Before I evaluate your request, I have a question. If the certificate
contains the same public key, subject and SAN, why does validation fail?
--Sean
On 7/14/25 1:58 AM, Pooja D P wrote:
Subject: Observation on CertPath Duplicate Trust Anchor Behavior and Suggestion
to Improve Debug Messaging.
Hi Team,
We were working on a customer case where the customer is using a self-signed
certificate for a TLS server and has added this certificate to the trust store
to trust it. However, the customer encounters an issue when they attempt to
establish a TLS connection. Even though the server presents the correct
certificate and the valid trust store contains the matching certificate, the
client still encounters a validation exception.
The root cause appears to be that, at the customer application level, it
automatically generates its own self-signed certificate for localhost and adds
it to the trust store. This internally generated certificate shares the same
subject, public key, and SANs as the customer's TLS server certificate, but
has a different serial number.
When CertPath processing occurs, it detects these two certificates as
duplicates. The code uses the first match it finds, which in this case is the
default newly created self-signed certificate by the application — not the one
actually used by the customer’s server. As a result, the certificate validation
fails.
During investigation, it is observed that enabling CertPath debugging using:
"-Djava.security.debug=certpath" results in the following message:
debug.println("cert with repeated subject, " +
"public key, and subjectAltNames detected");
This above message is generated from the following code in the OpenJDK:
https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java#L583
The observation is that the addVertices method eventually invokes repeated(),
which compares each certificate against the cpListCert list. The debug message
in its current form provides minimal insight into what was detected as a
duplicate.
Suggestion / this could be improved as below:
debug.println("Certificate with repeated subject, public key, and subjectAltNames
detected: " + cert);
This small change would provide better traceability and help users identify
which certificate is being considered a duplicate — making debugging clearer
and avoiding ambiguity.
While this may not be a common customer scenario, the enhancement is simple
to implement and would significantly improve the clarity of debugging in
certificate-related issues.
Please let me know your thoughts on this.
Thanks,
Pooja D P
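The scenario in the message above, reproduced as an added example (shell and openssl; this is not code from the thread or from OpenJDK). It creates two self-signed localhost certificates that share subject, public key and SAN but differ in serial number, then scans a directory of PEM certificates for entries that repeat that (subject, public key, SAN) tuple, which is what the message says repeated() compares. It assumes openssl 1.1.1 or later is on PATH; the directory layout, file names and the serial numbers 1001 and 2002 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or the JDK: reproduce the near-duplicate
# trust anchors described in the message and detect them offline.
# Assumes openssl (1.1.1 or later, for -addext) is on PATH. Directory names,
# file names and serial numbers are assumptions chosen for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create one key pair and two self-signed certificates for localhost that
# share subject, public key and SAN but carry different serial numbers,
# mirroring the application-generated cert sitting next to the server's one.
make_duplicate_certs() {
    dir="$1"
    mkdir -p "$dir"
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$dir/key.pem" 2>/dev/null
    for serial in 1001 2002; do
        openssl req -x509 -new -key "$dir/key.pem" -days 365 \
            -subj "/CN=localhost" \
            -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" \
            -set_serial "$serial" \
            -out "$dir/cert-$serial.pem" 2>/dev/null
    done
}

# Print "subject|sha256(SubjectPublicKeyInfo)|SAN|serial|file" for one cert.
# The first three fields are the tuple the CertPath builder's repeated()
# check compares; the serial is what actually distinguishes the two entries.
cert_identity() {
    f="$1"
    subject=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject=//')
    pub=$(openssl x509 -in "$f" -noout -pubkey \
          | openssl pkey -pubin -outform DER \
          | openssl dgst -sha256 | awk '{print $NF}')
    san=$(openssl x509 -in "$f" -noout -text \
          | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ')
    serial=$(openssl x509 -in "$f" -noout -serial | sed 's/^serial=//')
    printf '%s|%s|%s|%s|%s\n' "$subject" "$pub" "$san" "$serial" "$f"
}

# Number of distinct (subject, public key, SAN) tuples that appear more than
# once among cert-*.pem in a directory; 0 means no repeated anchors.
count_repeated_groups() {
    dir="$1"
    for f in "$dir"/cert-*.pem; do cert_identity "$f"; done \
        | cut -d'|' -f1-3 | sort | uniq -d | wc -l | tr -d ' '
}

# List every repeated group with the serial and file of each member, which is
# the information the proposed debug message would surface.
list_repeated_anchors() {
    dir="$1"
    for f in "$dir"/cert-*.pem; do cert_identity "$f"; done \
        | sort > "$dir/identities.txt"
    cut -d'|' -f1-3 "$dir/identities.txt" | uniq -d | while IFS= read -r key; do
        echo "repeated subject, public key and SAN: $key"
        grep -F -- "$key|" "$dir/identities.txt" \
            | awk -F'|' '{ print "  serial=" $4 "  file=" $5 }'
    done
}

make_duplicate_certs "$WORK/certs"
list_repeated_anchors "$WORK/certs"
```

To run the same check against an existing Java trust store, export each entry with `keytool -exportcert -rfc -alias <alias> -keystore <store> -file cert-<alias>.pem` into one directory and call list_repeated_anchors on it; any group it reports is a candidate for the "cert with repeated subject, public key, and subjectAltNames detected" message that -Djava.security.debug=certpath prints.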