0

I build a Java Application for testing data on a Local Server. The server is using https to communicate. It has a self signed certificate and i added it to cacerts so my application knows that it will be accepted.

It works on my PC and some others perfectly fine, but one user gets this error:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I searched for this issue on internet a lot, but could find only some things to import the certificate into keystore via keytool. What i did. The problem is, that i cant import the certificates to each java runtime who uses my tool.

The main question is, if I build an artifact and use it on another PC which keystore will be asked if certificate is valid. The one I build it with or the one which is installed on the system of user. If the later, how can I assure that the certificate will be accepted.

(I don't want to use trust all methods etc. Only the one I want to)

I use Apache CloseableHttpClient and JDK 8.

Alexander Dauer
  • 51
  • 6
  • You will have to distribute your own truststore (.jks) that includes your trusted certificate with the app. You can tell the HTTP Client then to use your own truststore. Look for the `Custom SSL Context` example on the [Documentation](https://hc.apache.org/httpcomponents-client-ga/examples.html) – Sebastian Feb 13 '19 at 12:38
  • So if the app is build it does not automatically trust the builder keystore? – Alexander Dauer Feb 13 '19 at 13:08
  • Java trusts only certificates in the jre's default truststore `cacerts`. You either import the certificate into this truststore on every machine you are running your app, or you provide your own truststore and tell java to use it. – Sebastian Feb 13 '19 at 13:22

1 Answers1

1

if I build an artifact and use it on another PC which keystore will be asked if certificate is valid. The one I build it with or the one which is installed on the system of user.

The one that is installed on the system of the user. There is nothing called builder keystore, when you build the app, the cacerts file in the JRE will not be bundled into your final app artifact, the app will trust by default all the certificates present in the cacerts file at runtime where the app is running, which could be the same machine where you built your app or a different machine.

how can I assure that the certificate will be accepted.

You can create your your own truststore and tell java to use your newly created truststore instead of the default one that is located at your_JRE_foler\lib\security\cacerts.

You can specify your own truststore through JVM system properties e.g. as follow:-Djavax.net.ssl.trustStore=/path/to/your/store/my-cacerts but be careful your application will no more trust all the default certificates since you are no more pointing to the default JRE cacerts file.

If you want to combine your own store and the default JRE cacerts store, then you need to provide a custom KeyManager implementation, check this answer: Using a custom truststore in java as well as the default one

mkhayata
  • 327
  • 1
  • 3
  • 11