Hello,

This problem might be more related to how Java validates certificates, but I'll give it a try here. My client certificate chain is Root CA > Intermediate CA > client cert. I wish to trust only certificates coming from the Intermediate CA and not the Root CA. However, I have noticed that the PKI validator (which is the default one) called by Merlin failed to validate:

Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: Error during certificate path validation: Path does not chain with any of the trust anchors
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:160)
    at com.sun.proxy.$Proxy34.submit(Unknown Source)
    at client.OffresEmploiClientSigning.doCall(OffresEmploiClientSigning.java:87)
    at client.OffresEmploiClientSigning.main(OffresEmploiClientSigning.java:65)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: org.apache.cxf.binding.soap.SoapFault: Error during certificate path validation: Path does not chain with any of the trust anchors
    at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.unmarshalFault(Soap11FaultInInterceptor.java:86)
    at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:52)
    at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:41)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
    at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:113)
    at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)
    at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
    at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:802)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1645)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1533)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1336)
    at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
    at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:652)
    at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:516)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:425)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:326)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:279)
    at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:138)

Is there a way to configure validation to trust a non-self-signed CA?

Best Regards,
Claude
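
A standalone check of how the JDK's own PKIX validator handles a non-self-signed trust anchor, as an added example that is not part of the original post and is not CXF or WSS4J code. It validates the client certificate against the intermediate CA as the only trust anchor, once with a path holding only the client certificate and once with the intermediate appended. The class name and the two certificate file arguments (PEM or DER) are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Hypothetical helper class; usage:
//   java IntermediateAnchorCheck <intermediate-ca-cert> <client-cert>
public class IntermediateAnchorCheck {

    static X509Certificate load(CertificateFactory cf, String file) throws Exception {
        try (InputStream in = new FileInputStream(file)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    // Validate a path (leaf first) against exactly one trusted certificate.
    // A TrustAnchor does not have to be self-signed: PKIX only uses its
    // subject name and public key as the starting point of the path.
    static String validate(CertificateFactory cf, X509Certificate anchor,
                           List<X509Certificate> path) throws Exception {
        PKIXParameters params = new PKIXParameters(
                Collections.singleton(new TrustAnchor(anchor, null)));
        params.setRevocationEnabled(false); // offline check, no CRL/OCSP lookups
        try {
            CertPathValidator.getInstance("PKIX")
                    .validate(cf.generateCertPath(path), params);
            return "valid";
        } catch (CertPathValidatorException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate intermediate = load(cf, args[0]);
        X509Certificate client = load(cf, args[1]);

        // Path that stops below the anchor, as the CertPath convention expects.
        System.out.println("client only           -> "
                + validate(cf, intermediate, Collections.singletonList(client)));
        // Path that also carries the anchor's own certificate; the top of this
        // path is issued by the root, which is not among the trust anchors.
        System.out.println("client + intermediate -> "
                + validate(cf, intermediate, Arrays.asList(client, intermediate)));
    }
}
```

Running it against the real intermediate and client certificates shows whether the chain itself is acceptable to the JDK with only the intermediate trusted, independent of how the web service stack assembles the path it hands to the validator.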
