enviroCar / enviroCar-server

Server of the enviroCar project
http://envirocar.org/
GNU Affero General Public License v3.0

Oracle JDK 7 does not have StartCom as a Root Certificate #141

Open matthesrieke opened 10 years ago

matthesrieke commented 10 years ago

Hey enviroCar folks,

I am using this as a not-so-public discussion on an annoying issue I faced when creating a WPS process that interacts with the enviroCar-server API.

While developing the process (on my local machine) everything worked like a charm - certificates got validated without any issue. When deploying the process on our geoprocessing.demo.52north.org VM (Oracle JDK 6 installed) the process failed due to SSLExceptions. I then upgraded to the latest JDK 7u45, but still the issues persisted.

Investigations on the JVM keystore with keytool -list -v -keystore %JAVA_HOME%/jre/lib/security/cacerts showed that our StartCom Class 2 Root Certificate is NOT shipped with the current most up-to-date JVM from Oracle. Though, OpenJDK has it! Shame on you, Oracle!

So, this is kind of bad as a quite big amount of Java devs will use the Oracle JVM.

Maybe, this could still be an issue with our certificate? Its common name is set to dev.envirocar.org?: https://www.ssllabs.com/ssltest/analyze.html?d=envirocar.org

Any comments or thoughts on how to deal with this?

autermann commented 10 years ago

It's not an issue of our certificate, but StartCom/Oracle's fault (I don't know the actual process of including CAs in the JRE).

IMHO there are only three alternatives:

autermann commented 10 years ago

There is a fourth alternative: provide a Java client library using a preconfigured keystore. That option of course would take a lot more work… But in the beginning it could just include an HTTPS client…

nuest commented 10 years ago

@staschc Maybe you can link your findings here or find something useful in the discussion.