1
votes

I have created a CSR request using this command:

openssl req -out certificatecsr.csr -new -newkey rsa:2048 -keyout certificatekey.key

After that, the CA shared a certificate (.cer) file with me.

After that I converted the .cer file to .p12 using the key.

Creating a .p12 certificate using the .cer sent by the CA and the private key:

C:\Java\jdk1.6.0_38\jre\bin>openssl pkcs12 -export -in C:\Users\asharma1\cert.cer -inkey certificatekey.key -out certi.p12

Creating JKS keystore :

keytool -genkey -alias quid -keystore quid.jks

Importing the .p12 certificate into the JKS keystore:

C:\Java\jdk1.6.0_38\jre\bin>keytool -v -importkeystore -srckeystore C:\OpenSSL-Win64\bin\certi.p12 -srcstoretype PKCS12 -destkeystore quid.jks -deststoretype JKS

But when I refer to this JKS from my Java code I get this error:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I have also added the .cer file to cacerts, but I am still getting the same error.

As far as the Java code is concerned, I am following this link to use my own created keystore:

http://jcalcote.wordpress.com/2010/06/22/managing-a-dynamic-java-trust-store/

    import java.io.InputStream;
    import java.io.InputStreamReader;
    import java.net.URL;
    import java.net.URLConnection;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocketFactory;
    import javax.net.ssl.TrustManager;

    // Builds an SSLContext whose only trust manager is the linked blog post's
    // ReloadableX509TrustManager, which reads the trust store found at tspath.
    public SSLContext getSSLContext(String tspath) throws Exception {
        TrustManager[] trustManagers = new TrustManager[] {
            new ReloadableX509TrustManager(tspath)
        };
        SSLContext sslContext = SSLContext.getInstance("TLS");
        // No key managers (no client certificate), the custom trust managers, default RNG.
        sslContext.init(null, trustManagers, null);
        return sslContext;
    }

    SSLContext sslContext = getSSLContext("C:\\Java\\jdk1.6.0_38\\jre\\bin\\quid.jks");
    SSLSocketFactory socketFactory = sslContext.getSocketFactory();
    URL pickUrl = new URL(pickupLocation);
    URLConnection urlConn = pickUrl.openConnection();
    HttpsURLConnection httpsURLConn = (HttpsURLConnection) urlConn;
    // This connection validates the server chain against quid.jks only;
    // the JRE's default trust store (cacerts) is not consulted for it.
    httpsURLConn.setSSLSocketFactory(socketFactory);
    // The connection and TLS handshake happen on first header/body access,
    // so the PKIX exception surfaces from these calls.
    String encoding = urlConn.getContentEncoding();
    InputStream is = urlConn.getInputStream();
    InputStreamReader streamReader = new InputStreamReader(is, encoding != null ? encoding : "UTF-8");

Please note I am not using any server. I am trying to run the above code through a main method only.

Please let me know what needs to be done. Why do I need to convert my .cer file to a .p12 file?

2
This doesn't make any sense. You have to generate the private key first. Then the CSR. Then get it signed. Then recombine it with the private key. – user207421
@EJP The command openssl req -out certificatecsr.csr -new -newkey rsa:2048 -keyout certificatekey.key creates a new certificate request and a new private key, based on the documentation here. – pepo
So why exactly are you using 'keytool -genkey'? – user207421
@EJP That's exactly what is happening. First generating the private key and CSR, then getting it signed by the CA, and after that combining it with the private key to form a .p12 keystore. After that converting it to a JKS store. – Anil Sharma
No. 'keytool -genkey' creates a new key. See the documentation. Your command sequence doesn't make sense. – user207421

2 Answers

2
votes

I would suggest you import the CA certificate (or the whole chain of the CA and intermediate CAs) into the keystore.

I think the p12 was imported fine. What I am suggesting is importing the chain into the keystore. At least that is what the error message is saying.

I presume that:

  • the root CA in the chain is not trusted so chain building fails or
  • there is no AIA section in certificates in the chain so no certificates up to trusted root CA can be fetched so chain building fails or
  • the certificates are not being fetched based on AIA because it is not implemented in Java (I am not a Java programmer) so chain building fails

You could use portecle to import the missing trusted CA certificates (not the end entity certificate that you have in the .p12 or in the separate .cer file that you received from the issuing CA). It is more user friendly than keytool. Just follow this guide.

1
votes

I would suggest you use the *.der format instead of the .p12 format.

Here's an overall summary of how to import certificates to fix the following error:

Error while trying to execute request. javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

How to import certificates

  1. Go to URL in your browser, click on HTTPS certificate chain (little lock symbol next to URL address) to export the certificate
    • Click "more info" > "security" > "show certificate" > "details" > "export..".
    • Save as .der
    • Repeat for any certificates you need to import
  2. Locate $JAVA_HOME/jre/lib/security/cacerts
  3. Import all *.der files into the cacerts file using the following:

    sudo keytool -import -alias mysitestaging -keystore $JAVA_HOME/jre/lib/security/cacerts -file staging.der
    sudo keytool -import -alias mysiteprod -keystore  $JAVA_HOME/jre/lib/security/cacerts -file prod.der
    sudo keytool -import -alias mysitedev -keystore  $JAVA_HOME/jre/lib/security/cacerts -file dev.der
    
  4. The default keystore password is 'changeit'

  5. You can view the change that you made with this command that shows the Certificate fingerprint.

    keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts
    
  6. If this doesn't solve the problem, try adding these Java options as arguments:

    -Djavax.net.ssl.trustStore="$JAVA_HOME/jre/lib/security/cacerts"
    -Djavax.net.ssl.trustStorePassword="changeit"
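Both answers come down to the same point: the keystore used as a trust store must contain the CA chain (root and intermediates), not the end-entity certificate the CA returned. The script below is an added example and not code from the question or either answer. It builds a throw-away hierarchy (root CA, issuing CA, server leaf; every name and subject is constructed for the demo), reproduces the "unable to find valid certification path" condition with openssl verify using the same path-building rules Java's PKIX validator applies, and shows that the path only builds once the root CA is trusted. The JKS import at the end, which is what the answers recommend, runs only if keytool is on PATH; its aliases and password are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Throw-away CA hierarchy; all
# names are constructed for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config so the demo does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name=dn\n[dn]\ncommonName=Common Name\n' > "$WORK/req.cnf"

# new_csr <name> <subject>: fresh RSA key plus CSR, like the question's first step.
new_csr() {
  openssl req -config "$WORK/req.cnf" -new -newkey rsa:2048 -nodes \
    -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# sign_csr <name> <issuer-name|self> <extfile>: issue a certificate for the CSR.
sign_csr() {
  if [ "$2" = self ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 \
      -extfile "$3" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
      -CAcreateserial -days 30 -extfile "$3" -out "$WORK/$1.pem" 2>/dev/null
  fi
}

# root CA -> issuing CA -> server leaf, the shape a commercial CA hands you.
build_hierarchy() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:server.example.test\n' > "$WORK/leaf.ext"
  new_csr root  "/CN=Demo Root CA";        sign_csr root  self  "$WORK/ca.ext"
  new_csr inter "/CN=Demo Issuing CA";     sign_csr inter root  "$WORK/ca.ext"
  # leaf.pem plays the role of the cert.cer the CA returned in the question.
  new_csr leaf  "/CN=server.example.test"; sign_csr leaf  inter "$WORK/leaf.ext"
}

# verify_leaf <trusted.pem> <untrusted.pem>: path building for leaf.pem from
# the given trust store plus untrusted certs (what a server would send).
# Prints ok or fail instead of aborting so callers can branch on it.
verify_leaf() {
  if openssl verify -no-CAfile -no-CApath -CAfile "$1" -untrusted "$2" \
       "$WORK/leaf.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# import_chain_jks <store.jks>: the answers' fix, CA certs as trustedCertEntry
# (alias names and password assumed). Prints the number of entries listed,
# or 0 when keytool is not installed.
import_chain_jks() {
  command -v keytool >/dev/null 2>&1 || { echo 0; return; }
  rm -f "$1"
  for ca in root inter; do
    keytool -importcert -noprompt -alias "demo-$ca" -file "$WORK/$ca.pem" \
      -keystore "$1" -storepass changeit >/dev/null 2>&1
  done
  keytool -list -keystore "$1" -storepass changeit 2>/dev/null | grep -c trustedCertEntry
}

build_hierarchy
echo "trust store = leaf only (the question's quid.jks):     $(verify_leaf "$WORK/leaf.pem"  "$WORK/leaf.pem")"
echo "trust store = issuing CA only, root missing (no AIA):  $(verify_leaf "$WORK/inter.pem" "$WORK/leaf.pem")"
echo "trust store = root CA, issuing CA supplied by server:  $(verify_leaf "$WORK/root.pem"  "$WORK/inter.pem")"
echo "JKS trustedCertEntry count after import: $(import_chain_jks "$WORK/truststore.jks")"
```

The first case is the question's setup: the trust store holds only the end-entity certificate, so there is no trust anchor to build a path to, and openssl fails the same way Java's SunCertPathBuilder does. The third case is the fix from the answers; once root.pem and inter.pem are imported into a keystore, pointing Java at it (the trust manager in the question, or -Djavax.net.ssl.trustStore as in the second answer) validates the same way.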