Imported a certificate .pfx into cacerts and still getting "PKIX...unable to find valid certification path to requested target" error. What do?

Poly Morph · Jul 9, 2015 · Viewed 7.2k times

I wrote a web service client and now fail to get it to run through https, although I imported the cert.pfx (alias=cert) into Java's cacerts and successfully added an entry with the cert's alias.

Still I can't use the wsimport prompt on the WSDL URL. It says: PKIX path building failed unable to find valid certification path to requested target. Well okay. So I researched a bit and tried setting it with

    setlocal
    rem trust store: where Java looks for the server's CA certificates
    rem key store: the PKCS12 client certificate presented to the server
    set _JAVA_OPTIONS=%_JAVA_OPTIONS% ^
      -Djavax.net.ssl.trustStore="C:\Program Files\Java\jdk1.7.0_79\jre\lib\security\cacerts" ^
      -Djavax.net.ssl.trustStorePassword=changeit ^
      -Djavax.net.ssl.keyStoreType=PKCS12 ^
      -Djavax.net.ssl.keyStorePassword=xxxxxxxxx ^
      -Djavax.net.ssl.keyStore="d:\cert.pfx"
    "C:\Program Files\Java\jdk1.7.0_79\bin\wsimport" -s C:\Users\me\keystore\bin\s -keep https://service.xxxxxxxxxxx.de/xxxxxxxxxxxxTest?wsdl
    endlocal

without success.

I also tried exporting the certificate out of the cert.pfx file and then importing the certificate into cacerts via keytool -exportcert and keytool -importcert. Later I tried exporting the certificates from my browser (because my browser handles the certificates just fine and can access the https URL). I exported the root certificate into a root.cer file and imported this .cer into my cacerts (I had to use a different alias than cert. With cert as alias I got a "Keys not matching" message in the console when using the keytool prompt).

A dump of cacerts shows that there is indeed an entry in cacerts. I don't get why Java refuses to do a wsimport on the URL.

In the end I just downloaded the URL destination onto my machine and did the wsimport on the downloaded .xml file and later changed the URL parameters in the generated stubs. Doesn't help though, because when I run the application I'm running into the "PKIX...unable to find valid certification path to requested target" error.

Answer

Katie · Oct 18, 2016

You need to also import the *.der certificate to your keystore before trying to modify the jvm options.

Here's an overall summary of how to import certificates to fix the following error:

Error while trying to execute request. javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

How to import certificates

  1. Go to the URL in your browser, click on the HTTPS certificate chain (little lock symbol next to the URL address) to export the certificate
    • Click "more info" > "security" > "show certificate" > "details" > "export..".
    • Save as .der
    • Repeat for any certificates you need to import
  2. Locate $JAVA_HOME/jre/lib/security/cacerts
  3. Import all *.der files into the cacerts file using the following:

    sudo keytool -import -alias mysitestaging -keystore $JAVA_HOME/jre/lib/security/cacerts -file staging.der
    sudo keytool -import -alias mysiteprod -keystore $JAVA_HOME/jre/lib/security/cacerts -file prod.der
    sudo keytool -import -alias mysitedev -keystore $JAVA_HOME/jre/lib/security/cacerts -file dev.der
    
  4. The default keystore password is 'changeit'.

  5. You can view the change you made with this command, which shows the certificate fingerprint.

    keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts
    
  6. If this doesn't solve the problem, try adding these java options as arguments:

    -Djavax.net.ssl.trustStore="$JAVA_HOME/jre/lib/security/cacerts"
    -Djavax.net.ssl.trustStorePassword="changeit"
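
An added example, not part of the question or answer and not a JDK tool: a small Java program that loads cacerts the way the JVM does and runs the exported .der files through the same X509TrustManager the TLS handshake uses, so you can see offline whether the entries you imported actually anchor the server's chain (the class name and the file arguments are assumptions).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.*;
// Offline check of a browser-exported server chain against a Java trust store.
// Usage: java TrustStoreCheck <cacerts> <password> leaf.der [issuer.der ...]
// The .der files go in chain order: the server certificate first, then its issuers.
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: TrustStoreCheck <cacerts> <password> leaf.der [issuer.der ...]");
            System.exit(2);
        }
        // Load the store the way the JVM loads javax.net.ssl.trustStore (cacerts is a JKS file).
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            trust.load(in, args[1].toCharArray());
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        for (int i = 2; i < args.length; i++) {
            try (InputStream in = new FileInputStream(args[i])) {
                chain.add((X509Certificate) cf.generateCertificate(in));
            }
        }
        // Print the chain and whether each exact certificate is already an entry in the store.
        // For the path to close, the store must hold one of these certs or the last one's issuer.
        for (X509Certificate c : chain) {
            String alias = trust.getCertificateAlias(c); // null when this cert was never imported
            System.out.println("subject: " + c.getSubjectX500Principal());
            System.out.println("  issuer: " + c.getIssuerX500Principal());
            System.out.println("  in trust store: " + (alias == null ? "no" : "yes, alias=" + alias));
        }
        // Run the same PKIX trust manager the TLS handshake uses, so the failure text is the real one.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        try {
            // authType only selects the key-usage check (digitalSignature); the path check is the same.
            tm.checkServerTrusted(chain.toArray(new X509Certificate[0]), "ECDHE_RSA");
            System.out.println("OK: this trust store accepts the chain (hostname not checked here)");
        } catch (CertificateException e) {
            System.out.println("FAILED: " + e.getMessage());
        }
    }
}
```

If the leaf you imported is a client certificate rather than the server's, the listing shows it as present but the check still fails, because the server's issuer is what the store needs; when that issuer is missing, the FAILED line carries the same "PKIX path building failed" message as the error above.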