I have a web application on Apache Tomcat 7 and I have an untrusted certificate on my web application. My web application has to communicate with another web application that is using HTTPS. However, I always get this exception:

    Failed to make connection: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I downloaded the crt files from the browser from the other application and imported them into the jks keystore of my Tomcat server.

Here is the configuration from server.xml file:

    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLSv1.2"
               keystoreFile="/opt/apache/apache-tomcat-7.0.55-test/conf/portalnew.jks"
               keystorePass="changeit" keyAlias="portalnew"/>

When I type

    keytool -list -v -keystore portalnew.jks

I can see the crt files that I have added.

Also, I added the crt files in cacerts.jks.

There are 2 best solutions below

0
On

You need to configure your Tomcat to trust these certificates. That could be achieved by:

  1. create a new Java keystore (could be named tomcat.truststore)
  2. import all necessary certificates into the tomcat.truststore
  3. add additional attributes to the Tomcat connector in the server.xml file

    truststoreFile="conf/store/tomcat.truststore" truststorePass="TruststorePassword"

  4. in your CATALINA_OPTS variable add:

    -Djavax.net.ssl.trustStore=/opt/tomcat/conf/store/tomcat.truststore -Djavax.net.ssl.trustStorePassword=TruststorePassword

     adjust your password in the commands above

  5. restart tomcat
0
On

I fixed it by adding the .crt files to cacerts, not to cacerts.jks.
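
Both answers come down to which file the JVM reads when the web application opens an outbound HTTPS connection. The script below is an added example, not code from either answer: it reproduces the JSSE default truststore lookup so you can confirm the target file before importing; the function names and the `otherapp` alias and file name are hypothetical.

```shell
#!/bin/sh
# Constructed example: find the truststore a JVM consults for outbound HTTPS.
# JSSE lookup order:
#   1. -Djavax.net.ssl.trustStore=<file> (last occurrence wins; if the file
#      is missing there is no fallback, the trust store is simply empty)
#   2. <java.home>/lib/security/jssecacerts, if present
#   3. <java.home>/lib/security/cacerts
# Assumption: java.home is $JAVA_HOME/jre when that directory exists
# (JDK 8 and older), otherwise $JAVA_HOME. Paths with spaces are not handled.

# resolve_truststore "JVM_OPTS" "JAVA_HOME" -> prints the truststore path
resolve_truststore() {
    opts=$1
    home=$2
    ts=
    if [ -d "$home/jre" ]; then home="$home/jre"; fi
    for opt in $opts; do
        case $opt in
            -Djavax.net.ssl.trustStore=*) ts=${opt#-Djavax.net.ssl.trustStore=} ;;
        esac
    done
    if [ -z "$ts" ]; then
        if [ -f "$home/lib/security/jssecacerts" ]; then
            ts="$home/lib/security/jssecacerts"
        else
            ts="$home/lib/security/cacerts"
        fi
    fi
    printf '%s\n' "$ts"
}

# import_cert ALIAS CRT_FILE TRUSTSTORE
# keytool prompts for the store password and prints the certificate
# fingerprints before asking whether to trust it; compare them with the
# remote application's real certificate before answering yes.
import_cert() {
    keytool -importcert -alias "$1" -file "$2" -keystore "$3"
}

# Typical use on the Tomcat host (alias and file name are placeholders):
#   ts=$(resolve_truststore "$CATALINA_OPTS $JAVA_OPTS" "$JAVA_HOME")
#   import_cert otherapp otherapp.crt "$ts"
```

A file named `cacerts.jks` sitting next to `cacerts` is never consulted unless `-Djavax.net.ssl.trustStore` points at it explicitly.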