On Mon, 27 Apr 2026 21:30:22 GMT, Artur Barashev <[email protected]> wrote:

>> test/jdk/javax/net/ssl/ServerName/SNIWildcardMatching.java line 173:
>>
>>> 171: Certificate[] chain = new Certificate[2];
>>> 172: chain[0] = keyCertificate;
>>> 173: chain[1] = trustedCertificate;
>>
>> The trusted certificate is usually not included in the chain. Remove?
>
> We need the same `trustedCertificate` in the key stores of both the client
> and the server to trust each other.

To verify that the server certificate chain is trusted, the client uses the `setCertificateEntry` entry you set up a few lines before. It does not need to be included in the chain. See [CriticalSubjectAltName.java](https://github.com/openjdk/jdk/blob/3e5b5dde7ad14d49371cf58f3238c71091b4d0a2/test/jdk/javax/net/ssl/HttpsURLConnection/CriticalSubjectAltName.java#L157-L159) for an example that does not include trustedCertificate in the chain.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/30927#discussion_r3152443719
