handshake

Sometimes you need to connect your Java application to an SSL server and you get this error:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:289)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:200)
	at sun.security.validator.Validator.validate(Validator.java:218)
	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1053)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:128)
	at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:529)
	at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:465)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1120)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1147)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1131)

What your application is telling you is that it doesn’t trust the other server. The solution is very simple: you just need to install the server certificate in your Java keystore.

First you have to download the certificate, but only the part that you need to install in the keystore. Here’s a command that will do it for you (note that -connect takes host:port, not a URL):

openssl s_client -connect www.url.com:443 -servername www.url.com < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > url.cert

The next thing to do is install the certificate in the keystore:

keytool -import -noprompt -trustcacerts -alias urlcert -file url.cert -keystore /path/to/keystore.jks -storepass keystorepass

And it’s done. If you want to verify that it’s installed, you can use the next command:

keytool -list -v -keystore /path/to/keystore.jks -storepass keystorepass
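
An added example (not part of the original post): the same download-and-import steps wrapped in a shell function that refuses to import unless the fetched certificate's SHA-256 fingerprint matches one obtained out of band, since the certificate fetched over the network is otherwise trusted as-is. The function names, the expected-fingerprint argument and the sample s_client output are assumptions made for illustration.

```shell
# Print only the first PEM block (the leaf certificate) from s_client output.
extract_leaf_cert() {
  awk '/-----BEGIN CERTIFICATE-----/ { on = 1 }
       on { print }
       on && /-----END CERTIFICATE-----/ { exit }'
}

# Normalise a fingerprint: drop any "label=" prefix, colons and spaces; upper-case hex.
normalize_fp() {
  printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'abcdef' 'ABCDEF'
}

# SHA-256 fingerprint of a PEM certificate file, normalised.
cert_fp() {
  normalize_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"
}

# Usage: import_if_pinned HOST PORT EXPECTED_FP KEYSTORE STOREPASS ALIAS
# EXPECTED_FP must come from a trusted channel (e.g. the server's administrator).
import_if_pinned() {
  pin_tmp=$(mktemp) || return 1
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    extract_leaf_cert >"$pin_tmp"
  pin_got=$(cert_fp "$pin_tmp")
  if [ -z "$pin_got" ] || [ "$pin_got" != "$(normalize_fp "$3")" ]; then
    echo "fingerprint mismatch for $1: got '$pin_got', not importing" >&2
    rm -f "$pin_tmp"; return 1
  fi
  keytool -import -noprompt -trustcacerts -alias "$6" -file "$pin_tmp" \
    -keystore "$4" -storepass "$5"
  pin_rc=$?
  rm -f "$pin_tmp"; return "$pin_rc"
}

# Constructed sample: shape of `s_client -showcerts` output with two certificates
# (the base64 bodies are placeholders, not real certificates).
sample_s_client_output() {
  cat <<'EOF'
CONNECTED(00000003)
 0 s:CN = www.url.com
-----BEGIN CERTIFICATE-----
TEVBRi1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
 1 s:CN = Constructed Intermediate CA
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRFLVBMQUNFSE9MREVS
-----END CERTIFICATE-----
EOF
}
```

Call it as `import_if_pinned www.url.com 443 "$EXPECTED_FP" /path/to/keystore.jks keystorepass urlcert`; it returns non-zero and leaves the keystore untouched when the fingerprints differ.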