Erwin Müller Blog

StartSSL Free Class 1 Certificate with Java Keystore

Recently I switched to the StartSSL free class 1 certificate for my sites because for one obvious reason: it is free. So, after a long pause, I started to work on my Java software projects again and my SimpleRest (a simple library that allows access to various REST APIs like for Owncloud and Oanda, based on Apache Http Components and FasterXML Jackson) Java project threw SSLHandshakeException when trying to connect to my site to run some tests. I though that is likely because the StartSSL CA was not included in the JDK keystore. But since I am running Debian Sid the StartSSL certificates are included.

It turns out that we need also the StartCom Class 1 DV Server CA certificate so that the free Class 1 certificate is validated. We can do that by downloading the server CA certificate and add it to the keystore (the store password mypass needs to be replaced with the actual password).

After that, everything should work fine. My guess is that Debian did not included the Class 1 certificate for the reason that it is free and thus is less secure than the for-pay certificates.


Leave a Reply