Table of Contents

This blog will discuss how to Import Public Certificates into Java’s trustStore.

When a server changed its HTTPS SSL certificate, our older version of Java did not recognize the root certificate authority (CA). and got the below error.

Caused by: PKIX path building failed: unable to find valid certification path to requested target

To Fix Problem

We need to Import the root certificate of a certificate authority (CA who signs or generates the HTTPS/SSL certificate for the website ) in Java trustStore which is in jre/lib/security/cacerts.

We can get the root certificate in two ways.

  1. Export from a browser.
  2. using OpenSSL in the Command Line.

Suppose we are getting SSLHandshakeException while connecting the

Step 1

Export from a browser like Chrome.

1. open and click on the lock icon button
2. Click on Certificate is Valid
3. Click On the Export Button.
4. Save the .crt file.

Export Using OpenSSL in the Command Line

echo | openssl s_client -connect ""  2>/dev/null | openssl x509 > certificate.pem
You Can Execute the above cmd in Linux Shell or Git Bash Shell On Windows.
For OpenSSL on Windows CheckOut this Url

Step 2

Import the .crt or .pem file in the Java trustStore using Java keytool

Change the alias in the below command before executing.

/jre/bin/keytool -importcert -cacerts -noprompt -alias <alias> -file certificate.pem -storepass changeit
The default password for this trust store is ‘changeit

Done. Now you can restart your Java Application.

Java SSL Tools

For doing in an easy way you can use java-ssl-tools (jssl)

To ping, install, or uninstall the certificate.

Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to BugFix.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.