- Enhancement
- Resolution: Other
- P3
- 7u76, 9

When attempting to establish an SSL connection with SSLSocket, the CA and
intermediate CA are checked against the JRE's cacerts or another file pointed
to by javax.net.ssl.trustStore.
For customers that have a large installed base and their own CA (root or
intermediate) this is a problem, as their CA certificates have to be
installed on each machine's cacerts, every time Java is updated.
A better solution is to search the browser's CA trust store and user level
cacerts in addition to JRE's cacerts, as it would allow the customer to add
their own CA to the browser trust store via GPO or to the user level CA certs
(which survive Java updates).