PKIX Path Building Failed: Unable to Find Valid Certification Path to Requested Target

PKIX path building failed and unable to find valid certification path to requested target

  1. Go to the URL in your browser:
  • Firefox - click on the HTTPS certificate chain (the lock icon right next to the URL address). Click "more info" > "security" > "show certificate" > "details" > "export..". Pick the name and choose the file type, example.cer
  • Chrome - click on the site icon to the left of the address in the address bar, select "Certificate" -> "Details" -> "Export" and save in the format "Der-encoded binary, single certificate".

  2. Now you have a file with the keystore and you have to add it to your JVM. Determine the location of the cacerts file, e.g.
    C:\Program Files (x86)\Java\jre1.6.0_22\lib\security\cacerts.

  3. Next, import the example.cer file into cacerts on the command line (you may need an administrator command prompt):

keytool -import -alias example -keystore "C:\Program Files (x86)\Java\jre1.6.0_22\lib\security\cacerts" -file example.cer

You will be asked for a password; the default is changeit

Restart your JVM/PC.

source:
http://magicmonster.com/kb/prg/java/ssl/pkix_path_building_failed.html

CXF:PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The error was actually a CXF one and not a certificate one. Specifically, the Binding Provider actually ignores JAXWS properties and I had to pass the SSL context as shown below:

SSLContext sc = customSslContext; // placeholder variable: your custom SSL context
TLSClientParameters tlsParams = new TLSClientParameters();
tlsParams.setUseHttpsURLConnectionDefaultSslSocketFactory(false);
tlsParams.setSSLSocketFactory(sc.getSocketFactory());

How to ignore PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException?

If you want to ignore the certificate altogether then take a look at the answer here: Ignore self-signed ssl cert using Jersey Client

Although this will make your app vulnerable to man-in-the-middle attacks.

Or, try adding the cert to your java store as a trusted cert.
This site may be helpful.
http://blog.icodejava.com/tag/get-public-key-of-ssl-certificate-in-java/

Here's another thread showing how to add a cert to your store.
Java SSL connect, add server cert to keystore programmatically

The key is:

KeyStore.Entry newEntry = new KeyStore.TrustedCertificateEntry(someCert);
ks.setEntry("someAlias", newEntry, null);
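
An added example, not part of the original answers: it combines the TrustedCertificateEntry step above with the custom SSLContext the CXF answer passes to TLSClientParameters, checking the exported example.cer against a SHA-256 fingerprint obtained out of band and trusting it in an in-memory store rather than in cacerts. The class name, method names and the fingerprint argument are assumptions for illustration; it needs Java 7 or later.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class PinnedTrustStore { // hypothetical class name

    /** Builds an SSLContext that trusts only the certificate stored at certPath. */
    static SSLContext contextTrusting(String certPath, String expectedSha256Hex) throws Exception {
        X509Certificate cert;
        try (InputStream in = Files.newInputStream(Paths.get(certPath))) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }

        // Compare with a fingerprint obtained out of band before trusting the file.
        String actual = hex(MessageDigest.getInstance("SHA-256").digest(cert.getEncoded()));
        if (!actual.equalsIgnoreCase(expectedSha256Hex)) {
            throw new SecurityException("Fingerprint mismatch, got " + actual);
        }
        cert.checkValidity(); // rejects expired or not-yet-valid certificates

        // Empty in-memory store: the JVM-wide cacerts file is left untouched.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setEntry("example", new KeyStore.TrustedCertificateEntry(cert), null);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, tmf.getTrustManagers(), null); // no client key, default SecureRandom
        return sc;
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // args: path to example.cer, expected SHA-256 fingerprint (hex, no colons)
        SSLContext sc = contextTrusting(args[0], args[1]);
        System.out.println("SSLContext ready: " + sc.getProtocol());
    }
}
```

Certificate validation stays enabled with this context, and the trust decision is limited to the one client that uses it.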

Repeatedly getting PKIX path building failed and unable to find valid certification path to requested target

I am able to resolve this issue by replacing the cacert file. To be more precise, I have replaced the cacert of Eclipse Adoptium\jdk-17.0.1.12-hotspot with Eclipse Adoptium\jre-8.0.312.7-hotspot to fix it.

To my surprise, after replacing it with the new cacert file I did not have to use keytool to load the certificate manually. It's still a mystery why the old cacert file was causing trouble.

NOTE: Take a backup of the original cacert file before you replace it with the new one.

Try this solution if still not resolved.


