1

I want to connect to an HTTPS server which has a self-signed certificate, without modifying my client code.

I know this question has been asked many times, but I couldn't get it to work. Here's what I've done:

  1. Open the https server in Firefox

  2. Click on the url info, then more info, then view certificate, then details, then click on export.

  3. Choose the default export type setting (X.509 Certificate (PEM), saved as certificate.crt), and save it to disk.

  4. Open a command prompt, go to the java_home folder used by the client code, which in my case is c:\jdk-7u55-windows-x64\jre\bin

  5. Enter the following command:

    keytool -import -v -trustcacerts ^
        -alias server-alias -file C:\Downloads\certificate.crt ^
        -keystore cacerts.jks -keypass changeit ^
        -storepass changeit

I also tried:

    keytool -import -v -trustcacerts ^
        -alias server-alias2 -file C:\Downloads\certificate.crt ^
        -keystore keystore.jks

  6. Restart the client application

After all of this, I still get an SSLHandshakeException (unable to find valid certification path to requested target). Full exception in log:

    sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I don't know what I did wrong, what else to do or how to debug further.

PeteSpo
  • 11
  • 4
  • Can you verify the certificate has been imported properly to the trust store? Use the following command to list certificates in the trust store: `keytool -list -keystore cacerts.jks`. Also, please append the logs related to the failure. – dammina Nov 27 '16 at 10:42
  • @dammina yes, the list command shows server-alias as being imported today. And the logs just show that SSLHandshakeException. I have added the full exception – PeteSpo Nov 27 '16 at 11:06
  • http://stackoverflow.com/questions/9210514/unable-to-find-valid-certification-path-to-requested-target-error-even-after-c – dammina Nov 27 '16 at 12:41

1 Answer

0

Specifying the absolute path to the needed cacerts.jks should help. The current use of keytool just creates a new .jks in your current directory, which (I suppose) is c:\jdk-7u55-windows-x64\jre\bin. The default cacerts location is usually JAVA_HOME/jre/lib/security/cacerts. Alternatively, you can use `-Djavax.net.ssl.trustStore=<path to custom store> -Djavax.net.ssl.trustStorePassword=<custom store_passwd>` as starting arguments of your app. More info

IrLED
  • 438
  • 2
  • 5