javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

By Ramlak



javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Are you getting this error? It means the JRE could not build a certification path from the server's certificate to a CA it trusts: the web server or URL you are connecting to does not have a valid certificate from an authorized CA. As a programmer, though, you will want to know how to get past it.

What you need to do is to import the server certificate and install it in your JDK's keystore. If I am talking Greek, it's OK. I too just learnt this. Just follow these steps and you will be able to get rid of that error.

1. First of all, copy the URL that you are connecting to and paste it in your browser. Let us say you are using IE. Just paste the URL in the address bar and press Enter.

2. You will now probably see a dialog box warning you about the certificate. Now click on the 'View Certificate' and install the certificate. Ignore any warning messages.

3. Now that the server certificate is installed on your computer, your browser will not warn you when you visit the same site again. However, your JRE, dumb as it is, does not know about this certificate's existence until you add it to its keystore. Usually you will use keytool to manage certificates. Keytool is a command-line utility with numerous arguments that allow you to create and manage keystores for housing digital certificates. For the complete documentation of keytool, see http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html

4. You can list the current certificates contained within a keystore using the keytool -list command. The initial password for the cacerts keystore is changeit. For example:

    C:\Program Files\Citrix\Citrix Extranet Server\SGJC\jre\bin>keytool -list -keystore ..\lib\security\cacerts
    Enter keystore password: changeit

You will then see something like this:

    Keystore type: jks
    Keystore provider: SUN

    Your keystore contains 11 entries:

    engweb, Wed Apr 11 16:22:49 EDT 2001, trustedCertEntry,
    Certificate fingerprint (MD5): 8C:24:DA:52:7A:4A:16:4B:8E:FB:67:44:C9:D2:E4:16
    thawtepersonalfreemailca, Fri Feb 12 15:12:16 EST 1999, trustedCertEntry,
    Certificate fingerprint (MD5): 1E:74:C3:86:3C:0C:35:C5:3E:C2:7F:EF:3C:AA:3C:D9
    thawtepersonalbasicca, Fri Feb 12 15:11:01 EST 1999, trustedCertEntry,
    Certificate fingerprint (MD5): E6:0B:D2:C9:CA:2D:88:DB:1A:71:0E:4B:78:EB:02:41
    verisignclass3ca, Mon Jun 29 13:05:51 EDT 1998, trustedCertEntry,
    Certificate fingerprint (MD5): 78:2A:02:DF:DB:2E:14:D5:A7:5F:0A:DF:B6:8E:9C:5D
    thawteserverca, Fri Feb 12 15:14:33 EST 1999, trustedCertEntry,
    Certificate fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
    thawtepersonalpremiumca, Fri Feb 12 15:13:21 EST 1999, trustedCertEntry,
    Certificate fingerprint (MD5): 3A:B2:DE:22:9A:20:93:49:F9:ED:C8:D2:8A:E7:68:0D
    verisignclass4ca, Mon Jun 29 13:06:57 EDT 1998, trustedCertEntry,
    Certificate fingerprint (MD5): 1B:D1:AD:17:8B:7F:22:13:24:F5:26:E2:5D:4E:B9:10
    verisignclass1ca, Mon Jun 29 13:06:17 EDT 1998, trustedCertEntry,
    Certificate fingerprint (MD5): 51:86:E8:1F:BC:B1:C3:71:B5:18:10:DB:5F:DC:F6:20
    verisignserverca, Mon Jun 29 13:07:34 EDT 1998, trustedCertEntry,
    Certificate fingerprint (MD5): 74:7B:82:03:43:F0:00:9E:6B:B3:EC:47:BF:85:A5:93
    thawtepremiumserverca, Fri Feb 12 15:15:26 EST 1999, trustedCertEntry,
    Certificate fingerprint (MD5): 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A
    verisignclass2ca, Mon Jun 29 13:06:39 EDT 1998, trustedCertEntry,
    Certificate fingerprint (MD5): EC:40:7D:2B:76:52:67:05:2C:EA:F2:3A:4F:65:F0:D8


5. Now you have to add the previously installed certificate to this keystore. To add it, begin by exporting your CA root certificate as a DER-encoded binary file and save it as C:\root.cer. (You can view the installed certificates under Tools -> 'Internet Options' -> Content -> Certificates. Once you open the certificates, locate the one you just installed under 'Trusted Root Certification Authorities'. Select the right one and click on 'Export'. You can now save it (DER-encoded binary) on your C: drive.)

6. Then use the keytool -import command to import the file into your cacerts keystore. For example:

    keytool -import -alias myprivateroot -keystore ..\lib\security\cacerts -file c:\root.cer
    Enter keystore password: changeit
    Owner: CN=Division name, OU=Department, O=Your Company, L=Anytown,
    ST=NC, C=US, EmailAddress=you@company.com
    Issuer: CN=Division name, OU=Department, O=Your Company, L=Anytown,
    ST=NC, C=US, EmailAddress=you@company.com
    Serial number: 79805d77eecfadb147e84f8cc2a22106
    Valid from: Wed Sep 19 14:15:10 EDT 2001 until: Mon Sep 19 14:23:20 EDT 2101
    Certificate fingerprints:
    MD5: B6:30:03:DC:6D:73:57:9B:F4:EE:13:16:C7:68:85:09
    SHA1: B5:C3:BB:CA:34:DF:54:85:2A:E9:B2:05:E0:F7:84:1E:6E:E3:E7:68
    Trust this certificate? [no]: yes
    Certificate was added to keystore

7. Now run keytool -list again to verify that your private root certificate was added:

    C:\Program Files\Citrix\Citrix Extranet Server\SGJC\jre\bin>keytool -list -keystore ..\lib\security\cacerts

You will now see a list of all the certificates including the one you just added.

This confirms that your private root certificate has been added to the Extranet server cacerts keystore as a trusted certificate authority.




Comments(39)


1. Thanks ! I found it very useful !

By: Rownak Ehsan at 2008-04-29 00:50:10
2. Hello, your post helped me a lot with solving my own problem. But I still have some open questions, e.g. how could I get the certificate without the browser.

But anyway, thanks.

By: Florian Brunner at 2008-06-26 08:59:42
3. Your post helped me to resolve the SSH exception..Thank you

By: Ashwini at 2008-07-14 12:47:32
4. Great!! But when I use wscompile to create a stub, I get the following error:

javax.net.ssl.SSLKeyException: RSA premaster secret error


wscompile -keep -gen:client -d classes -s src config-wsdl.xml
error: modeler error: failed to parse document at "https://?WSDL":
javax.net.ssl.SSLKeyException: RSA premaster secret error

Thx


By: Baven at 2008-07-22 15:55:52
5. Thank you! This article helped me to solve this problem which I had no idea what to do with.

By: Stan Devyatovsky at 2008-09-12 05:20:20
6. Thx, this helped a lot.

How can I import all the certificates from an old Java version to the new one?

Today I updated to version xx.xxx.07 and all previously added certificates are gone in this version.

Importing every one manually again is a little bit boring.

By: Marko at 2008-10-09 01:32:37
7. Thanks, the information was of great use, I appreciate the way things are explained

By: sachin at 2008-12-13 03:37:11
8. Thank You So Much ^,^
I get rid of that error

By: moji junk at 2009-02-24 07:48:19
9. Appreciated. The information is very useful and straightforward even for a new developer.

By: Bala Gummadi at 2009-02-24 10:01:50
10. Thanks. Your post was clear and worked perfectly as I stumbled across this problem today.

Suma.

By: Suma at 2009-03-05 09:40:08
11. This is really helpful.

By: srikanth at 2009-03-11 08:04:04
12. Good, I like it here! I send Gmail with JavaMail and have this exception, it's very bad! Who can help me? Thanks!
jackhexl@gmail.com

By: jackhexl at 2009-04-02 03:29:44
13. Thank you very much!!!

But I have the same error ("javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: ") yet :(

By: Gemis at 2009-04-14 02:37:08
14. Thanks a lot! This really helped!!!

By: SuperSeppel13 at 2009-04-14 04:25:06
15. Thank you very much for sharing information. :)

By: Anonymous at 2009-05-21 08:48:47
16. Thanks it really works good
Continue

By: vipul at 2009-07-14 02:21:18
17. Your example is clear crisp and very helpful..

By: sridhar at 2009-08-06 08:41:14
18. Thanks a lot Ramlak! This is still very useful after 2 years of original posting today on 9 Aug 2009 !

Just one more question: if we don't have I.E. (e.g. Firefox doesn't seem to have an export option), how can I export the certificate?

Thanks.

By: Jacky at 2009-08-08 23:49:12
19. Thanks, it worked.

By: Deepak Varier at 2009-08-19 03:38:07
20. A big thanks to Ramlak for the detailed and crisp solution.

By: Chidanand Gangur at 2009-08-27 06:02:16
21. Thanks, it worked.

By: Eduardo at 2009-09-09 12:16:30
22. Nearly perfect help, but the path I had to use was $JAVA_HOME/jre/lib/security/cacerts instead of $JAVA_HOME/lib/security/cacerts

Thanks
Martin

By: Martin Zeltner at 2009-09-15 04:15:19
23. Thank you very much for your help!!

By: Ajay Singh at 2009-10-21 22:17:21
24. Hello.

And if the certificate is self-signed so I haven't a CA root?

How do I have to proceed?

Thanks,
Mario

By: Mario at 2009-11-11 08:42:46
25. Just used InstallCert.java successfully so that my build server's Hudson could connect to Jira using the Hudson Jira plugin. My company's Jira instance is on SSL. Thanks!

By: Anthony Pelosi at 2009-12-30 15:52:17
26. Great details you provided here, very straight forward to follow. Cheers.

By: Jackie Wong at 2010-02-05 10:52:25
27. Thank you for the very good article.

By: Pakornsak S at 2010-02-08 04:35:05
28. Thank you for your help !

By: vadym at 2010-03-03 06:35:01
29. But I have the same error ("javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: ") yet

By: azeemuddin at 2010-03-04 07:25:33
30. This is by far the easiest way I have yet seen, many thanks. I was continually messing around trying to get SSL configured correctly and this will save me a lot of time and effort. I think I also had to restart the server for the JVM to pick up the new certificate.

By: doahh at 2010-03-08 11:23:48
31. Thanks. But I've also had to use $JAVA_HOME/jre/lib/security/cacerts
Thanks Martin Zeltner!

By: Alex at 2010-03-15 04:17:09
32. Thanks a lot! simple and clear explanation! Great!

By: Fabio Henrique at 2010-03-29 15:23:56
33. excellent, very clear, thx!!!

By: ma at 2010-04-07 07:42:47
34. Your post was very informative... Thanks a lot. My problem finally got solved

By: Rohit Shaw at 2010-04-12 04:29:02
35. Thanks
Your solution helped me a lot :)


By: sendhil at 2010-05-28 01:12:41
36. Your solution really helped me. Thanks for your information.

By: Rajakumar at 2010-05-31 06:05:53
37. Thanks
thank you very much
Excellent


By: Alfredo at 2010-05-31 09:00:36
38. Really great way of explanation..... :)
Thanks.....

By: akram at 2010-07-08 04:07:17
39. Hi, thanks for the post.
I am stuck on step 2. I am not getting the warning dialog when I try the same URL in IE, and the certificate is not listed in Options->Content.
Any help?

By: david_david at 2010-08-21 01:10:19
