
I have created a custom cacerts with a custom keystore and a custom CA. I am just getting the below exception message.

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:1.7.0_45]
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884) ~[?:1.7.0_45]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276) ~[?:1.7.0_45]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270) ~[?:1.7.0_45]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341) ~[?:1.7.0_45]
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153) ~[?:1.7.0_45]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868) ~[?:1.7.0_45]
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:804) ~[?:1.7.0_45]
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016) ~[?:1.7.0_45]
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312) ~[?:1.7.0_45]
    at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:702) ~[?:1.7.0_45]
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122) ~[?:1.7.0_45]
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82) ~[?:1.7.0_45]
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140) ~[?:1.7.0_45]
this_is_om_vm

1 Answer


The exception just states that one of the certs in your certificate chain on the server side (in the custom keystore) is incorrectly issued/signed OR is not part of your custom cacerts file placed on the client side. Since there are untrusted certs in the chain, the SSL handshake is failing due to the absence of a correct/good certification path. To understand the root cause of this issue, try extracting all intermediate, root and private-key certificates in PEM encoding format and run the command below.

Please note that the below is completely dependent on OpenSSL being installed on your server (run openssl version -a to reveal whether it's part of your server or not).

openssl verify -verbose -CAfile <(cat ServerCA1.pem ServerCA2.pem RootCA.pem) pvtkey_hostORdns_cert.pem

You should observe the error as output while executing the above command.

If your server side consists of multiple servers, then log into each host separately and run the above command. Refer to the sites below for a deeper understanding of how to verify certs using openssl.

Source: "Verify a certificate chain using openssl verify", or check out a very good blog post here: https://mail.python.org/pipermail/cryptography-dev/2016-August/000676.html

Note: If you have a Java keystore and don't have the original certificates that were provided by the CA and imported into the custom keystore, first convert the JKS to PKCS12 using keytool and then extract the private-key certificate.

keytool -importkeystore -srckeystore customKeystore.jks -destkeystore customKeystore_pkcs.p12 -srcstoretype JKS -deststoretype PKCS12

Provide the password at the prompt and avoid passing it on the command line.

Now use the below to extract the certificate:

openssl pkcs12 -in customKeystore_pkcs.p12 -nodes -out pvtkey_hostORdns_cert.pem

Use the same keytool utility to check out the newly generated PKCS12 keystore:

keytool -list -v -keystore customKeystore_pkcs.p12 -storetype pkcs12

You can also view this file by using:

openssl x509 -inform PEM -in pvtkey_hostORdns_cert.pem -noout -text

vistar81
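The diagnosis in the answer above, worked through end to end as an added example (not part of the original question or answer): the script below builds a throwaway Root CA, an intermediate CA and a server leaf certificate with OpenSSL, then runs openssl verify once with only the root in the CA bundle and once with the full chain. The first run fails with OpenSSL's "unable to get local issuer certificate", which is the same missing-intermediate situation that Java reports as "unable to find valid certification path to requested target"; the second run succeeds. It also repeats the PKCS#12 round trip from the answer purely in OpenSSL (openssl pkcs12 -export in place of the keytool step). All file names and subjects are constructed for the demo; the bundle is written to a file instead of using bash's <(...) so the script runs under POSIX sh.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a constructed
# Root CA -> Intermediate CA -> leaf chain and checks path building
# with `openssl verify`, with and without the intermediate in the bundle.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LEAF="$WORK/pvtkey_hostORdns_cert.pem"
CNF="$WORK/demo.cnf"

# Self-contained openssl config so the run does not depend on the system
# openssl.cnf. The [dn] CN is a placeholder; -subj overrides it per cert.
printf '%s\n' \
  '[req]' 'distinguished_name = dn' 'prompt = no' \
  '[dn]' 'CN = placeholder' \
  '[ca_ext]' 'basicConstraints = critical,CA:TRUE' 'keyUsage = critical,keyCertSign,cRLSign' \
  '[leaf_ext]' 'basicConstraints = CA:FALSE' 'subjectAltName = DNS:host.example.test' \
  > "$CNF"

# 1. Self-signed root CA (RootCA.pem, as in the answer).
openssl req -x509 -config "$CNF" -extensions ca_ext -subj "/CN=Demo Root CA" \
  -newkey rsa:2048 -nodes -days 2 \
  -keyout "$WORK/root.key" -out "$WORK/RootCA.pem" 2>/dev/null

# 2. Intermediate CA signed by the root (ServerCA1.pem).
openssl req -new -config "$CNF" -subj "/CN=Demo Intermediate CA" \
  -newkey rsa:2048 -nodes \
  -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
openssl x509 -req -days 2 -in "$WORK/inter.csr" \
  -CA "$WORK/RootCA.pem" -CAkey "$WORK/root.key" -CAcreateserial \
  -extfile "$CNF" -extensions ca_ext -out "$WORK/ServerCA1.pem" 2>/dev/null

# 3. Server (leaf) certificate signed by the intermediate.
openssl req -new -config "$CNF" -subj "/CN=host.example.test" \
  -newkey rsa:2048 -nodes \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -days 2 -in "$WORK/leaf.csr" \
  -CA "$WORK/ServerCA1.pem" -CAkey "$WORK/inter.key" -CAcreateserial \
  -extfile "$CNF" -extensions leaf_ext -out "$LEAF" 2>/dev/null

# Bundle file standing in for the answer's <(cat ServerCA1.pem ... RootCA.pem).
cat "$WORK/ServerCA1.pem" "$WORK/RootCA.pem" > "$WORK/full_chain.pem"

# verify_status BUNDLE -> prints "ok" if the leaf chains to BUNDLE, else "fail".
verify_status() {
  if openssl verify -CAfile "$1" "$LEAF" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# PKCS#12 round trip: pack key + leaf + intermediate, unpack with -nodes
# (the answer's extraction step), and report how many certs came back out.
pkcs12_cert_count() {
  openssl pkcs12 -export -passout pass:demo \
    -inkey "$WORK/leaf.key" -in "$LEAF" -certfile "$WORK/ServerCA1.pem" \
    -out "$WORK/customKeystore_pkcs.p12" 2>/dev/null
  openssl pkcs12 -in "$WORK/customKeystore_pkcs.p12" -passin pass:demo -nodes \
    -out "$WORK/extracted.pem" 2>/dev/null
  grep -c 'BEGIN CERTIFICATE' "$WORK/extracted.pem"
}

echo "root only:        $(verify_status "$WORK/RootCA.pem")"     # fail (intermediate missing)
echo "full chain:       $(verify_status "$WORK/full_chain.pem")" # ok
echo "certs in PKCS#12: $(pkcs12_cert_count)"                    # 2
```

The "root only" run is the shape of the original problem: the client trust store holds a root, but nothing on the path from the server's leaf back to that root is available, so path building stops at depth 0. Adding the intermediate to the bundle (or having the server send it in its chain) is what turns the result into "ok".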