Every WebLogic Server installation comes with SSL support. But for some reason many installations get this interesting error message at startup:
Ignoring the trusted CA certificate “CN=Entrust Root Certification Authority – G2,OU=(c) 2009 Entrust, Inc. – for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust, Inc.,C=US”. The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.
This looks odd and many people ignore these error messages. However, if your strategy is to show real error messages only, you are quickly looking for a solution. The Internet is full of possible solutions. Some recommend to remove the certificates from the JDK trust store, some recommend to use a different trust store. But is this the best solution and what are the side effects?
Our way to the solution starts by understanding the error message. Here it is again.
Ignoring the trusted CA certificate “CN=Entrust Root Certification Authority – G2,OU=(c) 2009 Entrust, Inc. – for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust, Inc.,C=US”. The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.
The first sentence is the result while the second sentence explains the reason. Looking at the reason, we quickly find the “certificate parsing exception“. But what does “PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11” tell us?
With this background information we can lookup the number 1.2.840.113549.1.1.11 in the OID Repository (see References for the link) and get this result “iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) sha256WithRSAEncryption(11)“.
Combining the certificate information in the first sentence and the information from the OID lookup we have the following result:
The certificate from CN=Entrust Root Certification Authority – G2,OU=(c) 2009 Entrust, Inc. – for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust, Inc.,C=US uses SHA256WithRSAEncryption which is not supported by the JDK!
You will probably see more messages for similar or different encryption algorithms used in other certificates.
These factors cause this (and similar) error messages:
The Certicomm implementation works perfectly with many SSL certificates but does not support newer and stronger algorithms. Removing certificates from the default trust store or using a new trust store works only if you do not need to install third party certificates, for example from well known Certificate Authorities.
To remove these error messages and support newer SSL certificates we have to do these steps:
CONFIG_JVM_ARGS=’-Dweblogic.ssl.JSSEEnabled=true -Dweblogic.security.SSL.enableJSSE=true’
JAVA_OPTIONS=’-Dweblogic.ssl.JSSEEnabled=true -Dweblogic.security.SSL.enableJSSE=true’
Your Java and WebLogic environment is now ready to support newer SSL certificates!
Enjoy!
All site content is the property of Oracle Corp. Redistribution not allowed without written permission
Note: The above document is from our A-Team chronicles page and not official Oracle documentation: