Re: [Hbci4java-help] java.security.cert.CertPathValidatorException: Path does not chain with any of
From: Rolf V. <ro...@we...> - 2010-01-11 01:11:07
> Ok,
> Issue solved.
>
> I had the validateCert=0 setting in there but it was not in effect.
> The bank switched CAs and the CA they chose this time is not in
> the default Java-Truststore Sun provides.
> I changed the settings so validateCert is not actually in effect
> and it works.

Well, that's great to hear, but still, it would be safer and cleaner if you would provide the users with a keystore that contains all the necessary certificates, so if any user is tricked into connecting to a forged host (DNS poisoning or something similar), the application will cancel the connection. Simply accepting all possible hosts is not very safe and should only be a last resort IMHO.

You could start with the default Java keystore of the most recent Java SDK, and add everything that is needed for a connection to this bank, then ship the resulting keystore along with your code. If the code automatically uses your keystore, the user shouldn't have to do anything special. So it won't be a problem for the users, but safer for them.

> Marcus
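The keystore approach suggested in the reply above, sketched with plain JSSE as an added example (not code from the thread or from HBCI4Java). The class name, the `bank-ca` alias and the command-line arguments are hypothetical; it assumes Java 9 or later and the stock `changeit` password on the JRE's `cacerts` file. How the resulting `SSLContext` is handed to the banking library is not shown.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class BundledTrustStore {
    // Build step: copy the JRE's default CA certificates, then add the bank's CA.
    static void build(File bankCaCert, File out, char[] pw) throws Exception {
        File cacerts = new File(System.getProperty("java.home"), "lib/security/cacerts");
        KeyStore defaults = KeyStore.getInstance(cacerts, "changeit".toCharArray());
        KeyStore bundle = KeyStore.getInstance("PKCS12");
        bundle.load(null, null); // start from an empty store
        for (String alias : Collections.list(defaults.aliases())) {
            if (defaults.isCertificateEntry(alias)) {
                bundle.setCertificateEntry(alias, defaults.getCertificate(alias));
            }
        }
        try (InputStream in = new FileInputStream(bankCaCert)) {
            Certificate ca = CertificateFactory.getInstance("X.509").generateCertificate(in);
            bundle.setCertificateEntry("bank-ca", ca); // hypothetical alias
        }
        try (OutputStream os = new FileOutputStream(out)) {
            bundle.store(os, pw);
        }
    }

    // Runtime: validation stays on, but only the shipped store is trusted.
    static SSLContext contextFor(InputStream store, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(store, pw);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client keys, default RNG
        return ctx;
    }

    // Usage: java BundledTrustStore <bank-ca.pem> <truststore.p12> <password>
    public static void main(String[] args) throws Exception {
        File out = new File(args[1]);
        build(new File(args[0]), out, args[2].toCharArray());
        try (InputStream in = new FileInputStream(out)) {
            SSLContext ctx = contextFor(in, args[2].toCharArray());
            System.out.println("Trust store ready, protocol " + ctx.getProtocol());
        }
    }
}
```

A handshake with a host whose certificate chains to none of the bundled CAs then fails with the same `CertPathValidatorException` seen in the subject line, which is the behaviour wanted against a forged host.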