Certpath issues often get thrown up to the end user in the form of an exception. Here's an example : java.security.cert.CertificateException: Certificates does not conform to algorithm constraints Unfortunately, that doesn't give us too much information. People want to know exactly what went wrong. Was it an invalid Algorithm issue, was it an invalid keySize issue, etc. Here's the issue in SSLContextImpl : } catch (CertPathValidatorException cpve) { throw new CertificateException( "Certificates does not conform to algorithm constraints"); } The cpve here contains valuable information. Example[1] Can we pass it in as 2nd argument to CertificateException ? Examples of info lost : [1] AlgorithmChecker.java // Check the current signature algorithm if (!constraints.permits( SIGNATURE_PRIMITIVE_SET, currSigAlg, currSigAlgParams)) { throw new CertPathValidatorException( "Algorithm constraints check failed: " + currSigAlg, null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);