May 23, 2023

PKIX path building failed

This post explains how to import public certificates into Java’s trustStore.

When a server changed its HTTPS/SSL certificate, our older version of Java did not recognize the root certificate authority (CA), and we got the error below.

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

To Fix the Problem

We need to import the root certificate of the certificate authority (the CA that signs or generates the HTTPS/SSL certificate for the website) into the Java trustStore, which is in jre/lib/security/cacerts.

We can get the root certificate in two ways.

  1. Export from a browser.
  2. Use OpenSSL on the command line.

Suppose we are getting an SSLHandshakeException while connecting to www.google.com.

Step 1

Export from a browser like Chrome.

1. Open google.com and click the lock icon.
2. Click "Certificate is Valid".
3. Click the Export button.
4. Save the .crt file.

Export Using OpenSSL in the Command Line

echo | openssl s_client -connect "www.google.com:443"  2>/dev/null | openssl x509 > certificate.pem

You can execute the above command in a Linux shell or in Git Bash on Windows.

For OpenSSL on Windows, check out this URL.

Step 2

Import the .crt or .pem file into the Java trustStore using the Java keytool.

Change the alias in the below command before executing.

/jre/bin/keytool -importcert -cacerts -noprompt -alias <alias> -file certificate.pem -storepass changeit
💡 The default password for this trust store is ‘changeit’.

Done. Now you can restart your Java application.
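
The goal above is to import the CA's root certificate, but `openssl s_client ... | openssl x509` writes the first certificate the server sends, which is the server's own certificate, so it helps to check what a PEM file contains before running keytool. The script below is an added example, not code from the original post: it labels each certificate in a PEM file as root (subject name equals issuer name) or not-root and prints its SHA-256 fingerprint. The function names and the throwaway sample CA it generates with `openssl req` are constructed for illustration.

```shell
# Added example (not from the original post): check a PEM file before importing it.

# Split a PEM bundle into <outdir>/cert-1.pem, cert-2.pem, ... in file order.
split_pem() {  # usage: split_pem bundle.pem outdir
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
  ' "$1"
}

# Print "root" when subject and issuer names match (self-issued), else "not-root".
cert_role() {  # usage: cert_role cert.pem
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ] && echo root || echo not-root
}

# SHA-256 fingerprint, to compare with the value the CA publishes.
cert_fingerprint() {  # usage: cert_fingerprint cert.pem
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# One line per certificate: index, role, fingerprint, subject.
describe_bundle() {  # usage: describe_bundle bundle.pem
  tmp=$(mktemp -d) || return 1
  split_pem "$1" "$tmp"
  i=1
  while [ -f "$tmp/cert-$i.pem" ]; do
    printf '%s %s %s %s\n' "$i" "$(cert_role "$tmp/cert-$i.pem")" \
      "$(cert_fingerprint "$tmp/cert-$i.pem")" \
      "$(openssl x509 -in "$tmp/cert-$i.pem" -noout -subject)"
    i=$((i + 1))
  done
  rm -rf "$tmp"
}

# Constructed sample input: throwaway root CA plus a leaf it signed, leaf first.
make_sample_bundle() {  # usage: make_sample_bundle workdir
  ( cd "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
      -subj "/CN=Constructed Root CA" -days 1 &&
    openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
      -subj "/CN=leaf.example.test" &&
    openssl x509 -req -in leaf.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -out leaf.pem -days 1 &&
    cat leaf.pem root.pem > bundle.pem ) >/dev/null 2>&1
}

work=$(mktemp -d) && make_sample_bundle "$work" && describe_bundle "$work/bundle.pem"
rm -rf "$work"
```

Running `describe_bundle certificate.pem` on the file exported in Step 1 shows whether it holds a root or only the server's certificate, and the fingerprint can be compared with the one the CA publishes before the file goes into cacerts.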


Java SSL Tools

For an easier way, you can use java-ssl-tools (jssl) to ping, install, or uninstall the certificate.
