unable to find valid certification path to requested target或Certificate chaining error的解决办法

当我们通过客户端java程序访问一个运行HTTPS/SSL协议的服务器时，我们会遇到下面的错误：

unable to find valid certification path to requested target 或者

The certificate issued by ... is not trusted; internal cause is:java.security.cert.CertPathValidatorException: Certificate chaining error

通常这种情况下是因为服务器的部分或者全部证书 不是 由 证书颁发机构颁发的，而是自生成或者有其他私人机构颁发的，所以我们本地的truststore对服务器证书进行校验的时候

发现其不是可信的，因此报错。

下面是oracle官方对这个问题的一个解决办法：https://blogs.oracle.com/gc/entry/unable_to_find_valid_certification

这时我们可以用官方提供的 InstallCert.java 把服务器的证书加入到本地的truststore，这样就可以了。

 

InstallCert.java的使用向导如下：

Java program written by Andreas Sterbenz, and posted on a blog in Oct, 2006:
https://blogs.oracle.com/gc/entry/unable_to_find_valid_certification

Link to Java program in Andreas' blog no longer works, but the source was linked in another blog:
http://nodsw.com/blog/leeland/2006/12/06-no-more-unable-find-valid-certification-path-requested-target

Usage:
Need to compile, first:
javac InstallCert.java

# Access server, and retrieve certificate (accept default certificate 1)
java InstallCert [host]:[port]

# Extract certificate from created jssecacerts keystore
keytool -exportcert -alias [host]-1 -keystore jssecacerts -storepass changeit -file [host].cer

# Import certificate into system keystore
keytool -importcert -alias [host] -keystore [path to system keystore] -storepass changeit -file [host].cer

# Example:
java InstallCert woot.com:443

    Loading KeyStore /usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/security/cacerts...
    Opening connection to woot.com:443...
    Starting SSL handshake...

    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    <...>

    Server sent 1 certificate(s):

     1 Subject O=Woot Inc, C=US, ST=Texas, L=Carrollton, CN=*.woot.com
       Issuer  CN=SecureTrust CA, O=SecureTrust Corporation, C=US
       sha1    4b 46 ca 6b 83 05 b3 51 ff c6 e7 9c fd b3 9b e3 3f 2e c4 53
       md5     e8 a5 88 1b d5 67 bb fc 88 cc b1 c5 2b ac c4 7d

    Enter certificate to add to trusted keystore or 'q' to quit: [1]

[enter]

    [
    [
      Version: V3
      Subject: O=Woot Inc, C=US, ST=Texas, L=Carrollton, CN=*.woot.com
      Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

    <...>

    Added certificate to keystore 'jssecacerts' using alias 'woot.com-1'

keytool -exportcert -alias woot.com-1 -keystore jssecacerts -storepass changeit -file woot.com.cer

    geit -file woot.com.cer
    Certificate stored in file <woot.com.cer>
 
(sudo) keytool -importcert -alias woot.com -keystore /usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/security/cacerts -storepass changeit -file woot.com.cer

    Owner: O=Woot Inc, C=US, ST=Texas, L=Carrollton, CN=*.woot.com
    Issuer: CN=SecureTrust CA, O=SecureTrust Corporation, C=US
 
    <...>
 
    Trust this certificate? [no]:
 
yes

    Certificate was added to keystore