CertPathValidator.validate is throwing CertPathValidatorException, with getMessage="basic constraints check failed: this is not a CA certificate", with getCertPath showing two certificates, the first certificate being mine and the second certificate being the root CA that mine was derived from, and with getIndex=1. The suspect root CA is also present in the cacerts that is passed via "params". Question is, how can one tell whether a certificate is a root CA or not? No method of java.security.cert.Certificate or X509Certificate appears to help. Thanks.
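
The check asked about above, as an added example that is not part of the original post: X509Certificate.getBasicConstraints() reports whether a certificate is a CA, and a subject/issuer comparison plus signature verification reports whether it is self-signed (a root). The class name CaCheck and its helper methods are hypothetical, and the JDK default trust store is used as sample input.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class CaCheck { // hypothetical name, added example
    // getBasicConstraints() returns -1 when the basicConstraints extension is
    // absent or its cA flag is false; otherwise it returns the pathLenConstraint
    // (Integer.MAX_VALUE when the CA has no path length limit).
    static boolean isCa(X509Certificate c) {
        return c.getBasicConstraints() != -1;
    }

    // Self-signed: subject equals issuer and the signature verifies under the
    // certificate's own public key.
    static boolean isSelfSigned(X509Certificate c) {
        if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) return false;
        try {
            c.verify(c.getPublicKey());
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    static String describe(X509Certificate c) {
        int pathLen = c.getBasicConstraints();
        String ca = !isCa(c) ? "not a CA"
                : pathLen == Integer.MAX_VALUE ? "CA, no path length limit"
                : "CA, pathLen=" + pathLen;
        // Extensions exist only in X.509 v3, so a v1 root never reports as a CA.
        return String.format("v%d | %s | %s | %s", c.getVersion(), ca,
                isSelfSigned(c) ? "self-signed" : "issued by another CA",
                c.getSubjectX500Principal().getName());
    }

    public static void main(String[] args) throws Exception {
        // Sample input (assumption): the JDK default trust store, selected by null.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers()) {
                System.out.println(describe(c));
            }
        }
    }
}
```

Running describe on each certificate returned by getCertPath().getCertificates() shows which entry fails isCa. By PKIX convention the trust anchor's own certificate is supplied through the validator parameters and left out of the CertPath.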