Description of problem:
There seem to be applets out there (e.g. the WebEx meeting) that are signed with the VeriSign Class 3 Public Primary Certification Authority, but OpenJDK does not recognise this as a trusted CA. Is this intentional?
Version-Release number of selected component (if applicable):
java-1.6.0-openjdk-1.6.0.0-59.1.10.3.fc15
How reproducible:
Every time
Steps to Reproduce:
1. firefox http://www.webex.com/lp/jointest/?elq=809f7a3332a347a0a231ef24c8b40d9c
2. Try to join the meeting
3. Watch the warning
Seems the JVM gets its certs from /etc/pki/java/cacerts
Some more details on the missing cert:
OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Validity: [From: Fri Jul 16 03:00:00 EEST 2004, To: Wed Jul 16 02:59:59 EEST 2014]
CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www.verisign.com/rpa (c)04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
SHA1 Fingerprint: 19:7A:4A:EB:DB:25:F0:17:00:79:BB:8C:73:CB:2D:65:5E:00:18:A4
Our authoritative source for trusted root CAs is Mozilla; this root is not in there, so we don't ship it. Not much more we can do about this; we don't want to start vetting individual CA roots in Fedora.
Fair enough. For what it's worth, I've now filed the same question with Mozilla in https://bugzilla.mozilla.org/show_bug.cgi?id=676799
http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html ;)