Encryption Facility considerations when changing Java release levels

IBM Java Technology Edition, Version 7 Release 1 and earlier allowed the creation and use of X.509 certificates with a null distinguished name (DN). X.509 certificates with a null DN are invalid because they are essentially certificates with no identity, and they may not be accepted by other products. While it is unlikely that you would be using an X.509 certificate with a null DN, it is possible. Because IBM Java Technology Edition, Version 8 and later no longer supports X.509 certificates with a null DN, Java keystores that contain a certificate with a null DN will not load and are unusable. Therefore, X.509 certificates with a null DN must be removed prior to migrating to IBM Java Technology Edition, Version 8 or later.

Before migrating to IBM Java Technology Edition, Version 8 or later, use Encryption Facility's list commands (-pA or -pK) to determine if you have any X.509 certificates with a null DN and then use Encryption Facility's delete commands (-xA or -xK) to remove them.
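As a cross-check on the list commands, the following added example (not IBM or Encryption Facility code) scans a keystore with the standard java.security.KeyStore API and reports every alias whose certificate, or any certificate in its chain, has an empty subject DN. The class name NullDnScan, the command-line arguments, and the reading of "null DN" as an empty subject name are assumptions of this example; run it on the Java level you are migrating from, because Version 8 and later will not load an affected keystore.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Hypothetical helper class; the name and arguments are not part of any IBM tool.
public class NullDnScan {
    // True when the certificate is X.509 and its subject DN has no attributes.
    static boolean hasNullSubject(Certificate c) {
        return c instanceof X509Certificate
            && ((X509Certificate) c).getSubjectX500Principal().getName().isEmpty();
    }

    // Returns the aliases that hold at least one certificate with a null subject DN.
    static List<String> scan(KeyStore ks) throws Exception {
        List<String> hits = new ArrayList<String>();
        for (String alias : Collections.list(ks.aliases())) {
            List<Certificate> certs = new ArrayList<Certificate>();
            Certificate own = ks.getCertificate(alias);          // trusted or end-entity cert
            if (own != null) certs.add(own);
            Certificate[] chain = ks.getCertificateChain(alias); // null for non-key entries
            if (chain != null) certs.addAll(Arrays.asList(chain));
            for (Certificate c : certs) {
                if (hasNullSubject(c)) { hits.add(alias); break; }
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2 || System.console() == null) {
            System.err.println("usage (interactive): java NullDnScan <keystore-type> <keystore-file>");
            System.exit(2);
        }
        // The password is prompted for so that it never appears in the process arguments.
        char[] password = System.console().readPassword("Keystore password: ");
        KeyStore ks = KeyStore.getInstance(args[0]);
        InputStream in = new FileInputStream(args[1]);
        try { ks.load(in, password); } finally { in.close(); }
        List<String> hits = scan(ks);
        for (String alias : hits) System.out.println("null DN: " + alias);
        System.exit(hits.isEmpty() ? 0 : 1);                    // non-zero when cleanup is needed
    }
}
```

An exit status of 1 means at least one alias still needs to be deleted with -xA or -xK before the migration.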

If you migrate to IBM Java Technology Edition, Version 8 or later before removing all X.509 certificates with a null DN, you will need to remove these with other tooling (for example, Java keytool) or migrate back to your previous IBM Java level and use Encryption Facility's delete commands (-xA or -xK) to remove them.

With the latest level of service, Encryption Facility checks for and does not allow the creation of an X.509 certificate with a null DN.

Note: IBM Java keystores created with IBM Java Technology Edition, Version 7 or later cannot be accessed by IBM Java Technology Edition, Version 6.0.1 or earlier due to stronger encryption. Once you have migrated to IBM Java Technology Edition, Version 7 or later, it is not recommended that you migrate to a prior IBM Java version.

For more information, see http://www-01.ibm.com/support/docview.wss?uid=isg3T1022007.

Note: Before deleting an X.509 certificate, ensure that you do not have data encrypted using the public key within it. Data encrypted using the public key must be decrypted and then encrypted using another public key before you delete the X.509 certificate and its public key.