UPDATE 1/26/2015 -- It appears the most recent JRE/JDK for Java 8 (update >= 31) and JRE/JDK for Java 7 now include the Godaddy G2 CA server in the default trust st
It sounds like your mail server is not signed by Go Daddy Class 2 Certification Authority, but is actually signed by one of their intermediate certificate authorities. You will need to verify this for yourself. Assuming this is the case...
In theory, your software should work - since the intermediate certificate is signed by the class 2 authority and you have the class 2 authority in the default JDK certificate store. However, I have found that it just does not work unless you also add the intermediate certificate to your certificate store. Here is a link to a blog post describing a similar experience:
http://drcs.ca/blog/adding-godaddy-intermediate-certificates-to-java-jdk/
Here is a direct link to more GoDaddy intermediate certificates: https://certs.godaddy.com/anonymous/repository.pki
I cannot advise on exactly which certificate you must add - it depends on which CA is used in your mail server.
[update]
Is there a way to do this programmatically?
Maybe. Depends on what you want to do. I have used the java.security.KeyStore class to automatically update a private keystore directly from Java code without using keytool. It is conceptually simple - load the keystore from a file, read the new certificate, add it to the keystore and then write out the keystore to a new file. However it takes a while to get the details right and it may not be worth the trouble just to import a single certificate.
Still, it is interesting to try. Check out the KeyStore JavaDoc and read up on the load, store and setCertificateEntry methods.
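
The load / add / store sequence described above, as an added example that is not part of the original answer. The class name, the argument order and the STOREPASS environment variable are assumptions made for illustration; the program prints the certificate's SHA-256 fingerprint so it can be compared with the value the CA publishes before the new keystore is put into use.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Hypothetical helper: ImportIntermediate <in-keystore> <out-keystore> <cert-file> <alias>
public class ImportIntermediate {
    public static void main(String[] args) throws Exception {
        if (args.length != 4 || System.getenv("STOREPASS") == null) {
            System.err.println("usage: STOREPASS=... ImportIntermediate <in> <out> <cert> <alias>");
            System.exit(2);
        }
        // Assumption: password comes from the environment, not the command line.
        char[] pass = System.getenv("STOREPASS").toCharArray();
        String alias = args[3];

        // Read the new certificate; the X.509 factory accepts PEM or DER input.
        X509Certificate cert;
        try (InputStream is = Files.newInputStream(Paths.get(args[2]))) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(is);
        }
        cert.checkValidity(); // throws if the certificate is expired or not yet valid

        // Show what is about to be trusted, for comparison with the CA's published value.
        StringBuilder fp = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded())) {
            fp.append(String.format("%02X:", b));
        }
        fp.setLength(fp.length() - 1);
        System.out.println("Subject: " + cert.getSubjectX500Principal());
        System.out.println("Issuer:  " + cert.getIssuerX500Principal());
        System.out.println("SHA-256: " + fp);

        // Load the existing keystore from file (type follows the JVM default).
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream is = Files.newInputStream(Paths.get(args[0]))) { ks.load(is, pass); }

        // Refuse to overwrite an existing entry; skip if the certificate is already present.
        if (ks.containsAlias(alias)) throw new IllegalStateException("alias in use: " + alias);
        String existing = ks.getCertificateAlias(cert);
        if (existing != null) { System.out.println("Already present as: " + existing); return; }

        // Add the certificate as a trusted entry and write the result to a NEW file.
        ks.setCertificateEntry(alias, cert);
        try (OutputStream os = Files.newOutputStream(Paths.get(args[1]))) { ks.store(os, pass); }
        System.out.println("Wrote " + args[1] + " with new entry: " + alias);
    }
}
```

Writing to a separate output file leaves the original keystore untouched, so the change can be reviewed and rolled back.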