FYI, removal of the "Thawte Premium Server CA" causes problems not only with openssl, but also when Java verifies certificates (e.g., when installing signed plugins in the Eclipse IDE).

Here's the output of jarsigner:

> jarsigner -verify -certs -verbose
> ./eclipse/plugins/com.codetrails.aether_1.14.0.v20160518-2203-b207.jar
...
> [entry was signed on 5/19/16 12:08 AM]
> X.509, CN=Codetrails GmbH, OU=IT Department, O=Codetrails GmbH,
> L=Darmstadt, ST=Hessen, C=DE
> [certificate is valid from 3/1/16 1:00 AM to 5/1/17 1:59 AM]
> X.509, CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US
> [certificate is valid from 12/10/13 1:00 AM to 12/10/23 12:59 AM]
> X.509, CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For
> authorized use only", OU=Certification Services Division, O="thawte, Inc.",
> C=US
> [certificate is valid from 11/17/06 1:00 AM to 12/31/20 12:59 AM]
> X.509, EMAILADDRESS=premium-ser...@thawte.com, CN=Thawte Premium Server
> CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town,
> ST=Western Cape, C=ZA
> [certificate is valid from 8/1/96 2:00 AM to 1/2/21 12:59 AM]
> [CertPath not validated: Path does not chain with any of the trust
> anchors]

With the keystore Oracle ships with Java 1.8.0_91 this verifies fine:

> jarsigner -keystore cacerts.original -verify -certs -verbose
> ./eclipse/plugins/com.codetrails.aether_1.14.0.v20160518-2203-b207.jar
...
> [entry was signed on 5/19/16 12:08 AM]
> X.509, CN=Codetrails GmbH, OU=IT Department, O=Codetrails GmbH,
> L=Darmstadt, ST=Hessen, C=DE
> [certificate is valid from 3/1/16 1:00 AM to 5/1/17 1:59 AM]
> X.509, CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US
> [certificate is valid from 12/10/13 1:00 AM to 12/10/23 12:59 AM]
> X.509, CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For
> authorized use only", OU=Certification Services Division, O="thawte, Inc.",
> C=US
> [certificate is valid from 11/17/06 1:00 AM to 12/31/20 12:59 AM]
> X.509, EMAILADDRESS=premium-ser...@thawte.com, CN=Thawte Premium Server
> CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town,
> ST=Western Cape, C=ZA (thawtepremiumserverca)
> [certificate is valid from 8/1/96 2:00 AM to 1/2/21 12:59 AM]

Note, however, that it doesn't find the "thawte Primary Root CA" *intermediate* certificate in its keystore, as no alias (like for "(thawtepremiumserverca)") is shown.

However, the keystore shipped with Debian 8.4 *does* contain that intermediate certificate:

> keytool -list -alias debian:thawte_primary_root_ca.pem -v -keystore
> /usr/lib/jvm/java-7-openjdk-amd64/jre/lib/security/cacerts
...
> Alias name: debian:thawte_primary_root_ca.pem
> Creation date: Apr 6, 2016
> Entry type: trustedCertEntry
>
> Owner: CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized
> use only", OU=Certification Services Division, O="thawte, Inc.", C=US
> Issuer: CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized
> use only", OU=Certification Services Division, O="thawte, Inc.", C=US
> Serial number: 344ed55720d5edec49f42fce37db2b6d

If this were found by jarsigner, then everything would be fine; that the root certificate is not trusted is immaterial, as an intermediate certificate already is. But unfortunately that's not the case. :-(

Hope that helps.

Andreas

--
Codetrails GmbH
The knowledge transfer company

Robert-Bosch-Str. 7, 64293 Darmstadt
Phone: +49-6151-276-7092
Mobile: +49-170-811-3791
http://www.codetrails.com/

Managing Director: Dr. Marcel Bruch
Handelsregister: Darmstadt HRB 91940
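
A diagnostic for the situation described in the message above, added here as an example (not code from the original message, from jarsigner or from Debian): it prints each certificate in a signed JAR's signer chain with the keystore alias when that identical certificate is stored, and otherwise lists keystore entries that share only the subject name. The class name `ChainAnchors`, its arguments and the `changeit` default password are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example. Usage: java ChainAnchors <signed.jar> <keystore> [storepass]
public class ChainAnchors {
    public static void main(String[] args) throws Exception {
        // Assumption: "changeit", the conventional password of a JRE cacerts file.
        char[] pass = (args.length > 2 ? args[2] : "changeit").toCharArray();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) { ks.load(in, pass); }
        try (JarFile jar = new JarFile(args[0], true)) {
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signer information is only available once the entry is fully read.
                try (InputStream in = jar.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) continue; // unsigned entry
                for (CodeSigner s : signers)
                    for (Certificate c : s.getSignerCertPath().getCertificates())
                        report((X509Certificate) c, ks);
                return; // one signed entry is enough to see the chain
            }
            System.out.println("no signed entries found");
        }
    }
    // Prints the subject with the alias of the identical stored certificate, or
    // else every alias whose certificate merely has the same subject name.
    static void report(X509Certificate c, KeyStore ks) throws Exception {
        String exact = ks.getCertificateAlias(c);
        System.out.println(c.getSubjectX500Principal().getName()
                + (exact != null ? " (" + exact + ")" : ""));
        if (exact != null) return;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate k = ks.getCertificate(alias);
            if (k instanceof X509Certificate && ((X509Certificate) k)
                    .getSubjectX500Principal().equals(c.getSubjectX500Principal()))
                System.out.println("  same subject, different certificate: " + alias);
        }
    }
}
```

Running it against both keystores mentioned in the message shows which chain entries each store holds byte-for-byte and which it holds only under the same subject name.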