InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

4
votes

I am getting this weird error from my java code:

java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

The command I used to generate the keystore: keytool -genkey -alias tomcat -keystore keystore.jks

Here is my java code:

import java.security.cert.PKIXParameters;
import java.security.KeyStore;
import java.io.FileInputStream;

public class MyKeyTest {
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        String password = "mypass";
        ks.load(new FileInputStream("keystore.jks"), password.toCharArray());
        new PKIXParameters(ks);
    }
}

I tried to google around for this error but mostly it says this happens when keystore was not found or is not permissive to be read.

But neither of these two cases is true in my case. Any ideas?

1
javakeytoolpki
If you 'generated' the keystore by that one command, only, you have one privatekey entry and no trustedcert entries. docs.oracle.com/javase/7/docs/api/java/security/cert/… says it throws InvalidAlgorithmParameterException - if the keystore does not contain at least one trusted certificate entry . - dave_thompson_085
How do I add trustedcert entries using keytool? - bohanl
See docs.oracle.com/javase/7/docs/technotes/tools/windows/… specifically -importcert for a cert from a file (to a unique -alias NOT the/a privatekey entry) or -importkeystore from another JKS already containing a trustedcert entry (or several). In particular every Suncle JRE (or JDK) install comes with a default truststore in JRE/lib/security/cacerts with several dozen established CA roots. - dave_thompson_085

1 Answers

1
votes

Some brief and simplified background just case it's not clear. The PKIXParameters object is used for client certificate validation. This is a way for you to allow or disallow access to your web resources. The way this typically works is that

  • you have a list of certificate authority (CA) certificates you trust (this is your trust store).
  • your application asks the client to provide a digital certificate (the client certificate)
  • the client cert will include the CA certificate which signed the client cert. If the CA certificate is on your list, the client passes the validation.

The keystore.jks file is your trust store. Your trust store does not currently contain any certificates(just a useless private key). To add a ca certificate you would use this command

keytool -import -alias <an alias for the CA cert> -file <the trusted CA cert> -keystore <your keystore>

As an example, export a CA certificate from your browser to a file and then import it into your trust store

  • Go to your control panel/internet options/Content tab and click on certificates.
  • select the "Trusted Root Certificate Authorities" tab and select a certificate (for example the "Microsoft Root Certificate Authority")
  • click export and save it to file (for this example I used "msroot.cer").

  • at your command prompt run the following command

    keytool -import -alias msroot -file msroot.cer -keystore keystore.jks

Now when your run your java code using this updated keystore.jks, it should run just fine.