How to resolve PKIX Path Building Issue

In this blog, we learn how to resolve PKIX path-building Issue.
While developing some application, we might sometimes come across the below error which the maven throws while building the application:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Reason

• The error is due to the system firewall. The system firewall restricts the application to connect to external unsecured systems. The firewall requires a valid certificate to allow access to the external systems.

Cause

• Whenever Java attempts to connect to another application over SSL (e.g.: HTTPS, IMAPS, LDAPS) then it will only be able to connect to that application if it can trust it. The way trust is handled in the Java world is that you have a Keystore, also known as the trust store. This contains a list of all known Certificate Authority (CA) certificates. Java will only trust certificates.

Resolution

• The solution is very simple. We just need to install the required certificates of the external system in our system so the firewall allows us to interact with the external system and complete our process.
  • We are going to perform two activities:
    • Download the Certificate.
    • Install the Certificate.

To download the certificate, follow the below steps:

• Take the particular URL from the error and copy it to a browser (In the above error the URL).
• Now to the left of the URL, there is a lock icon (). Click on this icon and a window will pop up. From the window, select the certificate.
• Once we select the certificate, it will redirect to another window. From there we have to select the Details tab and from the Details click on Copy to File. After clicking again, a new window will pop up. In that window, select next.
• After we perform all the above steps, we will be redirected to a new window where we need to select the format for the certificate. We will have to choose DER encoded binary and click on Next.
• Now we need to choose a location where we need to save the certificate and we also need to give some name to the certificate.
• Once a File name is given and saved, then select Next. It will direct us to another window showing the details. If all the details are correct, click on Finish. A export Success pop up will appear.

So, the downloading of certificates is done. Now the next process is to install the certificate in the cacerts file of the jdk installed in our system using the command line.

Installation of the Certificate from Command line:

• Go to the JDK security folder.

• Command for installation: keytool -importcert -alias <alias name for the certificate> -file <path were we have save the certificate> –keystore cacerts

• For me the Command will be in Window: keytool -importcert -alias cer10 -file C:\Users\prajjawalk\Documents\cer\cer10.cer -keystore cacerts
• For me the Command will be in Ubuntu: sudo keytool -importcert -alias cer10 -file /mnt/c/Users/prajjawalk/Documents/cer/cer10.cer -keystore cacert

Note: 

For Window :

• I am using openjdk 11.0.11 so the cacerts file path for my system is “C:\Program Files\Java\jdk-11.0.11\lib\security\cacerts”. It may differ for you based on your system and jdk version.
• I have given the alias name as cer10 and the path where I save my certificate is C:\Users\prajjawalk\Documents\cer\cer10.cer

For Ubuntu :

• I am using openjdk 11.0.11 so the cacerts file path for my system is “/usr/lib/jvm/java-11-openjdk-amd64/lib/security$”. It may differ for you based on your system and jdk version.
• I have given the alias name as cer10 and the path where I save my certificate is  /mnt/c/Users/prajjawalk/Documents/cer/cer10.cer

To install the certificate, follow the below steps:

• Open Command Prompt as an Administrator and use the command for installation and press enter.
• Enter the Password – changeit
• Once the command is executed, it will ask for confirmation. Write Yes and the certificate will be install with confirmation.

In the above process, we have downloaded and installed the certificate successfully in our system.

Now if we will execute the application it will not show certificate issues and will also download the required data from that particular system.