
PKIXNameConstraintValidatorException: DNS is not from a permitted subtree


I am loading one of the SSL certificates from a .crt file to access a resource. But when I make the call to that intranet resource, I get the following exception. Can someone suggest how to overcome this problem? Also, can I disable the DNS check?

...
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Subtree check for certificate subject alternative name failed.
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:362)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
    ... 81 more
Caused by: java.security.cert.CertPathValidatorException: Subtree check for certificate subject alternative name failed.
    at org.bouncycastle.jce.provider.RFC3280CertPathUtilities.processCertBC(Unknown Source)
    at org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(Unknown Source)
    at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:357)
    ... 87 more
Caused by: org.bouncycastle.jce.provider.PKIXNameConstraintValidatorException: DNS is not from a permitted subtree.
    at org.bouncycastle.jce.provider.PKIXNameConstraintValidator.checkPermittedDNS(Unknown Source)
    at org.bouncycastle.jce.provider.PKIXNameConstraintValidator.checkPermitted(Unknown Source)

Solution

  • I found the answer to this problem, sharing in case it saves time for anybody else. What was observed is that in some cases only the CA root certificate is not sufficient. But when the other intermediate certs are also loaded, this issue didn't occur. So basically the whole chain of certificates was needed to overcome this problem. A combination of the Bouncy Castle library upgrade and including the whole chain of certs worked for me.
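The following is an added example, not code from the question or the answer above: it loads a PEM bundle holding the root and every intermediate into an in-memory trust store, validates a server chain against it with the platform PKIX `CertPathValidator` (the same check that fails in the stack trace), and decodes the `NameConstraints` extension of any CA in the chain with Bouncy Castle so the permitted and excluded DNS subtrees behind a "DNS is not from a permitted subtree" failure can be read directly. The class name, the helper names and the two file-path arguments are assumptions; the Bouncy Castle calls (`JcaX509ExtensionUtils.parseExtensionValue`, `NameConstraints`, `GeneralSubtree`, `GeneralName`) come from the bcpkix/bcprov artifacts.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralSubtree;
import org.bouncycastle.asn1.x509.NameConstraints;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;

// Hypothetical class name; demonstrates validating against the whole CA chain.
public class ChainTrustCheck {

    private static final String NAME_CONSTRAINTS_OID = "2.5.29.30"; // id-ce-nameConstraints

    /** Reads every certificate from a PEM bundle (root plus intermediates, in any order). */
    static List<X509Certificate> loadPemBundle(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> out = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                out.add((X509Certificate) c);
            }
        }
        return out;
    }

    /** Builds an in-memory trust store that holds the whole chain, not only the root. */
    static KeyStore trustStoreFrom(List<X509Certificate> chain) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // start from an empty store
        int i = 0;
        for (X509Certificate c : chain) {
            ks.setCertificateEntry("ca-" + (i++), c);
        }
        return ks;
    }

    /** Prints the permitted/excluded subtrees of every CA in the chain that carries NameConstraints. */
    static void printNameConstraints(List<X509Certificate> chain) throws Exception {
        for (X509Certificate c : chain) {
            byte[] ext = c.getExtensionValue(NAME_CONSTRAINTS_OID); // DER OCTET STRING or null
            if (ext == null) continue;
            ASN1Primitive value = JcaX509ExtensionUtils.parseExtensionValue(ext); // unwraps the OCTET STRING
            NameConstraints nc = NameConstraints.getInstance(value);
            System.out.println("NameConstraints on " + c.getSubjectX500Principal());
            printSubtrees("  permitted: ", nc.getPermittedSubtrees());
            printSubtrees("  excluded:  ", nc.getExcludedSubtrees());
        }
    }

    private static void printSubtrees(String label, GeneralSubtree[] subtrees) {
        if (subtrees == null) return;
        for (GeneralSubtree st : subtrees) {
            GeneralName base = st.getBase();
            String kind = base.getTagNo() == GeneralName.dNSName ? "DNS" : "tag " + base.getTagNo();
            System.out.println(label + kind + " " + base.getName());
        }
    }

    /** Validates a server chain (leaf first) against the trust store with the platform PKIX validator. */
    static PKIXCertPathValidatorResult validate(List<X509Certificate> serverChain, KeyStore trust)
            throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(serverChain);
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(false); // off so the check runs offline; enable it in production
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        return (PKIXCertPathValidatorResult) validator.validate(path, params); // throws on failure
    }

    /** SSLContext that trusts only the loaded chain; pass its socket factory to HttpsURLConnection. */
    static SSLContext sslContextFrom(KeyStore trust) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: PEM bundle with root + intermediates; args[1]: server chain PEM, leaf first (assumed paths)
        List<X509Certificate> caChain = loadPemBundle(args[0]);
        printNameConstraints(caChain);
        KeyStore trust = trustStoreFrom(caChain);
        List<X509Certificate> serverChain = loadPemBundle(args[1]);
        PKIXCertPathValidatorResult result = validate(serverChain, trust);
        System.out.println("validated up to anchor "
                + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        System.out.println("leaf SANs: " + serverChain.get(0).getSubjectAlternativeNames());
        SSLContext ctx = sslContextFrom(trust); // use ctx.getSocketFactory() for the HTTPS call
    }
}
```

Running it with only the root in the bundle reproduces the `CertPathValidatorException` from the trace; adding the intermediates to the same bundle makes `validate` succeed, and the printed subtrees show which CA imposes the DNS constraint and whether the leaf's SAN entries fall inside it. Keeping the validator and the name-constraint check intact, rather than disabling hostname or SAN checking, is what preserves the protection the constrained CA was issued to enforce.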