Проверка цепочки сертификатов при проверке подписи:

/**
 * Checks the certificates in {@code rootCerts} and then the signer's certificate,
 * throwing as soon as one of them has no verifiable issuer in {@code rootCerts}.
 *
 * <p>Each check delegates to {@link Verify#getValidCaCert}, which matches issuer and subject
 * names and verifies the certificate signature. Nothing in this method checks validity
 * dates, CA basic constraints, key usage or revocation status.
 *
 * <p>NOTE(review): a self-signed entry of {@code rootCerts} satisfies the first pass by
 * verifying against itself, so the result is only as trustworthy as the origin of that list.
 * It should come from a trusted store, not from the signed data being verified; confirm at
 * the call site.
 *
 * @param certificate the signer's certificate to validate
 * @param rootCerts   the CA certificates used as issuers, for each other and for {@code certificate}
 * @throws RuntimeException if an entry of {@code rootCerts} or {@code certificate} has no
 *                          issuer in {@code rootCerts} whose key verifies its signature
 */
private static void validateAllCerts(X509Certificate certificate, List<X509Certificate> rootCerts) {
        // Pass 1: every certificate in rootCerts must itself be signed by a member of rootCerts.
        for (X509Certificate trustedCert : rootCerts) {
            if (Verify.getValidCaCert(trustedCert, rootCerts) == null) {
                throw new RuntimeException("Error: root certificates is not validated");
            }
        }
        // Pass 2: the signer's certificate must be signed by a member of rootCerts.
        if (Verify.getValidCaCert(certificate, rootCerts) == null) {
            throw new RuntimeException("Error: user certificate is not validated");
        }
    }


    /**
     * Finds the first certificate in {@code caCerts} that issued {@code signerCert}.
     *
     * <p>A candidate is accepted when its subject name equals the issuer name of
     * {@code signerCert} and its public key verifies the signature on {@code signerCert},
     * using the provider named by {@code GammaTechProvider.PROVIDER_NAME}.
     *
     * <p>This is a name-and-signature check only. The method does not call
     * {@code checkValidity()} and does not inspect basic constraints, key usage or revocation
     * status, so an expired or non-CA certificate in {@code caCerts} is accepted as an issuer.
     * NOTE(review): confirm whether callers perform those checks elsewhere.
     *
     * @param signerCert the certificate whose issuer is being looked up
     * @param caCerts    candidate issuer certificates, tried in list order
     * @return the first matching issuer certificate, or {@code null} if none matches
     */
    public static X509Certificate getValidCaCert(X509Certificate signerCert, List<X509Certificate> caCerts) {
        for (X509Certificate candidate : caCerts) {
            try {
                boolean issuedByCandidate =
                        signerCert.getIssuerX500Principal().equals(candidate.getSubjectX500Principal());
                if (!issuedByCandidate) {
                    continue;
                }
                // verify() throws when the signature does not match the candidate's key.
                signerCert.verify(candidate.getPublicKey(), GammaTechProvider.PROVIDER_NAME);
                return candidate;
            } catch (Exception ignored) {
                // Any failure on this candidate means "not the issuer": move on to the next one.
                // This fails closed, since the caller receives null. It also hides
                // NoSuchProviderException and NullPointerException, so a missing crypto provider
                // or a null argument looks the same as an untrusted certificate.
            }
        }
        return null;
    }

