java - Imported a certificate.pfx into cacerts and still getting "PKIX...unable to find valid certification path to requested target" error. What do?


I wrote a web service client, but it fails to run through HTTPS, although I imported cert.pfx (alias=cert) into Java's cacerts, and an entry with the alias cert was successfully added.

I still can't use the wsimport prompt on the WSDL URL. It says: PKIX path building failed: unable to find valid certification path to requested target. Okay. I researched a bit and tried setting

    setlocal
    set _JAVA_OPTIONS=%_JAVA_OPTIONS% -Djavax.net.ssl.trustStore="c:\program files\java\jdk1.7.0_79\jre\lib\security\cacerts" -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.keyStoreType=pkcs12 -Djavax.net.ssl.keyStorePassword=xxxxxxxxx -Djavax.net.ssl.keyStore="d:\cert.pfx"
    "c:\program files\java\jdk1.7.0_79\bin\wsimport" -s c:\users\me\keystore\bin\s -keep https://service.xxxxxxxxxxx.de/xxxxxxxxxxxxtest?wsdl
    endlocal

Without success.

I tried exporting the certificate out of the cert.pfx file and importing the certificate into cacerts via keytool -exportcert and keytool -importcert. Later I tried exporting the certificates from the browser (because the browser handles the certificates fine and I can access the HTTPS URL). I exported the root certificate to a root.cer file and imported the .cer into cacerts (I had to use a different alias than cert. With the cert alias I got a "keys not matching" message in the console when using the keytool prompt).

A dump of cacerts shows there is indeed an entry in cacerts. I don't know why Java refuses wsimport on the URL.

In the end I downloaded the URL destination onto my machine, did wsimport on the downloaded .xml file, and later changed the URL parameters in the generated stubs. That doesn't help though, because when I run the application I'm running into the "PKIX...unable to find valid certification path to requested target" error.

You need to import the *.der certificate into the keystore before trying to modify the JVM options.

Here's an overall summary of how to import certificates to fix the following error:

    Error while trying to execute request. javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

How to import certificates

  1. Go to the URL in your browser, click on the HTTPS certificate chain (the little lock symbol next to the URL address) to export the certificate
    • Click "More info" > "Security" > "Show certificate" > "Details" > "Export..".
    • Save as .der
    • Repeat for all certificates you need to import
  2. Locate $JAVA_HOME/jre/lib/security/cacerts
  3. Import all *.der files into the cacerts file using the following:

    sudo keytool -import -alias mysitestaging -keystore $JAVA_HOME/jre/lib/security/cacerts -file staging.der
    sudo keytool -import -alias mysiteprod -keystore $JAVA_HOME/jre/lib/security/cacerts -file prod.der
    sudo keytool -import -alias mysitedev -keystore $JAVA_HOME/jre/lib/security/cacerts -file dev.der

  4. The default keystore password is 'changeit'

  5. You can view the change that you made with this command, which shows the certificate fingerprint.

    keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts

  6. If this doesn't solve the problem, try adding these Java options as arguments:

    -Djavax.net.ssl.trustStore="$JAVA_HOME/jre/lib/security/cacerts" -Djavax.net.ssl.trustStorePassword="changeit"
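
A diagnostic for the import procedure above, added here as an example and not part of the original answer: it reports which trust store file the running JVM resolves, whether an exported certificate is in it, and otherwise whether the certificate was issued directly by a trusted entry. The class name `TrustStoreCheck` is hypothetical, the argument is a file exported in step 1 (for example `staging.der`), and the password falls back to the answer's `changeit`.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.*;
import java.util.Collections;

// Added diagnostic (hypothetical class name). Usage: java TrustStoreCheck staging.der
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        // Resolve the trust store as JSSE does by default: the system property,
        // else jssecacerts, else cacerts under <java.home>/lib/security.
        String path = System.getProperty("javax.net.ssl.trustStore");
        if (path == null) {
            File dir = new File(System.getProperty("java.home"), "lib/security");
            File js = new File(dir, "jssecacerts");
            path = (js.exists() ? js : new File(dir, "cacerts")).getPath();
        }
        // 'changeit' is the default password named in the answer.
        char[] pass = System.getProperty("javax.net.ssl.trustStorePassword", "changeit").toCharArray();
        KeyStore ts = KeyStore.getInstance(
                System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType()));
        try (InputStream in = new FileInputStream(path)) { ts.load(in, pass); }
        System.out.println("Trust store in use: " + path + " (" + ts.size() + " entries)");

        // Load the certificate exported from the browser (DER or PEM both parse).
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) cf.generateCertificate(in);
        }
        System.out.println("Subject: " + cert.getSubjectX500Principal());
        System.out.println("Issuer:  " + cert.getIssuerX500Principal());
        StringBuilder fp = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded()))
            fp.append(String.format("%02X:", b));
        System.out.println("SHA-256: " + fp); // compare with keytool -list -v

        String alias = ts.getCertificateAlias(cert);
        if (alias != null) { System.out.println("Already trusted, alias: " + alias); return; }
        try { // Not in the store itself: was it issued directly by a trusted entry?
            PKIXParameters params = new PKIXParameters(ts);
            params.setRevocationEnabled(false); // offline check, no CRL/OCSP lookups
            CertPath cp = cf.generateCertPath(Collections.singletonList(cert));
            PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult)
                    CertPathValidator.getInstance("PKIX").validate(cp, params);
            System.out.println("Issued by trusted: " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            System.out.println("No path to a trust anchor: " + e.getMessage());
        }
    }
}
```

Run it with the same `java` binary and the same `-D` options as the failing program, so the path it prints is the trust store that program actually loads.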
