Java – sun.security.validator.ValidatorException: PKIX path building failed

Tags: certificate, java, jks, ssl

I have created a CSR using this command:

openssl req -out certificatecsr.csr -new -newkey rsa:2048 -keyout certificatekey.key

After that, the CA shared a certificate (.cer) file with me.

Then I converted the .cer file to .p12 using the key.

Creating a .p12 using the .cer sent by the CA and the private key:

C:\Java\jdk1.6.0_38\jre\bin>openssl pkcs12 -export -in C:\Users\asharma1\cert.cer -inkey certificatekey.key -out certi.p12

Creating the JKS keystore:

keytool -genkey -alias quid -keystore quid.jks

Importing the .p12 into the JKS keystore:

C:\Java\jdk1.6.0_38\jre\bin>keytool -v -importkeystore -srckeystore C:\OpenSSL-Win64\bin\certi.p12 -srcstoretype PKCS12 -destkeystore quid.jks -deststoretype JKS

But when I refer to this JKS from my Java code, I get this error:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I have also added the .cer file to cacerts, but I still get the same error.

As far as the Java code is concerned, I am following this link to use my own keystore:

http://jcalcote.wordpress.com/2010/06/22/managing-a-dynamic-java-trust-store/

import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.URL;
import java.net.URLConnection;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;

// Builds a TLS context whose trust decisions come only from the keystore at tspath.
// ReloadableX509TrustManager is the class from the linked article (not shown here).
public SSLContext getSSLContext(String tspath) throws Exception {
    TrustManager[] trustManagers = new TrustManager[] {
        new ReloadableX509TrustManager(tspath)
    };
    SSLContext sslContext = SSLContext.getInstance("TLS");
    // No key managers (client does not authenticate itself), custom trust managers, default SecureRandom
    sslContext.init(null, trustManagers, null);
    return sslContext;
}

// Use the custom context for a single HTTPS request (pickupLocation is defined elsewhere)
SSLContext sslContext = getSSLContext("C:\\Java\\jdk1.6.0_38\\jre\\bin\\quid.jks");
SSLSocketFactory socketFactory = sslContext.getSocketFactory();
URL pickUrl = new URL(pickupLocation);
URLConnection urlConn = pickUrl.openConnection();
HttpsURLConnection httpsURLConn = (HttpsURLConnection) urlConn;
httpsURLConn.setSSLSocketFactory(socketFactory);
String encoding = urlConn.getContentEncoding();
// The TLS handshake (and the PKIX path building) happens here, on first use of the connection
InputStream is = urlConn.getInputStream();
InputStreamReader streamReader = new InputStreamReader(is, encoding != null ? encoding : "UTF-8");

Please note I am not using any server. I am trying to run the above code through a main method only.

Please let me know what needs to be done.
Why do I need to convert my .cer file to a .p12 file?

Best Answer

I would suggest you import the CA certificate (or the whole chain of CA and intermediate CAs) into the keystore.

I think that the p12 was imported fine. What I am suggesting is importing the chain into the keystore. At least that is what the error message is saying.

I presume that:

  • the root CA in the chain is not trusted, so chain building fails, or
  • there is no AIA section in the certificates in the chain, so no certificates up to the trusted root CA can be fetched and chain building fails, or
  • the certificates are not being fetched based on AIA because it is not implemented in Java (I am not a Java programmer), so chain building fails

You could use Portecle to import the missing trusted CA certificates (not the end-entity certificate that you have in the .p12 or in the separate .cer file that you received from the issuing CA). It is more user friendly than keytool. Just follow this guide.
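The point of the answer is that a PrivateKeyEntry imported from a .p12 is never used as a PKIX trust anchor; only trustedCertEntry entries are. The following program is an added example (not code from the question, the answer, or the linked article) that makes this visible: it lists what kind of entry each alias in a JKS is, builds an SSLContext from the store with the standard TrustManagerFactory instead of a custom trust manager, and runs the same PKIX validation the TLS handshake performs, offline, on a PEM chain file so the failing link is reported with an index instead of a bare "unable to find valid certification path". The file names quid.jks, changeit and server-chain.pem, the class name TrustStoreCheck, and the rootca alias in the keytool comment are assumptions for illustration. The code avoids Java 7 syntax so it compiles on the JDK 6 the question uses.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TrustStoreCheck {

    // Load a JKS truststore (path and password are hypothetical inputs).
    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    // Print each alias: only trustedCertEntry entries become PKIX trust anchors.
    // A key entry imported from a .p12 holds the end-entity cert plus private key,
    // i.e. what a server presents, not what a client needs in order to trust one.
    static void describe(KeyStore ks) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            boolean x509 = c instanceof X509Certificate;
            String subject = x509 ? ((X509Certificate) c).getSubjectX500Principal().getName() : "?";
            boolean isCa = x509 && ((X509Certificate) c).getBasicConstraints() != -1;
            String kind = ks.isCertificateEntry(alias) ? "trustedCertEntry (trust anchor)"
                                                       : "PrivateKeyEntry (NOT an anchor)";
            System.out.println(alias + ": " + kind + ", CA=" + isCa + ", " + subject);
        }
    }

    // Build the TLS context the standard way from the same store.
    static SSLContext sslContextFrom(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Run PKIX path validation offline on a PEM file holding the server chain
    // (leaf first), against the anchors in the store, and report where it breaks.
    static String validateChain(KeyStore ks, String pemChainPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<X509Certificate>();
        InputStream in = new FileInputStream(pemChainPath);
        try {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        } finally {
            in.close();
        }
        // The anchor is supplied through PKIXParameters, not as the last path element,
        // so drop a trailing self-signed root if the PEM file included one.
        X509Certificate last = chain.get(chain.size() - 1);
        if (chain.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            chain.remove(chain.size() - 1);
        }
        PKIXParameters params = new PKIXParameters(ks); // anchors = trustedCertEntry entries only
        params.setRevocationEnabled(false);             // offline diagnostic; keep revocation on in production
        CertPath path = cf.generateCertPath(chain);
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return "OK: chain ends at a trusted anchor in the store";
        } catch (CertPathValidatorException e) {
            return "FAIL at chain index " + e.getIndex() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical usage: java TrustStoreCheck quid.jks changeit server-chain.pem
        // If a CA is reported missing, add it as a trusted entry, e.g.:
        //   keytool -importcert -trustcacerts -alias rootca -file root.cer -keystore quid.jks
        KeyStore ks = loadJks(args[0], args[1].toCharArray());
        describe(ks);
        if (args.length > 2) System.out.println(validateChain(ks, args[2]));
        SSLContext ctx = sslContextFrom(ks);
        System.out.println("Built SSLContext for protocol " + ctx.getProtocol());
    }
}
```

A typical run on the store from the question prints the quid alias as a PrivateKeyEntry and no trustedCertEntry at all, and the validation then fails at the highest index of the chain with a message about the path not chaining to any trust anchor; once the issuing CA chain is imported as trusted entries, the same command reports OK.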
