The Certification Path API is new for JDK 1.4. It is a set of functions for building and validating certification paths or chains. This is done implicitly in protocols like SSL/TLS (see What is Secure Sockets Layer/Transport Layer Security?) and JAR file signature verification, but can now be done explicitly in applications with this support.

As mentioned in What are digital certificates?, a CA can sign a certificate with its private key, and if the recipient holds the CA certificate that has the public key needed for signature verification, it can verify the validity of the signed certificate.

In this case, the chain of certificates is of length two -- the anchor of trust (the CA certificate) and the signed certificate. A self-signed certificate is of length one -- the anchor of trust is the signed certificate itself.

Chains can be of arbitrary length, so in a chain of three, a CA anchor of trust certificate can sign an intermediate certificate; the owner of this certificate can use its private key to sign another certificate. The CertPath API can be used to walk the chain of certificates to verify validity, as well as to construct these chains of trust.

Certificates have expiration dates, but can be compromised before they expire, so Certificate Revocation Lists (CRL) must be checked to really ensure the integrity of a signed certificate. These lists are available on the CA Web sites, and can also be programmatically manipulated with the CertPath API.

The specific API and code examples are beyond the scope of this tutorial, but Sun has several code examples available in addition to the API documentation.