
I don't think this is a duplicate of questions like this one because the certificates are recognized by Java.

For testing purposes, I have generated my own root CA and a certificate like this:

Own Root-CA -> Intermediate CA -> My Certificate

I created a keystore with it and I'm successfully using that keystore in my Java server to serve encrypted content (using Jetty in an Eclipse application). I can call my REST API using SSL with Firefox (after adding the Intermediate CA) just fine; everything works.

However, I can't call my REST API from another Java application (using javax.ws.rs) because the certificate chain seems to be wrong.

    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

If I inspect the exception details, I can see that the SunCertPathBuilderException contains my client certificate and the Intermediate CA certificate, but not the Root CA certificate (in the field adjList).

Why doesn't the application find the Root CA? I guess that is the problem here, but the Root CA is in the keystore, and I'm using the same keystore for the server, so I know it should be correct.

Asked by looper

1 Answer


Clients need to specify the trustStore, not the keyStore, e.g.:

    import java.nio.file.Path;

    Path trustStorePath = ...;  // the store holding the CA certificates this client should trust
    // Process-wide defaults read by the JSSE trust manager when no SSLContext is supplied explicitly
    System.setProperty("javax.net.ssl.trustStore", trustStorePath.toString());
    System.setProperty("javax.net.ssl.trustStorePassword", "<some password>");

You can use the following system property to get more information about your SSL configuration:

    System.setProperty("javax.net.debug", "ssl");

Answered by Puce
Thank you. In the end, this was not the real problem (Eclipse was ignoring the WildFly settings), but I feel that your answer is absolutely correct. (And in fact it helped me because I noticed that the debug output was missing.) – looper Mar 10 '16 at 08:24
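Added example, not code from the answer or from the asker's project: it loads a client trust store, lists the trust anchors the PKIX trust manager actually derives from it (the root CA must show up here for path building to succeed), and builds an SSLContext scoped to one client instead of setting the global javax.net.ssl.* properties. The store path and password are assumed to arrive as command-line arguments.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class ClientTrustCheck {
    // Loads the client's trust store (JKS or PKCS12) and initialises a TrustManagerFactory from it.
    static TrustManagerFactory trustManagersFor(Path trustStorePath, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(trustStorePath)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        return tmf;
    }

    // Subject names of the trust anchors the PKIX trust manager will accept. If the root CA's
    // subject is missing here, path building can never reach it, whatever else the store contains.
    static List<String> trustedSubjects(TrustManagerFactory tmf) {
        List<String> subjects = new ArrayList<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate anchor : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    subjects.add(anchor.getSubjectX500Principal().getName());
                }
            }
        }
        return subjects;
    }

    // SSLContext scoped to one client, so the trust store need not be set process-wide via system properties.
    static SSLContext sslContextFor(TrustManagerFactory tmf) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no key managers: the client does not authenticate itself
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        TrustManagerFactory tmf = trustManagersFor(Path.of(args[0]), args[1].toCharArray()); // assumed CLI args
        trustedSubjects(tmf).forEach(s -> System.out.println("trust anchor: " + s));
        SSLContext ctx = sslContextFor(tmf); // hand to ClientBuilder.newBuilder().sslContext(ctx) for JAX-RS
    }
}
```

With JAX-RS 2.x the returned context can be passed to `ClientBuilder.newBuilder().sslContext(ctx)`, which avoids relying on the process-wide properties that the Eclipse launch configuration was ignoring in the asker's case.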