imported a certificate.pfx into cacerts and still getting "PKIX...unable to find valid certification path to requested target" error. What do?
I wrote a webservice client and now fail to get it to run through https. Although I imported the cert.pfx(alias=cert) into javas cacerts and succesfully added an entry with the certs alias.
Still i cant use the wsimport prompt on the wsdl url. It says: PKIX path building failed unable to find valid certification path to requested target. Well okay. So i researched a bit and tried setting it with
setlocal set _JAVA_OPTIONS=%_JAVA_OPTIONS%
-Djavax.net.ssl.trustStore="C:\Program Files\Java\jdk1.7.0_79\jre\lib\security\cacerts"
-Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.keyStoreType=PKCS12 -Djavax.net.ssl.keyStorePassword=xxxxxxxxx -Djavax.net.ssl.keyStore="d:\cert.pfx" "C:\Program Files\Java\jdk1.7.0_79\bin\wsimport" -s C:\Users\me\keystore\bin\s
-keep https://service.xxxxxxxxxxx.de/xxxxxxxxxxxxTest?wsdl endlocal
without success.
I also tried exporting the certificate out of the cert.pfx file and then importing the certificate into cacerts via keytool -exportcert and keytool -importcert. Later I tried exporting the certificates from my browser (because my browser handles the certificates just fine and can access the https url). I exported the root certificate into a root.cer file and imported this .cer into my cacerts (I had to use a different alias than cert. With cert as alias i got a "Keys not matching" message in the console when using the keytool prompt).
A dump on cacerts shows that there is indeed an entry in cacerts. I dont get why java refuses to do a wsimport on the url.
In the end i just downloaded the url destination onto my machine and did the wsimport on the downloaded .xml-file and later changed the url parameters in the generated stubs. Doesnt help though, because when i run the application im running into the "PKIX...unable to find valid certification path to requested target" error.
Answer
You need to also import the *.der certificate to your keystore before trying to modify the jvm options.
Here's an overall summary of how to import certificates to fix the following error:
Error while trying to execute request. javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
How to import certificates
- Go to URL in your browser, click on HTTPS certificate chain (little lock symbol next to URL address) to export the certificate
- Click "more info" > "security" > "show certificate" > "details" > "export..".
- Save as
.der - Repeat for any certificates you need to import
- Locate $JAVA_HOME/jre/lib/security/cacerts
Import all *.der files into the cacerts file using the following:
sudo keytool -import -alias mysitestaging -keystore $JAVA_HOME/jre/lib/security/cacerts -file staging.der sudo keytool -import -alias mysiteprod -keystore $JAVA_HOME/jre/lib/security/cacerts -file prod.der sudo keytool -import -alias mysitedev -keystore $JAVA_HOME/jre/lib/security/cacerts -file dev.derThe default keystore password is 'changeit'
You can view the change that you made with this command that shows the Certificate fingerprint.
keytool -list -keystore $JAVA_HOME/jre/lib/security/cacertsIf this doesn't solve the problem, try adding these java options as arguments:
-Djavax.net.ssl.trustStore="$JAVA_HOME/jre/lib/security/cacerts" -Djavax.net.ssl.trustStorePassword="changeit"