Search code examples
sslssl-certificateroot-certificate

Why is my QuoVadis certificate not valid in a Java app?

I‘ve a signed server certificate by QuoVadis. If I access my server with the browser everything is fine, but if I try it from a Java app or via NodeJS script I receive an issue that my certificate path couldn’t be validated?

What is the reason? My thought is, that some certification authorities like QuoVadis or others root CA are included in Java etc, isn’t it?

Solution

  • ... certification authorities like QuoVadis or others root CA are included in Java etc, isn't it?

    For Java, it varies. Oracle (formerly Sun) builds of Java by default use their own set of root CAs, in the file JRE/lib/security/cacerts which is installed as part of Java, but this file can be modified and Java processes (JVMs) or programs can override the default. OpenJDK varies; some builds similarly default to cacerts, while some default to a cert store provided by the platform they use, such as Linux or MacOS. You didn't say what Java and/or platform(s) you use.

    For 'etc' it varies even more. NodeJS uses OpenSSL, which similarly has a default that can depend on build and/or platform. You don't give details or any clue what the other things(?) are.

    However, more likely this isn't the root cert at all. All public CAs, including QuoVadis, issue end-entity or 'leaf' certs that require use of at least one intermediate or 'chain cert' for validation, and sometimes more than one. (All) TLS standards require the server to send this chain cert (or these certs) as part of the handshake, and every CA I have seen gives instructions on which chain cert(s) to use, e.g. in this case https://support.quovadisglobal.com/kb/a469/understanding-the-trust-link-downloads-page.aspx . However, since many servers are operated by people who never read or follow instructions, most major browsers have workarounds that allow them to build and validate the cert chain even when the server breaks the rules. Java and NodeJS/OpenSSL clients (among others) do not do this, so if the server fails to send the correct chain they fail validation.

    If this is a public HTTPS server, https://www.ssllabs.com/ssltest will tell you, in addition to (much) other info about the TLS implementation and configuration, whether the server is sending or missing chain cert(s). For other servers, there are other tools, but the ones I know require some thought or knowledge by the user.