BEA-090898 – Unsupported OID in the AlgorithmIdentifier Object

This error shows up  in our OSB logs all the time:

<BEA-090898> <Ignoring the trusted CA certificate “CN=KEYNECTIS ROOT CA,  OU=ROOT,O=KEYNECTIS,C=FR”. The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>

There aren’t any relevant results when searching for the BEA-090898, but Oracle Support has a note that mentions the cause of the PKIX: Unsupported OID in the AlgorithmIdentifier object error. This is the cause according to support:

Recent updates to the Sun JDK (Java Developer Kit) (versions: 1.6.0_13 and 1.5.0_18) are incompatible with the SSL (Secure Socket Layer) implementation in the following versions of Oracle WebLogic Server:

• 11gR1 (10.3.1)
• 10gR3 (10.3.0)
• 10.0 and all maintenance releases of 10.0
• 9.0, 9.1, 9.2 and all maintenance releases of 9.2 prior to 9.2 MP4

Oracle JRockit versions from R27.6.4 (1.6.0_13 and 1.5.0_18) and higher also exhibit this issue.

The solution is to install one of the following patches after upgrading the Java JDK. Note: this issue should be fixed in Weblogic server 10.3.2 and above.

If you still encounter the problem after patching, try one of the following solutions:

1) Select your Server in the Weblogic Console -> SSL -> Advanced -> set “Enable JSSE” to true. Restart your weblogic.
2) Replace the trust store file of jdkjrelibsecuritycacerts with one from earlier JDK (Oracle Doc ID 952078.1).
3) check the contents in the keystore file by issueing the following command: keytool -list -keystore .keystore
Delete the invalid certificates with “keytool -delete -alias mydomain -keystore keystore.jks”