SunCertPathBuilderException: unable to find valid certification path to requested target

1. Problem

I set up a localhost Tomcat to support SSL and deployed this web service for testing. Connecting to the deployed web service over SSL via the URL https://localhost:8443/HelloWorld/hello?wsdl fails with the following exception:

javax.net.ssl.SSLHandshakeException: 
   sun.security.validator.ValidatorException: PKIX path building failed: 
   sun.security.provider.certpath.SunCertPathBuilderException: 
   unable to find valid certification path to requested target
       
Caused by: sun.security.validator.ValidatorException: 
   PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: 
   unable to find valid certification path to requested target
       
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: 
   unable to find valid certification path to requested target

2. Solution

The cause of the problem and the solution are both well explained in this article.

No more Sun; it's on GitHub now: https://github.com/escline/InstallCert

P.S. Credit to users Charles and Lúthien.

2.1 Get InstallCert.java

2.2 Add Trusted Keystore
Run InstallCert.java with your hostname and HTTPS port, and press 1 when asked for input. It adds the certificate presented by localhost to a trusted keystore and generates a file named jssecacerts.

C:\>java InstallCert localhost:8443
Loading KeyStore C:\Program Files\Java\jre6\lib\security\cacerts...
Opening connection to localhost:8443...
Starting SSL handshake...

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at InstallCert.main(InstallCert.java:87)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
        at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
        at sun.security.validator.Validator.validate(Unknown Source)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
        at InstallCert$SavingTrustManager.checkServerTrusted(InstallCert.java:182)
        ... 9 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
        at java.security.cert.CertPathBuilder.build(Unknown Source)
        ... 15 more

Server sent 1 certificate(s):

 1 Subject CN=yong mook kim, OU=mkyong, O=mkyong, L=puchong, ST=PJ, C=my
   Issuer  CN=yong mook kim, OU=mkyong, O=mkyong, L=puchong, ST=PJ, C=my
   sha1    32 3e 15 42 96 ba e9 4d 9c 5d e7 5e 6b 0f 30 23 b4 e3 f4 98
   md5     c8 dd a1 af 9f 55 a0 7f 6e 98 10 de 8c 63 1b a5

Enter certificate to add to trusted keystore or 'q' to quit: [1]
1

[
[
  Version: V3
  Subject: CN=yong mook kim, OU=mkyong, O=mkyong, L=puchong, ST=PJ, C=my
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus: 1129473579651954554552730664834664064459539051598864058082387115962631728819634110255367718769683451438528187
923246533854744470790959477657386037636238098777089479256059697784394926741427654735994678054030193662669088404706890444
59364523220747231216704221781747262219695262340353839314222273672957748320603247
  public exponent: 65537
  Validity: [From: Tue Dec 14 15:13:51 SGT 2010,
               To: Mon Mar 14 15:13:51 SGT 2011]
  Issuer: CN=yong mook kim, OU=mkyong, O=mkyong, L=puchong, ST=PJ, C=my
  SerialNumber: [    4d07192f]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 38 E4 F4 D9 51 B1 5F C1   01 13 32 79 DE 97 26 58  8...Q._...2y..&X
0010: 13 08 F1 A0 33 DB B9 90   AF EE 9E AE B9 9B 68 7D  ....3.........h.
0020: DF E8 7D 79 9D 92 24 4A   76 C9 4C 28 DA 68 B0 62  ...y..$Jv.L(.h.b
0030: FF AB 27 03 5C DD 1F C8   77 A2 25 18 DF 0C DC FD  ..'.\...w.%.....
0040: D3 39 5D 18 B4 BA 4B 36   8C FD C5 80 FF F2 E3 4D  .9]...K6.......M
0050: 0A 28 57 B9 04 D8 25 F6   FB CA DA 13 0C 36 FB 02  .(W...%......6..
0060: 9A B3 B1 28 46 D1 8E C7   D9 1A 5B CE BB A6 6F FD  ...(F.....[...o.
0070: 6D F2 35 D9 95 43 6E 38   2A 56 E7 31 21 D9 F0 90  m.5..Cn8*V.1!...

]

Added certificate to keystore 'jssecacerts' using alias 'localhost-1'

2.3 Verify Trusted Keystore
Run the InstallCert command again; the connection should succeed now.


C:\>java InstallCert localhost:8443
Loading KeyStore jssecacerts...
Opening connection to localhost:8443...
Starting SSL handshake...

No errors, certificate is already trusted

Server sent 1 certificate(s):

 1 Subject CN=yong mook kim, OU=mkyong, O=mkyong, L=puchong, ST=PJ, C=my
   Issuer  CN=yong mook kim, OU=mkyong, O=mkyong, L=puchong, ST=PJ, C=my
   sha1    32 3e 15 42 96 ba e9 4d 9c 5d e7 5e 6b 0f 30 23 b4 e3 f4 98
   md5     c8 dd a1 af 9f 55 a0 7f 6e 98 10 de 8c 63 1b a5

Enter certificate to add to trusted keystore or 'q' to quit: [1]
q
KeyStore not changed

C:\>

2.4 Copy jssecacerts
Copy the generated jssecacerts file to your $JAVA_HOME\jre\lib\security folder.

Run your web service client again; it should work now.
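
A jssecacerts file in that folder is used by the JVM in place of cacerts, so it is worth checking what it adds before copying it. The following is an added example, not part of the original article or of InstallCert: the class name TrustStoreDiff is hypothetical, and the store password changeit (the JDK default, which InstallCert also uses unless given another) is an assumption. It lists every certificate in jssecacerts that is absent from the stock cacerts, with its SHA-256 fingerprint and remaining validity.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

// Hypothetical helper: reports what a candidate trust store adds over the stock cacerts.
public class TrustStoreDiff {
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Hex SHA-256 of the DER encoding, to compare with a value obtained from the server's owner.
    static String sha256(Certificate cert) throws Exception {
        StringBuilder hex = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded()))
            hex.append(String.format("%02x", b));
        return hex.toString();
    }

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray(); // assumption: default store password
        String candidate = args.length > 0 ? args[0] : "jssecacerts";
        String baseline = args.length > 1 ? args[1]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        KeyStore stock = load(baseline, password);
        Set<String> known = new HashSet<>();
        for (String alias : Collections.list(stock.aliases()))
            known.add(sha256(stock.getCertificate(alias)));
        KeyStore added = load(candidate, password);
        for (String alias : Collections.list(added.aliases())) {
            Certificate cert = added.getCertificate(alias);
            if (!(cert instanceof X509Certificate) || known.contains(sha256(cert))) continue;
            X509Certificate x = (X509Certificate) cert;
            long daysLeft = (x.getNotAfter().getTime() - System.currentTimeMillis()) / 86_400_000L;
            System.out.printf("ADDED %s%n  subject  %s%n  issuer   %s%n  sha256   %s%n"
                    + "  self-issued=%b  daysLeft=%d%n", alias, x.getSubjectX500Principal(),
                    x.getIssuerX500Principal(), sha256(x),
                    x.getSubjectX500Principal().equals(x.getIssuerX500Principal()), daysLeft);
        }
    }
}
```

Run it as java TrustStoreDiff jssecacerts from the folder where InstallCert wrote the file; for the store built in step 2.2 the only entry reported should be the alias localhost-1.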

About Author

Founder of Mkyong.com, love Java and open source stuff.

Comments

CodeJunkie
6 years ago

The above steps return me an error once I executed InstallCert as

Loading KeyStore /Library/Java/JavaVirtualMachines/jdk1.8.0_60.jdk/Contents/Home/jre/lib/security/cacerts...
Opening connection to localhost:8443...
Exception in thread "main" java.net.ConnectException: Connection refused
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
at sun.security.ssl.SSLSocketImpl.<init>(SSLSocketImpl.java:427)
at sun.security.ssl.SSLSocketFactoryImpl.createSocket(SSLSocketFactoryImpl.java:88)
at programs.General.InstallCert.main(InstallCert.java:87)

bala vijay
3 years ago
Reply to  CodeJunkie

Can anyone please share a solution to the above? I am also experiencing the same issue.

vignesh kumar
8 years ago

G:>java InstallCert localhost:7070

Hi guys, I am getting this error. Please help me.

Loading KeyStore G:JDK7.0jrelibsecuritycacerts…
Opening connection to localhost:7070…
Starting SSL handshake…
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at sun.security.ssl.InputRecord.handleUnknownRecord(InputRecord.java
)
at sun.security.ssl.InputRecord.read(InputRecord.java:504)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:927)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketI
java:1312)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:
)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:
)
at InstallCert.main(InstallCert.java:57)
Could not obtain server certificate chain

G:>

Charles
6 years ago

https://github.com/escline/InstallCert

I have used this generator and it works fine!

Mohamed
10 years ago

I have added the certificates to jssecacerts and checked jssecacerts, and my certificates are listed, but I still get the same error.

mani
6 years ago
Reply to  Mohamed

Is there any way to generate the certificate?

Dhruv Sahu
2 years ago

There is a problem which I am facing while implementing this:

PS C:\certificates> java InstallCert localhost:8080
Error: Could not find or load main class InstallCert

PS C:\certificates> java InstallCert.java localhost:8080
Error: Could not find or load main class InstallCert.java

Dhruv Sahu
2 years ago
Reply to  Dhruv Sahu

I am using Windows.

Lúthien
6 years ago

Brilliant! This issue fazed me for some time, but I got it fixed via this article. Just update the link to the utility; it’s on GitHub now: https://github.com/escline/InstallCert/issues

Animesh Srivastava
4 years ago

Please update the blog

Tarek
1 year ago

Not sure if I understand everything mentioned in this article, but it worked for me. I was improving existing code to call a REST service to get a token, but could not test it on my local environment. After following the steps, it just worked. However, why was it working when pointing to JDK 18? I got the errors shown in the article above only when pointing to JDK 1.8. Can anyone explain why?

amit
1 year ago

great work

Vinay Martala
2 years ago

Certificate for <veishydcnt00718> doesn’t match any of the subject alternative names: []

I am facing the above error after the above steps.

Alejandro Tejada
3 years ago

Thank you very much! I really don’t have experience configuring an HTTP server. So do you know where I can get more info about HTTPS and SSL within an IIS server?

Phani G
3 years ago

Thanks a lot man

Ffatheranderson
4 years ago

Thank you very much… I wasted one hour of my time googling and trying different non-working solutions… This is the only one that helped.
Thank you Mkyong. I have been occasionally reading your blog for 5 years and your posts are really helpful most of the time; you compete with Baeldung 🙂

vishal
4 years ago

java InstallCert localhost : 8084

Loading KeyStore C:\Program Files\Java\jre1.8.0_192\lib\security\cacerts…
Opening connection to localhost:8084

Exception in thread “main” java.net.ConnectException: Connection refused: connect
at java.net.DualStackPlainSocketImpl.connect0(Native Method)
at java.net.DualStackPlainSocketImpl.socketConnect(Unknown Source)
at java.net.AbstractPlainSocketImpl.doConnect(Unknown Source)
at java.net.AbstractPlainSocketImpl.connectToAddress(Unknown Source)
at java.net.AbstractPlainSocketImpl.connect(Unknown Source)
at java.net.PlainSocketImpl.connect(Unknown Source)
at java.net.SocksSocketImpl.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at sun.security.ssl.SSLSocketImpl.connect(Unknown Source)
at sun.security.ssl.SSLSocketImpl.<init>(Unknown Source)
at sun.security.ssl.SSLSocketFactoryImpl.createSocket(Unknown Source)
at InstallCert.main(InstallCert.java:94)
Could you please help me with this?

Yamuna
4 years ago

D:\>java InstallCert 165.225.104.32:10223
Loading KeyStore C:\Program Files\Java\jre1.8.0_181\lib\security\cacerts…
Opening connection to 165.225.104.32:10223…
Starting SSL handshake…
Exception in thread “main” java.net.SocketTimeoutException: Read timed out
at java.net.SocketInputStream.socketRead0(Native Method)
at java.net.SocketInputStream.socketRead(Unknown Source)
at java.net.SocketInputStream.read(Unknown Source)
at java.net.SocketInputStream.read(Unknown Source)
at sun.security.ssl.InputRecord.readFully(Unknown Source)
at sun.security.ssl.InputRecord.read(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at InstallCert.main(InstallCert.java:98)

Can you please resolve this issue?

Muhammad Nasir
4 years ago

Thanks guru… love your solution. It saved my life.

Neha Naaz
4 years ago

Hi mkyong, I have read the above article and it has solved the problem at my workplace. Thank you!
But I have just followed the steps. I did not understand the cause of this issue. Could you please help me understand it in a detailed way?

sunny
5 years ago

We are using a QuoVadis certificate on the server and its validity is only one year, i.e. it is always renewed every year.
We are creating a certificate on the client side by using InstallCert, but this client-side certificate is also valid for one year. How can we create a client-side certificate that is not dependent upon duration?

Juhi Udhale
5 years ago

Hello, I am facing an issue

C:\>java InstallCert localhost:8082
Loading KeyStore C:\Program Files (x86)\Java\jre1.8.0_151\lib\security\cacerts...
Opening connection to localhost:8082…
Starting SSL handshake…
Exception in thread “main” java.net.SocketTimeoutException: Read timed out
at java.net.SocketInputStream.socketRead0(Native Method)
at java.net.SocketInputStream.socketRead(Unknown Source)
at java.net.SocketInputStream.read(Unknown Source)
at java.net.SocketInputStream.read(Unknown Source)
at sun.security.ssl.InputRecord.readFully(Unknown Source)
at sun.security.ssl.InputRecord.read(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at InstallCert.main(InstallCert.java:98)

dieyovic
5 years ago

Great, I got it!!!! Thanks

asdf
5 years ago

java.net.ConnectException: Connection refused error

Brant
6 years ago

Quick question — I run this and it generates a certificate but it’s an expired certificate with unknown values for the Issuer and Subject. Any ideas as to why this would be?

Anthony
6 years ago

Hello, this works perfectly in NetBeans, but it doesn’t work when I execute the command: java -jar … Please help me.

Lekshmana M
7 years ago

After a lot of struggling I got this link, and this method works well. Thanks for sharing.

Andre
7 years ago

This guy and his tutorials always make me smile.

This tutorial works fine with me.
Thanks for sharing

lp
8 years ago

May I know how long this cert can last for?

lp
8 years ago
Reply to  lp

Nice tutorial! Found that the default valid period of the Cert is 1 year. How can I change the default period?

Eli Cloyd
8 years ago

getting a 404 on all the links 🙁