Debugging java.security.cert.CertificateException: Certificates do not conform to algorithm constraints

Why? Most often, some certificate in the chain (not necessarily the leaf) either has an RSA public key shorter than 1024 bits or is signed with MD2withRSA.

Explanation? MD2 has long been recognized as broken, and beginning with JDK 7 the JDK's certificate-path validation rejects it through the jdk.certpath.disabledAlgorithms property. If you open the “java.security” file under “$JAVA_HOME/jre/lib/security” (on JDK 9 and later it lives under “$JAVA_HOME/conf/security”), you will find the line that sets this property; the JDK 7 default value is MD2, RSA keySize < 1024, which disables MD2 everywhere and rejects RSA keys shorter than 1024 bits. Newer releases extend the list (MD5 and small DSA/EC keys, for example), so check the exact value in the JDK you run.

So, if any certificate in the chain has an RSA key shorter than 1024 bits, or an MD2-based signature, you get this error.

How to find the certificate key size?

Step 1: Download the certificate via the browser (e.g. Google Chrome) by visiting the URL, clicking the lock symbol and exporting the certificate as, say, myapp.cer. Export each certificate in the chain, not only the leaf, since the offending one is often an intermediate or root.

Step 2: Use the OpenSSL tool to find the size of the key, for example openssl x509 -in myapp.cer -noout -text (add -inform DER if the browser exported binary DER rather than PEM).

This prints the certificate details, including the Signature Algorithm and the key size (the Public-Key: (N bit) line under Subject Public Key Info). Repeat for every certificate you exported.
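The same check done without OpenSSL, as an added example that is not part of the original post: a small standard-library-only DER parser pulls the signature algorithm and RSA modulus size out of a certificate, and a simplified reading of the jdk.certpath.disabledAlgorithms value reports why the JDK would reject it. All names (read_tlv, cert_info, violations, build_rsa_cert and so on) are hypothetical, only four OIDs are mapped, build_rsa_cert produces constructed, unsigned certificates with a made-up modulus purely as sample input, and the rule parser handles only bare algorithm names and keySize < N (the real JDK syntax also has jdkCA, usage and denyAfter qualifiers, which are not modelled here).

```python
import base64

OIDS = {"1.2.840.113549.1.1.1": "RSA", "1.2.840.113549.1.1.2": "MD2withRSA",          # assumption: only these
        "1.2.840.113549.1.1.5": "SHA1withRSA", "1.2.840.113549.1.1.11": "SHA256withRSA"}  # four are mapped

def read_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; returns (tag, body, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0                                     # (tag, body) elements of a constructed value
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        out.append((tag, inner))
    return out

def decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, val = parts + [val], 0
    return ".".join(map(str, parts))

def load_cert(path):
    data = open(path, "rb").read()                       # a browser-exported .cer, PEM (base64) or raw DER
    if data.lstrip().startswith(b"-----BEGIN"):
        data = base64.b64decode(b"".join(l for l in data.splitlines() if not l.startswith(b"-----")))
    return data

def cert_info(der):
    """Signature algorithm, key algorithm and RSA modulus size of one DER certificate."""
    tbs, sig_alg, _ = children(read_tlv(der)[1])         # tbsCertificate, signatureAlgorithm, signatureValue
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:                             # optional explicit [0] version
        fields = fields[1:]
    spki_alg, spki_key = children(fields[5][1])          # serial, sigAlg, issuer, validity, subject, SPKI
    info = {"sigalg": OIDS.get(decode_oid(children(sig_alg[1])[0][1]), "?"),
            "keyalg": OIDS.get(decode_oid(children(spki_alg[1])[0][1]), "?"), "keysize": None}
    if info["keyalg"] == "RSA":                          # BIT STRING: unused-bits byte, then RSAPublicKey
        modulus = children(children(spki_key[1][1:])[0][1])[0][1]
        info["keysize"] = int.from_bytes(modulus, "big").bit_length()
    return info

def parse_disabled(prop):
    """Parse a jdk.certpath.disabledAlgorithms value such as 'MD2, RSA keySize < 1024'."""
    rules = []
    for tok in (entry.split() for entry in prop.split(",")):
        if len(tok) == 4 and tok[1] == "keySize" and tok[2] == "<":
            rules.append((tok[0], int(tok[3])))
        elif tok:
            rules.append((tok[0], None))                 # bare name: the whole algorithm is disabled
    return rules

def violations(der, prop="MD2, RSA keySize < 1024"):
    """Why the JDK would reject this certificate under the given property value ([] means accepted)."""
    info, found = cert_info(der), []
    for alg, min_bits in parse_disabled(prop):
        if min_bits is None:                             # matches the digest (MD2 in MD2withRSA) or key algorithm
            if alg.upper() in info["sigalg"].upper() or alg.upper() == info["keyalg"].upper():
                found.append(f"{info['sigalg']} uses disabled algorithm {alg}")
        elif alg.upper() == info["keyalg"].upper() and info["keysize"] is not None and info["keysize"] < min_bits:
            found.append(f"{alg} key of {info['keysize']} bits is below {min_bits}")
    return found

# Tiny DER encoder, used only to build constructed sample certificates (made-up modulus, all-zero signature).
def _tlv(tag, body):
    n, size = len(body), (len(body).bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + body

def _int(v):
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def _oid(dotted):
    p = [int(x) for x in dotted.split(".")]
    out = bytearray([40 * p[0] + p[1]])
    for v in p[2:]:
        chunk = [v & 0x7F]
        while v >> 7:
            v >>= 7
            chunk.append(0x80 | (v & 0x7F))
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def build_rsa_cert(modulus, sig_oid):
    """Constructed certificate carrying the given RSA modulus and signature OID (unsigned, not a real key)."""
    alg = _tlv(0x30, _oid(sig_oid) + b"\x05\x00")
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _oid("2.5.4.3") + _tlv(0x0C, b"example"))))
    validity = _tlv(0x30, _tlv(0x17, b"200101000000Z") + _tlv(0x17, b"300101000000Z"))
    key = _tlv(0x03, b"\x00" + _tlv(0x30, _int(modulus) + _int(65537)))
    spki = _tlv(0x30, _tlv(0x30, _oid("1.2.840.113549.1.1.1") + b"\x05\x00") + key)
    tbs = _tlv(0x30, _tlv(0xA0, _int(2)) + _int(1) + alg + name + validity + name + spki)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 65))
```

Run violations(load_cert("myapp.cer")) for each certificate exported in Step 1, passing the exact property value from your own “java.security” file as the second argument; a non-empty list names the certificate and the constraint behind the exception, and violations(build_rsa_cert((1 << 511) | 1, "1.2.840.113549.1.1.5")) shows the 512-bit case on a constructed certificate.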

FIX

1. Get a certificate with key size 1024 or greater that is not signed with MD2. This is the right fix: 1024 bits is only the JDK's floor, and 2048-bit RSA is current practice.

2. Relax the jdk.certpath.disabledAlgorithms line in “java.security” under “$JAVA_HOME/jre/lib/security” by removing or lowering the constraint that rejects your certificate. Treat this as a last resort: it weakens certificate validation for every application running on that JDK. If you must do it, prefer scoping the change to one JVM by starting it with -Djava.security.properties=<file>, where the file contains only the overridden property, rather than editing the JDK-wide file.

