.updateState issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE; subject: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE; serial#: 4102 certpath: -checker6 validation succeeded certpath: -Using checker7 ... 
[sun.security.provider.certpath.RevocationChecker] certpath: RevocationChecker.check: checking cert SN: 1006 Subject: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE certpath: RevocationChecker.checkCRLs() ---checking revocation status ... certpath: RevocationChecker.checkCRLs() possible crls.size() = 1 certpath: RevocationChecker.verifyPossibleCRLs: Checking CRLDPs for EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE certpath: DistributionPointFetcher.verifyCRL: checking revocation status for SN: 1006 Subject: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE certpath: X509CertSelector.match(SN: 1006 Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE Subject: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE) certpath: X509CertSelector.match: subject DNs don't match certpath: RevocationChecker.checkCRLs() approved crls.size() = 1 certpath: RevocationChecker.checkApprovedCRLs() starting the final sweep... certpath: RevocationChecker.checkApprovedCRLs() cert SN: 4102 certpath: -checker7 validation succeeded certpath: cert1 validation succeeded. certpath: Checking cert2 - Subject: EMAILADDRESS=dsi....@xxxxx.be, CN=eai, OU=DSI, O=XXXXX, L=YYYYYYYY, ST=Some-State, C=BE certpath: Set of critical extensions: {2.5.29.15, 2.5.29.19} certpath: -Using checker1 ... [sun.security.provider.certpath.UntrustedChecker] certpath: -checker1 validation succeeded certpath: -Using checker2 ... 
[sun.security.provider.certpath.AlgorithmChecker] certpath: -checker2 validation succeeded certpath: -Using checker3 ... [sun.security.provider.certpath.KeyChecker] certpath: -checker3 validation succeeded certpath: -Using checker4 ... [sun.security.provider.certpath.ConstraintsChecker] certpath: ---checking basic constraints... certpath: i = 2, maxPathLength = 0 certpath: after processing, maxPathLength = 0 certpath: basic constraints verified. certpath: ---checking name constraints... certpath: prevNC = null, newNC = null certpath: mergedNC = null certpath: name constraints verified. certpath: -checker4 validation succeeded certpath: -Using checker5 ... [sun.security.provider.certpath.PolicyChecker] certpath: PolicyChecker.checkPolicy() ---checking certificate policies... certpath: PolicyChecker.checkPolicy() certIndex = 2 certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 2 certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 2 certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 2 certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = null certpath: PolicyChecker.processPolicies() no policies present in cert certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2 certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2 certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2 certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = null certpath: PolicyChecker.checkPolicy() certificate policies verified certpath: -checker5 validation succeeded certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker] certpath: ---checking timestamp:Fri Sep 30 15:06:38 CEST 2016... certpath: timestamp verified. certpath: ---checking subject/issuer name chaining... certpath: subject/issuer name chaining verified. certpath: ---checking signature... certpath: signature verified. 
certpath: BasicChecker.updateState issuer: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE; subject: EMAILADDRESS=dsi....@xxxxx.be, CN=eai, OU=DSI, O=XXXXX, L=YYYYYYYY, ST=Some-State, C=BE; serial#: 4099 certpath: -checker6 validation succeeded certpath: -Using checker7 ... [sun.security.provider.certpath.RevocationChecker] certpath: RevocationChecker.check: checking cert SN: 1003 Subject: EMAILADDRESS=dsi....@xxxxx.be, CN=eai, OU=DSI, O=XXXXX, L=YYYYYYYY, ST=Some-State, C=BE Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE certpath: RevocationChecker.checkCRLs() ---checking revocation status ... certpath: RevocationChecker.checkCRLs() possible crls.size() = 1 certpath: RevocationChecker.verifyPossibleCRLs: Checking CRLDPs for EMAILADDRESS=dsi....@xxxxx.be, CN=eai, OU=DSI, O=XXXXX, L=YYYYYYYY, ST=Some-State, C=BE certpath: DistributionPointFetcher.verifyCRL: checking revocation status for SN: 1003 Subject: EMAILADDRESS=dsi....@xxxxx.be, CN=eai, OU=DSI, O=XXXXX, L=YYYYYYYY, ST=Some-State, C=BE Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE certpath: crl issuer does not equal cert issuer. crl issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE cert issuer: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE certpath: RevocationChecker.checkCRLs() approved crls.size() = 0 certpath: RevocationChecker.verifyWithSeparateSigningKey() ---checking revocation status... certpath: RevocationChecker.buildToNewKey() starting work certpath: RevocationChecker.buildToNewKey() about to try build ... 
certpath: SunCertPathBuilder.engineBuild([ [ Trust Anchors: [[ Trusted CA cert: [ [ Version: V3 Subject: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: Sun RSA public key, 4096 bits public exponent: 65537 Validity: [From: Wed Nov 05 11:34:40 CET 2014, To: Sat Nov 02 11:34:40 CET 2024] Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE SerialNumber: [ 1001] Certificate Extensions: 3 [1]: ObjectId: 2.5.29.19 Criticality=true BasicConstraints:[ CA:true PathLen:2147483647 ] [2]: ObjectId: 2.5.29.15 Criticality=true KeyUsage [ Key_CertSign Crl_Sign ] [3]: ObjectId: 2.5.29.14
Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: 4F 8C A2 FD F3 04 ED B0 2A E7 BB B0 51 A9 51 DC O.......*...Q.Q. 0010: 6C FD FA 1C l... ] ] ] Algorithm: [SHA256withRSA] ] ] Initial Policy OIDs: any Validity Date: Fri Sep 30 15:06:38 CEST 2016 Signature Provider: null Default Revocation Enabled: false Explicit Policy Required: false Policy Mapping Inhibited: false Any Policy Inhibited: false Policy Qualifiers Rejected: true Target Cert Constraints: RejectKeySelector: [ X509CertSelector: [ Subject: 1.2.840.113549.1.9.1=#161261646d696e2e73736c40666f72656d2e6265,CN=CA XXXXX ESB SIGN ACC,OU=DSI,O=LE XXXXX,L=YYYYYYYY,ST=BE-WAL,C=BE matchAllSubjectAltNames flag: true Key Usage: KeyUsage [ Crl_Sign ] ][Sun RSA public key, 4096 bits
public exponent: 65537]] Certification Path Checkers: [[]] CertStores: [[java.security.cert.CertStore@10cb5a1, java.security.cert.CertStore@181a6c2]] ] Maximum Path Length: 5 ] ) certpath: SunCertPathBuilder.buildForward()... certpath: SunCertPathBuilder.depthFirstSearchForward(EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE, State [ issuerDN of last cert: null traversedCACerts: 0 init: true keyParamsNeeded: false subjectNamesTraversed: []] ) certpath: ForwardBuilder.getMatchingCerts()... certpath: ForwardBuilder.getMatchingEECerts()...
certpath: X509CertSelector.match(SN: 1006 Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE Subject: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE)
certpath: X509CertSelector.match: not an EE cert
certpath: X509CertSelector.match(SN: 1003 Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE Subject: EMAILADDRESS=dsi....@xxxxx.be, CN=eai, OU=DSI, O=XXXXX, L=YYYYYYYY, ST=Some-State, C=BE)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): the target is a CA
certpath: X509CertSelector.match(SN: 1001 Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE Subject: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: 1006 Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE Subject: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE)
certpath: X509CertSelector.match returning: true
certpath: RejectKeySelector.match: bad key
certpath: X509CertSelector.match(SN: 1003 Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE Subject: EMAILADDRESS=dsi....@xxxxx.be, CN=eai, OU=DSI, O=XXXXX, L=YYYYYYYY, ST=Some-State, C=BE)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
certpath: SunCertPathBuilder.engineBuild: 2nd pass; try building again searching all certstores
certpath: SunCertPathBuilder.buildForward()...
certpath: SunCertPathBuilder.depthFirstSearchForward(EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE, State [ issuerDN of last cert: null traversedCACerts: 0 init: true keyParamsNeeded: false subjectNamesTraversed: []] )
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: X509CertSelector.match(SN: 1006 Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE Subject: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE)
certpath: X509CertSelector.match: not an EE cert
certpath: X509CertSelector.match(SN: 1003 Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE Subject: EMAILADDRESS=dsi....@xxxxx.be, CN=eai, OU=DSI, O=XXXXX, L=YYYYYYYY, ST=Some-State, C=BE)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): the target is a CA
certpath: X509CertSelector.match(SN: 1001 Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE Subject: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: 1006 Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=Root CA XXXXX, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE Subject: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE)
certpath: X509CertSelector.match returning: true
certpath: RejectKeySelector.match: bad key
certpath: X509CertSelector.match(SN: 1003 Issuer: EMAILADDRESS=admin....@xxxxx.be, CN=CA XXXXX ESB SIGN ACC, OU=DSI, O=LE XXXXX, L=YYYYYYYY, ST=BE-WAL, C=BE Subject: EMAILADDRESS=dsi....@xxxxx.be, CN=eai, OU=DSI, O=XXXXX, L=YYYYYYYY, ST=Some-State, C=BE)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0