javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
By: Ramlak
Are you getting this error? It simply means that the web server or URL you are connecting to does not have a valid certificate from an authorized CA. As a programmer, however, you will want to find a way to solve this issue.
What you need to do is import the server certificate and install it in your JDK's keystore. If I am talking Greek, it's OK. I too just learnt this. Just follow these steps and you will be able to get rid of that error.
- First, copy the URL that you are connecting to and paste it into your browser. Let us say you are using IE: paste the URL into the address bar and press Enter.
- You will now probably see a dialog box warning you about the certificate. Click 'View Certificate' and install the certificate. Ignore any warning messages.
- Now that the server certificate is installed on your computer, your browser will not warn you when you visit the same site again. However, your JRE, dumb as it is, does not know about this certificate until you add it to its keystore. Usually you will use keytool to manage certificates. keytool is a command-line utility with numerous arguments that allow you to create and manage keystores for housing digital certificates. For the complete documentation of keytool, see http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html
- You can list the certificates currently contained in a keystore using the keytool -list command. The initial password for the cacerts keystore is changeit. For example:
C:\Program Files\Citrix\Citrix Extranet Server\SGJC\jre\bin>keytool -list -keystore ..\lib\security\cacerts
Enter keystore password: changeit
You will then see something like this:
Keystore type: jks
Keystore provider: SUN
Your keystore contains 11 entries:
engweb, Wed Apr 11 16:22:49 EDT 2001, trustedCertEntry,
Certificate fingerprint (MD5): 8C:24:DA:52:7A:4A:16:4B:8E:FB:67:44:C9:D2:E4:16
thawtepersonalfreemailca, Fri Feb 12 15:12:16 EST 1999, trustedCertEntry,
Certificate fingerprint (MD5): 1E:74:C3:86:3C:0C:35:C5:3E:C2:7F:EF:3C:AA:3C:D9
thawtepersonalbasicca, Fri Feb 12 15:11:01 EST 1999, trustedCertEntry,
Certificate fingerprint (MD5): E6:0B:D2:C9:CA:2D:88:DB:1A:71:0E:4B:78:EB:02:41
verisignclass3ca, Mon Jun 29 13:05:51 EDT 1998, trustedCertEntry,
Certificate fingerprint (MD5): 78:2A:02:DF:DB:2E:14:D5:A7:5F:0A:DF:B6:8E:9C:5D
thawteserverca, Fri Feb 12 15:14:33 EST 1999, trustedCertEntry,
Certificate fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
thawtepersonalpremiumca, Fri Feb 12 15:13:21 EST 1999, trustedCertEntry,
Certificate fingerprint (MD5): 3A:B2:DE:22:9A:20:93:49:F9:ED:C8:D2:8A:E7:68:0D
verisignclass4ca, Mon Jun 29 13:06:57 EDT 1998, trustedCertEntry,
Certificate fingerprint (MD5): 1B:D1:AD:17:8B:7F:22:13:24:F5:26:E2:5D:4E:B9:10
verisignclass1ca, Mon Jun 29 13:06:17 EDT 1998, trustedCertEntry,
Certificate fingerprint (MD5): 51:86:E8:1F:BC:B1:C3:71:B5:18:10:DB:5F:DC:F6:20
verisignserverca, Mon Jun 29 13:07:34 EDT 1998, trustedCertEntry,
Certificate fingerprint (MD5): 74:7B:82:03:43:F0:00:9E:6B:B3:EC:47:BF:85:A5:93
thawtepremiumserverca, Fri Feb 12 15:15:26 EST 1999, trustedCertEntry,
Certificate fingerprint (MD5): 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A
verisignclass2ca, Mon Jun 29 13:06:39 EDT 1998, trustedCertEntry,
Certificate fingerprint (MD5): EC:40:7D:2B:76:52:67:05:2C:EA:F2:3A:4F:65:F0:D8
- Now you have to add the previously installed certificate to this keystore. To add it, begin by exporting your CA root certificate as a DER-encoded binary file and save it as C:\root.cer. (You can view the installed certificates under Tools -> 'Internet Options' -> Content -> Certificates. Once you open the certificates, locate the one you just installed under 'Trusted Root Certification Authorities'. Select the right one and click 'Export'. You can now save it (DER-encoded binary) on your C: drive.)
- Then use the keytool -import command to import the file into your cacerts keystore.
For example:
C:\Program Files\Citrix\Citrix Extranet Server\SGJC\jre\bin>keytool -import -alias myprivateroot -keystore ..\lib\security\cacerts -file c:\root.cer
Enter keystore password: changeit
Owner: CN=Division name, OU=Department, O=Your Company, L=Anytown,
ST=NC, C=US, EmailAddress=you@company.com
Issuer: CN=Division name, OU=Department, O=Your Company, L=Anytown,
ST=NC, C=US, EmailAddress=you@company.com
Serial number: 79805d77eecfadb147e84f8cc2a22106
Valid from: Wed Sep 19 14:15:10 EDT 2001 until: Mon Sep 19 14:23:20 EDT 2101
Certificate fingerprints:
MD5: B6:30:03:DC:6D:73:57:9B:F4:EE:13:16:C7:68:85:09
SHA1: B5:C3:BB:CA:34:DF:54:85:2A:E9:B2:05:E0:F7:84:1E:6E:E3:E7:68
Trust this certificate? [no]: yes
Certificate was added to keystore
- Now run keytool -list again to verify that your private root certificate was added:
C:\Program Files\Citrix\Citrix Extranet Server\SGJC\jre\bin>keytool -list -keystore ..\lib\security\cacerts
You will now see a list of all the certificates including the one you just added.
This confirms that your private root certificate has been added to the Extranet server cacerts keystore as a trusted certificate authority.
Comments(53)
1. Thanks ! I found it very useful !
By: Rownak Ehsan at 2008-04-29 00:50:10
2. Hello, your post helped me a lot with solving my own problem. But I still have some open questions, e.g. how could I get the certificate without the browser.
But anyway, thanks.
By: Florian Brunner at 2008-06-26 08:59:42
3. Your post helped me to resolve the SSH exception..Thank you
By: Ashwini at 2008-07-14 12:47:32
4. Great!! But when I use wscompile to create stub,I get the following error :
javax.net.ssl.SSLKeyException: RSA premaster secret error
wscompile -keep -gen:client -d classes -s src config-wsdl.xml
error: modeler error: failed to parse document at "https://?WSDL":
javax.net.ssl.SSLKeyException: RSA premaster secret error
Thx
By: Baven at 2008-07-22 15:55:52
5. Thank you! This article helped me to solve this problem which I had no idea what to do with.
By: Stan Devyatovsky at 2008-09-12 05:20:20
6. Thx, this helped a lot.
How can I import all the certificates from an old Java version to the new one?
Today I updated to version xx.xxx.07 and all previously added certificates are gone in this version.
Importing every one manually again is a little bit boring.
By: Marko at 2008-10-09 01:32:37
7. Thanks, the information was of great use, I appreciate the way things are explained
By: sachin at 2008-12-13 03:37:11
8. Thank You So Much ^,^
I get rid of that error
By: moji junk at 2009-02-24 07:48:19
9. Appreciated. The information is very useful and straightforward even for a new developer.
By: Bala Gummadi at 2009-02-24 10:01:50
10. Thanks. Your post was clear and worked perfectly as I stumbled across this problem today.
Suma.
By: Suma at 2009-03-05 09:40:08
11. This is really helpful.
By: srikanth at 2009-03-11 08:04:04
12. Good, I like it here! I send Gmail with JavaMail and have this exception, it's very bad! Who can help me!! Thanks!
jackhexl@gmail.com
By: jackhexl at 2009-04-02 03:29:44
13. Thank you very much!!!
But I have the same error ("javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: ") yet :(
By: Gemis at 2009-04-14 02:37:08
14. Thanks a lot! This really helped!!!
By: SuperSeppel13 at 2009-04-14 04:25:06
15. Thank you very much for sharing the information. :)
By: Anonymous at 2009-05-21 08:48:47
16. Thanks it really works good
Continue
By: vipul at 2009-07-14 02:21:18
17. Your example is clear crisp and very helpful..
By: sridhar at 2009-08-06 08:41:14
18. Thanks a lot Ramlak! This is still very useful after 2 years of original posting today on 9 Aug 2009 !
Just one more question: if we don't have I.E. (e.g. Firefox doesn't seem to have an export option), how can I export the certificate?
Thanks.
By: Jacky at 2009-08-08 23:49:12
19. Thanks, it worked.
By: Deepak Varier at 2009-08-19 03:38:07
20. A big thanks to Ramlak for the detailed and crisp solution.
By: Chidanand Gangur at 2009-08-27 06:02:16
21. Thanks, it worked.
By: Eduardo at 2009-09-09 12:16:30
22. Nearly perfect help, but the path I had to use was $JAVA_HOME/jre/lib/security/cacerts instead of $JAVA_HOME/lib/security/cacerts
Thanks
Martin
By: Martin Zeltner at 2009-09-15 04:15:19
23. Thank you very much for your help!!
By: Ajay Singh at 2009-10-21 22:17:21
24. Hallo.
And if the certificate is self-signed so I haven't a CA root?
How do I have to proceed?
Thanks,
Mario
By: Mario at 2009-11-11 08:42:46
25. Just used InstallCert.java successfully so that my build server's Hudson could connect to Jira using the Hudson Jira plugin. My company's Jira instance is on SSL. Thanks!
By: Anthony Pelosi at 2009-12-30 15:52:17
26. Great details you provided here, very straight forward to follow. Cheers.
By: Jackie Wong at 2010-02-05 10:52:25
27. Thank you for Very good article.
By: Pakornsak S at 2010-02-08 04:35:05
28. Thank you for your help !
By: vadym at 2010-03-03 06:35:01
29. But I have the same error ("javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: ") yet
By: azeemuddin at 2010-03-04 07:25:33
30. This is by far the easiest way I have yet seen, many thanks. I was continually messing around trying to get SSL configured correctly and this will save me a lot of time and effort. I think I also had to restart the server for the JVM to pick up the new certificate.
By: doahh at 2010-03-08 11:23:48
31. Thanks. But I've also had to use $JAVA_HOME/jre/lib/security/cacerts
Thanks Martin Zeltner!
By: Alex at 2010-03-15 04:17:09
32. Thanks a lot! simple and clear explanation! Great!
By: Fabio Henrique at 2010-03-29 15:23:56
33. excellent, very clear, thx!!!
By: ma at 2010-04-07 07:42:47
34. Your post was very informative... Thanks a lot. My problem finally got solved
By: Rohit Shaw at 2010-04-12 04:29:02
35. Thanks
Your solution helped me a lot :)
By: sendhil at 2010-05-28 01:12:41
36. Your solution really helped me. Thanks for your information.
By: Rajakumar at 2010-05-31 06:05:53
37. Thanks
thank you very much
Excellent
By: Alfredo at 2010-05-31 09:00:36
38. Really great way of explanation..... :)
Thanks.....
By: akram at 2010-07-08 04:07:17
39. Hi, thanks for the post.
I am stuck on step 2. The warning dialog does not appear when I try the same URL in IE, and the certificate is not listed in Options->Content..
any help ?
By: david_david at 2010-08-21 01:10:19
40. Thank you very much..
This helped me a lot.
By: Rabeea AS at 2010-11-15 00:28:29
41. Thank you very much. Very useful. You are the best....
By: lin at 2011-01-19 00:09:35
42. Your solution has really helped me and educated me. Thanks for the tips. :-)
By: Tziq at 2011-01-25 08:06:06
43. Awesome work! Ramlak, thank you for your help!
By: ico at 2011-03-21 04:23:11
44. Thank you, you save my day!!
By: jano at 2011-05-26 17:20:47
45. Thanks a lot lot lot for this... u saved me...
By: Sourabh Idoorkar at 2011-06-10 04:25:10
46. Thanks a lot for this very fruitful and amazingly fast
By: Gaurav Saxna at 2011-06-15 06:20:18
47.
hi,
How to create certificate from https://.... url which does not provide the certificate
thanks in advance
By: CN Balu Ramesh at 2011-07-19 08:38:31
48. I don't want my client using my application to do all the steps you mentioned. Is there any other way??
By: zaffa at 2011-07-27 06:52:09
49. Thanks, very helpful. Worked perfectly.
By: Bob Knob at 2011-07-27 18:22:18
50. Dude, you made my day.
By: Sebastián at 2011-08-29 14:01:10
51. Thanks a lot lot lot for this, but when I run the application from the IDE it doesn't give any exception and the strange thing is when I run from the command line I get the same exception
By: Kedjimo at 2011-10-06 06:13:10
52. Hi. When I click on Install certificate, it tells me "The import was successful". And when I log in to the site again it shows me the same certificate error and I don't see a Citrix folder in my c:/Program Files folder... Need help... Thanks in advance!
By: jaris at 2011-10-18 11:00:41
53. Thank you very much you resolved my issue.
By: ketan at 2012-02-01 11:16:47