The PKIX standards define an algorithm for validating certification paths consisting of X.509 certificates. Often a user may not have a certification path from a most-trusted CA to the subject. Helpful comments and advice were received from many in the technical community, especially Mary Dageforde, Edward Dobner, Tom Gindin, Jan Luehe, David Kuehr-McLaren, Parag Salvi, Alexei Semidetnov, and Yanni Zhang. This document is intended for two classes of experienced developers: Users of public key applications and systems must be confident that a subject's public key is genuine, i.e., that the associated private key is owned by the subject. Refer to JSR 55: Certification Path API for more information.
A public key (or identity) certificate is a binding of a public key to an identity, which is digitally signed by the private key of another entity, often called a Certification Authority (CA).
The Java Certification Path API consists of classes and interfaces for handling certification paths (also known as "certificate chains").
A certification path is an ordered list of certificates.
If a certification path meets certain validation rules, it may be used to securely establish the mapping of a public key to a subject.
This API defines interfaces and abstract classes for creating, building, and validating certification paths.
This logic can be applied recursively, until a chain of certificates (or a certification path) is discovered from a general, a certification path is an ordered list of certificates, usually comprised of the end-entity's public key certificate and zero or more additional certificates.
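The validation step described above, as an added example that is not code from the original guide: it builds a certification path from a PEM file and validates it against one trust anchor with the PKIX algorithm. The class name ValidatePath and the two file arguments are assumptions; the chain file is assumed to hold the end-entity certificate first and not to include the anchor.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Hypothetical class name; usage: java ValidatePath <chain.pem> <anchor.pem>
public class ValidatePath {
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java ValidatePath <chain.pem> <anchor.pem>");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        // The ordered list of certificates: end entity first, then intermediates.
        // The trust anchor itself is not part of the path.
        List<Certificate> chain;
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            chain = new ArrayList<>(cf.generateCertificates(in));
        }
        CertPath path = cf.generateCertPath(chain);

        // The most-trusted CA certificate the path must chain up to.
        X509Certificate root;
        try (InputStream in = Files.newInputStream(Paths.get(args[1]))) {
            root = (X509Certificate) cf.generateCertificate(in);
        }
        PKIXParameters params = new PKIXParameters(
                Collections.singleton(new TrustAnchor(root, null)));
        // Assumption: offline run, so CRL/OCSP checks are switched off here.
        // Leave revocation checking enabled when validating real peers.
        params.setRevocationEnabled(false);

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        try {
            PKIXCertPathValidatorResult result =
                    (PKIXCertPathValidatorResult) validator.validate(path, params);
            System.out.println("valid; anchor = "
                    + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
            System.out.println("subject key algorithm = " + result.getPublicKey().getAlgorithm());
        } catch (CertPathValidatorException e) {
            // getIndex() is the position in the path of the failing certificate (-1 if none).
            System.out.println("invalid at index " + e.getIndex() + ": "
                    + e.getReason() + " (" + e.getMessage() + ")");
            System.exit(1);
        }
    }
}
```

Only the public key returned in the validator result should be treated as bound to the subject; a certificate that merely parses has not been checked against any trust anchor.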