Why do I need to add intermediate CA certificates to JVM's cacerts file?

The problem you describe usually happens if the server only sends its leaf certificate and does not include all the chain certificates needed to build the trust chain up to the root CA. Unfortunately this is a common server misconfiguration.

Many desktop browsers work around this problem if they already know the missing chain certificate from earlier visits, or they may download the missing certificate if the leaf certificate contains a CA Issuers URL in its Authority Information Access extension. But this behavior is usually restricted to desktop browsers, and other tools simply fail because they cannot build the trust chain.


The Oracle JRE can automatically download the intermediate certificate:

Support for the Authority Information Access (AIA) Extension

Support for the caIssuers access method of the Authority Information Access extension is available. It is disabled by default for compatibility and can be enabled by setting the system property com.sun.security.enableAIAcaIssuers to the value true.

If set to true, Sun's PKIX implementation of CertPathBuilder uses the information in a certificate's AIA extension (in addition to CertStores that are specified) to find the issuing CA certificate, provided it is a URI of type ldap, http, or ftp.

Note: Depending on your network and firewall setup, it may be necessary to also configure your networking proxy servers as described in the networking documentation.

(Source: Oracle, "Java PKI Programmer's Guide".)
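To see whether a given server is affected by the incomplete-chain problem described in the first answer, and whether the AIA fetching described in the second one can rescue it, the following added diagnostic (my own example, not code from either answer or from Oracle) takes a PEM file containing exactly the certificates a server presented, in handshake order (leaf first), and asks the JRE's own PKIX CertPathBuilder to build a path to a trust anchor from the default trust store. It also prints any caIssuers URL found in the leaf's AIA extension. The class name ChainCheck, the file-argument convention and the minimal DER scan for the caIssuers OID are my assumptions; the property name and the PKIX/CertPathBuilder API are those named in the quoted Oracle text.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added diagnostic (not from the original answers): given a PEM file holding
 * the certificates a server actually sent, report whether the JRE's default
 * trust store can complete the chain, and which caIssuers URL the leaf
 * advertises in its Authority Information Access (AIA) extension.
 */
public class ChainCheck {

    // DER encoding of the id-ad-caIssuers access-method OID 1.3.6.1.5.5.7.48.2
    private static final byte[] CA_ISSUERS_OID =
        {0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x02};

    /** Trust anchors from the JRE's default trust store (cacerts, or javax.net.ssl.trustStore if set). */
    static Set<TrustAnchor> defaultTrustAnchors() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null KeyStore = use the platform default trust store
        Set<TrustAnchor> anchors = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate root : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    anchors.add(new TrustAnchor(root, null));
                }
            }
        }
        return anchors;
    }

    /**
     * Try to build a PKIX path from the leaf (first cert) to a trust anchor using only
     * the certificates the server sent. If com.sun.security.enableAIAcaIssuers=true was
     * given on the command line, the builder may additionally fetch the issuer via AIA.
     */
    static boolean chainBuilds(List<X509Certificate> sent, Set<TrustAnchor> anchors) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(sent.get(0)); // assumption: leaf first, as in a TLS handshake
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.addCertStore(CertStore.getInstance("Collection",
            new CollectionCertStoreParameters(sent)));
        params.setRevocationEnabled(false); // diagnosing chain completeness only, not revocation
        try {
            CertPathBuilder.getInstance("PKIX").build(params);
            return true;
        } catch (CertPathBuilderException e) {
            return false;
        }
    }

    /** Extract caIssuers URIs from the AIA extension with a minimal DER scan (no ASN.1 library). */
    static List<String> caIssuersUris(X509Certificate cert) {
        List<String> uris = new ArrayList<>();
        byte[] aia = cert.getExtensionValue("1.3.6.1.5.5.7.1.1"); // id-pe-authorityInfoAccess
        if (aia == null) return uris;
        for (int i = 0; i + CA_ISSUERS_OID.length + 2 < aia.length; i++) {
            if (!Arrays.equals(Arrays.copyOfRange(aia, i, i + CA_ISSUERS_OID.length), CA_ISSUERS_OID)) {
                continue;
            }
            int p = i + CA_ISSUERS_OID.length;
            // GeneralName uniformResourceIdentifier is context tag [6] (0x86); assume short-form length
            if ((aia[p] & 0xFF) == 0x86 && (aia[p + 1] & 0x80) == 0) {
                int len = aia[p + 1] & 0x7F;
                if (p + 2 + len <= aia.length) {
                    uris.add(new String(aia, p + 2, len, StandardCharsets.US_ASCII));
                }
            }
        }
        return uris;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java [-Dcom.sun.security.enableAIAcaIssuers=true] ChainCheck <server-chain.pem>");
            System.exit(2);
        }
        List<X509Certificate> sent = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                sent.add((X509Certificate) c);
            }
        }
        System.out.println("Certificates sent by server: " + sent.size());
        for (X509Certificate c : sent) {
            System.out.println("  " + c.getSubjectX500Principal()
                + "  (issuer: " + c.getIssuerX500Principal() + ")");
        }
        System.out.println("AIA caIssuers URIs on leaf: " + caIssuersUris(sent.get(0)));
        System.out.println("com.sun.security.enableAIAcaIssuers = "
            + System.getProperty("com.sun.security.enableAIAcaIssuers", "false"));
        boolean ok = chainBuilds(sent, defaultTrustAnchors());
        System.out.println(ok
            ? "Chain builds to a trusted root."
            : "Chain does NOT build: an intermediate is missing (and AIA fetching is disabled or failed).");
    }
}
```

Run it once without the property and once with -Dcom.sun.security.enableAIAcaIssuers=true. If the first run fails and the second succeeds, the server omits an intermediate that the JRE can recover via AIA; if both fail, the leaf has no usable caIssuers URL (or the fetch is blocked by a proxy or firewall, as the Oracle note warns) and the practical fix is either to repair the server's chain or to import the intermediate into the trust store yourself. The property must be set on the command line, before the PKIX provider initialises, which is why the program only reports it rather than setting it.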