为什么java会在cacert.org上制作证书:"keyCertSign位未设置"？

Question

我在CAcert创建了一个SSL服务器证书.当我尝试从Java程序(下面)从此服务器获取页面时,我得到了

Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: CA key usage check failed: keyCertSign bit is not set

有谁知道这可能导致什么？

• 我已经尝试创建由1类和3类根证书签名的证书,结果相同.
• 当我尝试从使用CAcert.org证书的其他两个站点获取页面时,不会发生错误:https://www.cacert.org 和https://pause.perl.org(让我相信root&来自cacert.org的3级证书已正确安装在我的系统上).
• 我可以在中看到cacert.org证书keytool -keystore /etc/ssl/certs/java/cacerts -list.
• 是的,我知道很少有网络浏览器附带cacert.org root和class 3证书.
• 证书是*.an.example.com(真实域编辑)的通配符证书.

这是我用来测试的Java代码:

class Test {
    public static void main(String args[]) throws Exception {
        java.net.URL url = new java.net.URL(args[0]);
        java.io.InputStream s = url.openStream();
    }
}

将完整的堆栈跟踪似乎不添加任何有用的信息.

该keytool(1)联机帮助确实提到了

Extensions can be marked critical to indicate that the extension should
be checked and enforced/used. For example, if a certificate has the
KeyUsage extension marked critical and set to "keyCertSign" then if this
certificate is presented during SSL communication, it should be rejected,
as the certificate extension indicates that the associated private key
should only be used for signing certificates and not for SSL use.

但我检查了证书,虽然"证书密钥用法"扩展名确实说"签名",但它也标记为"不严重".

对不起,我不想透露我的域名或证书,但如果有必要,我可以启动服务器进行测试.

Answer 1

原来是证书本身的问题。CAcert.org 的人们修复了它。耶！