Re: [Hbci4java-help] java.security.cert.CertPathValidatorException: Path does not chain with any of
From: HBCI4Java (S. Palme) <hbc...@ka...> - 2010-01-11 17:13:35
Hi,

On Mon, 2010-01-11 at 17:43 +0100, Marcus Wolschon wrote:
> I was using 1.6.0.07.
> The certificate is the one Comdirect uses. I have no
> idea how to obtain that, as I have no client nor code that
> can open an SSL dialog for FinTS/HBCI and save the certificate
> to a PEM or DER file.

Try to open the HBCI-PIN/TAN URL in the browser. This will give you an error (because you did not send a valid HBCI message), but nevertheless you can examine the certificate details, and especially examine the certificate CHAIN. For each certificate in the chain, check if it is contained in the Java-cacert-file. If not, go to the website of the corresponding CA - there you can download the certificates...

> I know that it is possible to add a certificate with keytool, but
> a) that does not cover the important part of
> obtaining the certificate in the first place

See above.

> b) that is not "inside the program" but would
> require an advanced user that can be trusted to
> perform such operations on the command line
> without help.
> ...
> How do you combine "not an option" and "the only way"?
> Both are mutually exclusive answers.

I thought about the following solution: YOU (as the developer of your special application) fetch the missing certificate(s) and create a cacert-style file from them using Java's keytool. This cacert-style file you could include in your application. You could set the certfile kernel parameter by default to point to the file provided by you. So no user of your application has to do anything complicated.

Regarding "not an option" and "the only way": I meant that, in general, it is of course not a real solution to include all bank certificates in your own application (you have written: "I don't think it's an option to ship and update the certificates of every bank the user could configure with the software." - this is exactly what I mean). But the only way IN THIS SPECIAL CASE (i.e. where ONE bank has a new certificate whose root certificate is not yet in the cacert-file of an older Java version) is to provide a cacert-style file yourself.

> 1.6.0.07 I know their HTTP certificate is an EV cert from VeriSign,
> but I have no idea about their FinTS certificate

This is probably the same certificate, because in most cases the SSL decryption layer sits far before the decision about which backend application has to handle the incoming request. As already said above: try to open the HBCI-PIN/TAN URL in your browser and examine the SSL certificate...

Regards
-stefan-
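The procedure described in the reply (look at the chain the server presents, check each link against the JRE's cacerts, then build a cacert-style file from the missing CA certificate for the application to ship) as an added example in plain JSSE code. This is not code from the mailing list or from HBCI4Java; it does not touch the HBCI4Java kernel at all, it only produces the truststore file that the certfile parameter mentioned in the mail would point at. The host/port arguments, the output file name and the CA file names are hypothetical; "changeit" is the JRE's default cacerts password. It needs a current JDK (try-with-resources, streams), not the 1.6.0.07 the thread is about.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

// Usage: java ChainCheck host[:port] [truststore.jks ca1.cer ca2.pem ...]
// Step 1: show the chain the server sends and which issuers the JRE's cacerts already trusts.
// Step 2 (optional): write a cacert-style truststore from CA files fetched from the CA's website,
//         the same thing "keytool -importcert" does, for the application to ship and point at.
// File names are hypothetical; "changeit" is the JRE's default cacerts password.
public class ChainCheck {

    /** Records the chain the server presents, then lets the JRE's default trust manager decide. */
    static final class RecordingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        X509Certificate[] lastChain = new X509Certificate[0];
        RecordingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException { delegate.checkClientTrusted(chain, authType); }

        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            lastChain = chain.clone();             // kept even when the delegate throws below
            delegate.checkServerTrusted(chain, authType);
        }

        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    /** Trust manager backed by the JRE's cacerts (or javax.net.ssl.trustStore when that is set). */
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** True when one of the trust anchors has the given name as its subject. */
    static boolean isAnchor(X509TrustManager tm, X500Principal name) {
        return Arrays.stream(tm.getAcceptedIssuers()).anyMatch(a -> a.getSubjectX500Principal().equals(name));
    }

    /** Step 1: fetch the server chain and compare every link's issuer against cacerts.
     *  The last "[issuer NOT in cacerts]" line names the CA certificate that has to be fetched. */
    static void inspectChain(String host, int port) throws Exception {
        RecordingTrustManager rtm = new RecordingTrustManager(defaultTrustManager());
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { rtm }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
            System.out.println("Handshake OK: the chain validates against the JRE truststore.");
        } catch (SSLHandshakeException e) {
            System.out.println("Handshake FAILED: " + e.getMessage());
        }
        for (X509Certificate c : rtm.lastChain) {
            boolean known = isAnchor(rtm, c.getIssuerX500Principal());
            System.out.println("  subject: " + c.getSubjectX500Principal());
            System.out.println("  issuer : " + c.getIssuerX500Principal()
                    + (known ? "   [issuer is in cacerts]" : "   [issuer NOT in cacerts]"));
        }
    }

    /** Step 2: build a cacert-style truststore from CA files (DER or PEM, one or many per file). */
    static void buildTrustStore(String outFile, String[] caFiles) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);                        // start from an empty store
        int n = 0;
        for (String f : caFiles) {
            try (InputStream in = new FileInputStream(f)) {
                for (Certificate c : cf.generateCertificates(in)) ks.setCertificateEntry("ca-" + (n++), c);
            }
        }
        try (OutputStream out = new FileOutputStream(outFile)) { ks.store(out, "changeit".toCharArray()); }
        System.out.println("Wrote " + n + " trusted certificate(s) to " + outFile);
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) { System.err.println("usage: ChainCheck host[:port] [out.jks ca.cer ...]"); System.exit(2); }
        String[] hp = args[0].split(":");
        inspectChain(hp[0], hp.length > 1 ? Integer.parseInt(hp[1]) : 443);
        if (args.length >= 3) buildTrustStore(args[1], Arrays.copyOfRange(args, 2, args.length));
    }
}
```

The recording trust manager never accepts anything the JRE's own trust manager would reject; it only keeps a copy of the chain so the program can still print it after the handshake has failed with the "Path does not chain" error. Step 2 is the programmatic equivalent of the command-line step from the mail, `keytool -importcert -alias <alias> -file <ca.cer> -keystore <truststore.jks> -storepass changeit`, run once per downloaded CA certificate; only the certificate that was reported as missing needs to go into the shipped file, since the rest of the chain is sent by the server.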