It must be possible to add the missing chain at run time. But how? Is this correct?
Nothing is impossible, you can read the JSSE reference guide for a complicated solution. But from my understanding, none is as simple/straightforward as importing intermediate certificates into the smart card. It's an inter-operational problem of the smart card that does not include intermediate certificates in.
EJP wrote:
Because other people that don't know how to add something on the token will use similar tokens.
It must be possible to add the missing chain at run time.
Why on earth would you want to do that? The whole idea of the card is to store your security information. So store it.
2) I tried to add from Java the missing chain directly into the pkcs11 key store but the message is:
"java.security.KeyStoreException: java.lang.UnsupportedOperationException: trusted certificates may only be set by token initialization application"
OK, that's the correct behavior of a secure smart card. The trust materials should be initialized during the smart card burning. The smart card burner should import the intermediate certificate during initialization.
3) I created a new key store and I tried to store in it the missing chain and the certificate from the token, but the attempt failed as expected.
I can't move what is on the token on another key store because the private key cannot be moved.
Can this be done from Java?
I believe you can do it, by customizing the KeyManager, although it is not easy. I cannot help you more about a how-to, you'll have to research the pager by your team, or please contact Oracle consultant service.
I read a few things from JSSE reference guide but I'm not sure this is possible.
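
An added example, not code from this thread or from the JSSE guide: one way to customize the KeyManager as suggested above is a delegating key manager that leaves the private key on the token and appends the missing intermediates to the chain it presents. The class name `ChainCompletingKeyManager` and the `intermediates` list (certificates loaded from a file or another key store) are assumptions.

```java
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;

// Hypothetical wrapper around the X509KeyManager obtained from a KeyManagerFactory
// initialized with the PKCS#11 key store. Nothing is written to the token.
public final class ChainCompletingKeyManager extends X509ExtendedKeyManager {
    private final X509KeyManager delegate;              // backed by the token
    private final List<X509Certificate> intermediates;  // assumed: loaded outside the token

    public ChainCompletingKeyManager(X509KeyManager delegate, List<X509Certificate> intermediates) {
        this.delegate = delegate;
        this.intermediates = List.copyOf(intermediates);
    }

    @Override
    public X509Certificate[] getCertificateChain(String alias) {
        X509Certificate[] onToken = delegate.getCertificateChain(alias);
        if (onToken == null || onToken.length == 0) return onToken;
        List<X509Certificate> chain = new ArrayList<>(List.of(onToken));
        X509Certificate last = chain.get(chain.size() - 1);
        boolean extended = true;
        // Walk upward by name until a self-issued certificate or no matching intermediate.
        // The peer still validates every signature in the chain it receives.
        while (extended && !last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            extended = false;
            for (X509Certificate ca : intermediates) {
                if (ca.getSubjectX500Principal().equals(last.getIssuerX500Principal()) && !chain.contains(ca)) {
                    chain.add(ca); last = ca; extended = true; break;
                }
            }
        }
        return chain.toArray(new X509Certificate[0]);
    }

    // Everything else is delegated; the private key remains a handle to the token object.
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
    @Override public String[] getClientAliases(String t, Principal[] i) { return delegate.getClientAliases(t, i); }
    @Override public String[] getServerAliases(String t, Principal[] i) { return delegate.getServerAliases(t, i); }
    @Override public String chooseClientAlias(String[] t, Principal[] i, Socket s) { return delegate.chooseClientAlias(t, i, s); }
    @Override public String chooseServerAlias(String t, Principal[] i, Socket s) { return delegate.chooseServerAlias(t, i, s); }
    @Override public String chooseEngineClientAlias(String[] t, Principal[] i, SSLEngine e) { return delegate.chooseClientAlias(t, i, null); }
    @Override public String chooseEngineServerAlias(String t, Principal[] i, SSLEngine e) { return delegate.chooseServerAlias(t, i, null); }
}
```

The wrapper is installed by passing it in the `KeyManager[]` argument of `SSLContext.init(...)` in place of the key manager returned by the factory.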