imported a certificate.pfx into cacerts and still getting "PKIX...unable to find valid certification path to requested target" error. What do?
I wrote a web service client and now fail to get it to run over HTTPS, although I imported the cert.pfx (alias=cert) into Java's cacerts and successfully added an entry with the cert's alias.

Still I can't use the wsimport prompt on the WSDL URL. It says: "PKIX path building failed: unable to find valid certification path to requested target". Well okay. So I researched a bit and tried setting it with

    setlocal
    set _JAVA_OPTIONS=%_JAVA_OPTIONS% -Djavax.net.ssl.trustStore="C:\Program Files\Java\jdk1.7.0_79\jre\lib\security\cacerts" -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.keyStoreType=PKCS12 -Djavax.net.ssl.keyStorePassword=xxxxxxxxx -Djavax.net.ssl.keyStore="d:\cert.pfx"
    "C:\Program Files\Java\jdk1.7.0_79\bin\wsimport" -s C:\Users\me\keystore\bin\s -keep https://service.xxxxxxxxxxx.de/xxxxxxxxxxxxTest?wsdl
    endlocal

without success.

I also tried exporting the certificate out of the cert.pfx file and then importing the certificate into cacerts via keytool -exportcert and keytool -importcert. Later I tried exporting the certificates from my browser (because my browser handles the certificates just fine and can access the HTTPS URL). I exported the root certificate into a root.cer file and imported this .cer into my cacerts (I had to use a different alias than cert. With cert as alias I got a "Keys not matching" message in the console when using the keytool prompt).

A dump of cacerts shows that there is indeed an entry in cacerts. I don't get why Java refuses to do a wsimport on the URL.

In the end I just downloaded the URL destination onto my machine and did the wsimport on the downloaded .xml file and later changed the URL parameters in the generated stubs. Doesn't help though, because when I run the application I'm running into the "PKIX...unable to find valid certification path to requested target" error.

Assert answered 9/7, 2015 at 14:25 Comment(4)
Is it a web service which requires client authentication? What is the keystore you are using with the -Djavax.net.ssl.keyStore option? Also, did you try to get the server's certificate chain with the OpenSSL command line tool? – Mazel
I will try out the OpenSSL suggestion. Also, what is the keystore I should be using with -Djavax.net.ssl.keyStore? I used the cert.pfx file. I also tried to leave it out and only use the truststore, -Djavax.net.ssl.trustStore=path to my cacerts. Isn't it redundant though? Aren't I supposed to use the environment variables when I want Java to explicitly load something else than its cacerts? – Assert
I got something to run. I exported the root certificate out of the Chrome browser (right-click into the browser and click "show site information" -> connections -> show certificates -> right tab (pick root certificate) -> middle tab -> copy into file -> create .cer file), then I imported it into cacerts. Afterwards I was able to do a wsimport on the WSDL URL and also run my client against the server (though I got HTTP timeout errors). – Assert
Great! The keystore is used for the caller (the client in your case) to send a certificate to identify itself. If the server does not need SSL client authentication, the client does not have to use the keystore. The truststore is used by the caller (the client in your case) to trust the called entity (the server in your case). For a simple SSL connection, without client authentication, only the truststore should be used on the client side. The cacerts is used by the JVM at launch time if the "-Djavax.net.ssl.trustStore" option is not specified. So pointing it at your cacerts is redundant. – Mazel

You also need to import the *.der certificate into your keystore before trying to modify the JVM options.

Here's an overall summary of how to import certificates to fix the following error:

Error while trying to execute request. javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

How to import certificates

  1. Go to URL in your browser, click on HTTPS certificate chain (little lock symbol next to URL address) to export the certificate
    • Click "more info" > "security" > "show certificate" > "details" > "export...".
    • Save as .der
    • Repeat for any certificates you need to import
  2. Locate $JAVA_HOME/jre/lib/security/cacerts
  3. Import all *.der files into the cacerts file using the following:

    sudo keytool -import -alias mysitestaging -keystore $JAVA_HOME/jre/lib/security/cacerts -file staging.der
    sudo keytool -import -alias mysiteprod -keystore $JAVA_HOME/jre/lib/security/cacerts -file prod.der
    sudo keytool -import -alias mysitedev -keystore $JAVA_HOME/jre/lib/security/cacerts -file dev.der
    
  4. The default keystore password is 'changeit'

  5. You can view the change that you made with this command, which shows the certificate fingerprint.

    keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts
    
  6. If this doesn't solve the problem, try adding these Java options as arguments:

    -Djavax.net.ssl.trustStore="$JAVA_HOME/jre/lib/security/cacerts"
    -Djavax.net.ssl.trustStorePassword="changeit"
    
Polytrophic answered 18/10, 2016 at 19:46 Comment(0)
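As an added example (not part of the question, the comments, or the answer above), here is a small Java program that does offline what the JVM does during the handshake: it loads a truststore, runs the PKIX path validator over the server's chain, and on failure prints which CA subject the truststore is missing. It illustrates Mazel's point that only the truststore matters for trusting the server, and the answer's point that the imported certificate has to be the one the chain actually leads to. The class name TrustCheck, the argument order, and the chain file are my assumptions; the chain file is expected to hold the PEM CERTIFICATE blocks as sent by the server, leaf first (for example the blocks cut out of `openssl s_client -showcerts` output).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/**
 * TrustCheck (hypothetical helper, not from the question or answer):
 * validate a server certificate chain against a Java truststore the way
 * the JVM's PKIX validator does before accepting a TLS handshake.
 *
 * Usage: java TrustCheck <truststore> <password> <chain.pem>
 *
 * Only the truststore is involved. The javax.net.ssl.keyStore* properties
 * from the question select the client's own certificate for client
 * authentication and play no part in deciding whether the server is trusted.
 */
public class TrustCheck {

    /** Read every PEM CERTIFICATE block in the file, in file order (leaf first). */
    static List<X509Certificate> readChain(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(pemPath)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    /** Load a JKS or PKCS12 truststore; the stock cacerts password is "changeit". */
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Validate the chain and return the trust anchor it ends at, or throw the
     * same CertPathValidatorException the JVM wraps in its SSLHandshakeException.
     */
    static TrustAnchor validate(List<X509Certificate> chain, KeyStore trustStore) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(chain);
        // Every trustedCertEntry in the keystore becomes a trust anchor; a keystore
        // with no such entries is rejected here with InvalidAlgorithmParameterException.
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false); // offline check; revocation is a separate concern
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXCertPathValidatorResult result =
                (PKIXCertPathValidatorResult) validator.validate(path, params);
        return result.getTrustAnchor();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java TrustCheck <truststore> <password> <chain.pem>");
            System.exit(2);
        }
        KeyStore trustStore = loadTrustStore(args[0], args[1].toCharArray());
        List<X509Certificate> chain = readChain(args[2]);

        System.out.println("Chain as presented by the server (leaf first):");
        for (X509Certificate c : chain) {
            System.out.println("  subject = " + c.getSubjectX500Principal());
            System.out.println("  issuer  = " + c.getIssuerX500Principal());
        }
        // The path builder looks for a trusted certificate whose subject matches the
        // issuer of the last certificate in the chain; that is the one to import.
        X509Certificate top = chain.get(chain.size() - 1);
        System.out.println("Anchor needed with subject: " + top.getIssuerX500Principal());

        try {
            TrustAnchor anchor = validate(chain, trustStore);
            System.out.println("OK: chain validates, anchored at "
                    + anchor.getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            System.out.println("FAIL: " + e.getReason() + " - " + e.getMessage());
            System.out.println("Import the CA certificate with the subject above into the truststore and re-run.");
            System.exit(1);
        }
    }
}
```

Run it first against a copy of cacerts and then against the truststore you intend to pass with -Djavax.net.ssl.trustStore; if the copy validates and the JVM still fails, the running JVM is reading a different truststore file (for example a different JDK's cacerts) than the one you edited.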
